I am trying to configure Celery on my Django web server securely, and I can figure out two alternatives for achieving this: either securing the broker or signing the messages.
Celery needs a message broker, which in my case is RabbitMQ.
I am using a "RabbitMQ as a service" implementation, which means that the RabbitMQ server is reached through the internet using the amqp protocol.
The service provider distributes an amqp uri, and also supports amqps:
The "amqps" URI scheme is used to instruct a client to make a secured connection to the server.
In order to use amqps, celery needs the following configuration:
import ssl

BROKER_USE_SSL = {
    'keyfile': '/var/ssl/private/worker-key.pem',  # this client's own private key
    'certfile': '/var/ssl/amqp-server-cert.pem',   # certificate presented by this client
    'ca_certs': '/var/ssl/myca.pem',               # CA bundle used to verify the broker's certificate
    'cert_reqs': ssl.CERT_REQUIRED                 # refuse the connection if the broker's certificate does not verify
}
Question: Where can I find those .pem files?
According to the RabbitMQ docs, I have to create them myself and configure the RabbitMQ server to use them.
However, I am not running the server. As stated above, I have a "RabbitMQ as a service" provider who supports amqps. Should I ask them to provide me with those .pem files?
Celery can also sign messages.
(Trying this approach, I get a "No encoder installed for auth" error, which I reported.)
Question: Does this mean that I can use my certificates to secure the connection as an alternative configuration to BROKER_USE_SSL?
There is also a note regarding message signing:
The auth serializer won't encrypt the contents of a message, so if needed this will have to be enabled separately.
Subquestion: Does encrypting the contents of a message protect me from the "current" RabbitMQ server administrator while "message signing" only protects me while on the wire towards that server?
Apparently I am somehow confused, but I would not like to create any kind of insecure traffic over the internet for any reason. I would appreciate your help.
When configuring for CloudAMQP, you need to set BROKER_USE_SSL to True and the BROKER_URL as shown below:

    BROKER_USE_SSL = True
    BROKER_URL = 'amqp://user:pass@hostname:5671/vhost'

Note the port number 5671, and keep 'amqp'.
If you are running your own Rabbit setup, check out this page to make it secure:
https://www.rabbitmq.com/ssl.html
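As an added example (not code from the question or the answer above), here is an offline sanity check of the two settings discussed on this page, BROKER_URL and BROKER_USE_SSL, using only the standard library; the names check_broker_tls and AMQPS_PORT are assumed here, and the findings it emits are about what the settings themselves state, not about how a particular Celery or kombu version fills in defaults.

```python
"""Check a Celery broker configuration for TLS to a hosted RabbitMQ.

Added example, not from the original post. It inspects the Celery settings
as plain Python values, so it runs without Celery, kombu or a broker.
"""
import ssl
from urllib.parse import urlparse

AMQPS_PORT = 5671   # RabbitMQ's default TLS port; 5672 is plaintext AMQP
AMQP_PORT = 5672


def check_broker_tls(broker_url, broker_use_ssl):
    """Return a list of findings; an empty list means the settings look sound.

    Semantics follow the ssl module keys used by Celery's BROKER_USE_SSL dict:
    keyfile/certfile are this client's own credentials, ca_certs is the trust
    anchor used to verify the broker, and cert_reqs says whether that
    verification is mandatory.
    """
    findings = []
    url = urlparse(broker_url)
    port = url.port or (AMQPS_PORT if url.scheme == "amqps" else AMQP_PORT)

    if url.scheme not in ("amqp", "amqps"):
        findings.append(f"unexpected broker scheme {url.scheme!r}")
    if url.scheme == "amqp" and not broker_use_ssl:
        findings.append("plaintext AMQP: BROKER_USE_SSL is not set")
    if broker_use_ssl and port != AMQPS_PORT:
        findings.append(f"TLS requested but port is {port}, not {AMQPS_PORT}")

    if broker_use_ssl is True:
        # A bare True asks for TLS but names no CA bundle and no cert_reqs,
        # so it leaves server-certificate verification to transport defaults.
        findings.append("BROKER_USE_SSL=True sets no ca_certs/cert_reqs; "
                        "prefer a dict with cert_reqs=ssl.CERT_REQUIRED")
    elif isinstance(broker_use_ssl, dict):
        if broker_use_ssl.get("cert_reqs") != ssl.CERT_REQUIRED:
            findings.append("cert_reqs is not ssl.CERT_REQUIRED: "
                            "broker identity is not enforced")
        if not broker_use_ssl.get("ca_certs"):
            findings.append("ca_certs missing: no trust anchor to verify "
                            "the provider's server certificate")
    return findings


if __name__ == "__main__":
    # Constructed sample: the URL shape from the answer with the dict from the question.
    strict = {"ca_certs": "/var/ssl/myca.pem", "cert_reqs": ssl.CERT_REQUIRED}
    print(check_broker_tls("amqps://user:pass@hostname:5671/vhost", strict))
    print(check_broker_tls("amqp://user:pass@hostname:5671/vhost", True))
```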