以下是详细的配置步骤指南: Here is the detailed configuration guide:
1. 确认 RabbitMQ Management Plugin 的 TLS 配置
Verify RabbitMQ Management Plugin TLS Configuration
RabbitMQ 配置文件示例 (/etc/rabbitmq/rabbitmq.conf):RabbitMQ Configuration File Example (/etc/rabbitmq/rabbitmq.conf):
# 启用管理插件的 HTTPS 端口
# Enable Management Plugin HTTPS port
management.ssl.port = 15671
# 指定证书路径
# Specify certificate paths
management.ssl.cacertfile = /path/to/ca_certificate.pem
management.ssl.certfile = /path/to/server_certificate.pem
management.ssl.keyfile = /path/to/server_key.pem
# 证书验证设置
# Certificate verification settings
management.ssl.verify = verify_peer
management.ssl.fail_if_no_peer_cert = false验证 HTTPS 接口是否正常工作:Verify if HTTPS interface works properly:
curl -k -u : https://:15671/api/overview 2. 配置 RabbitMQ-Exporter 连接 TLS 加密的 RabbitMQ
Configure RabbitMQ-Exporter to Connect to TLS-encrypted RabbitMQ
方案 A: 使用 Docker Compose (推荐)
Solution A: Using Docker Compose (Recommended)
version: '3.8'
services:rabbitmq-exporter: image: kbudde/rabbitmq-exporter container_name: rabbitmq-exporter restart: unless-stopped ports: - "9419:9419" environment: # RabbitMQ 连接信息 - 使用 HTTPS # RabbitMQ Connection Info - Use HTTPS - RABBIT_URL=https://rabbitmq-server:15671 - RABBIT_USER=monitor_user - RABBIT_PASSWORD=your_password # TLS 配置选项 # TLS Configuration Options - SKIP_VERIFY=false # 生产环境设为 false - CA_CERT_FILE=/certs/ca_cert.pem # CA 证书路径 # Exporter 配置 # Exporter Configuration - PUBLISH_PORT=9419 - OUTPUT_FORMAT=JSON volumes: # 挂载证书文件 # Mount certificate files - ./tls/ca_cert.pem:/certs/ca_cert.pem:ro方案 B: 二进制文件直接运行
Solution B: Direct Binary Execution
./rabbitmq-exporter \ --rabbit.url="https://rabbitmq-host:15671" \ --rabbit.user="monitor_user" \ --rabbit.password="password" \ --ca-cert-file="/path/to/ca_certificate.pem" \ --skip-verify=false \ --publish-addr=":9419"3. 环境变量详解 / Environment Variables Explained
| 环境变量 / Environment Variable | 说明 / Description | 示例值 / Example Value |
|---|---|---|
RABBIT_URL | 必须使用 HTTPS / Must use HTTPS | https://host:15671 |
SKIP_VERIFY | 跳过证书验证 (测试用) / Skip certificate verification (for testing) | false (生产/production) |
CA_CERT_FILE | CA 证书文件路径 / CA certificate file path | /certs/ca.pem |
CLIENT_CERT_FILE | 客户端证书 (双向 TLS) / Client certificate (mutual TLS) | /certs/client.pem |
CLIENT_KEY_FILE | 客户端密钥 / Client private key | /certs/client-key.pem |
PUBLISH_PORT | Exporter 服务端口 / Exporter service port | 9419 |
4. Prometheus 配置 / Prometheus Configuration
scrape_configs:- job_name: 'rabbitmq-cluster-tls' static_configs: - targets: ['rabbitmq-exporter:9419'] metrics_path: '/metrics' labels: cluster: 'rabbitmq-tls-cluster' environment: 'production'5. 故障排查指南 / Troubleshooting Guide
检查 Exporter 日志 / Check Exporter Logs
docker logs rabbitmq-exporter
# 查找错误信息 / Look for error messages测试指标端点 / Test Metrics Endpoint
curl http://localhost:9419/metrics
# 应该返回 RabbitMQ 指标 / Should return RabbitMQ metrics常见错误及解决方案 / Common Errors and Solutions
| 错误信息 / Error Message | 原因 / Cause | 解决方案 / Solution |
|---|---|---|
x509: certificate signed by unknown authority | 缺少 CA 证书 / Missing CA certificate | 设置 CA_CERT_FILE 环境变量 |
connection refused | 错误的端口或协议 / Wrong port or protocol | 确认使用 https:// 和 15671 端口 |
permission denied | 证书文件权限问题 / Certificate file permission issue | 确保文件可读 / Ensure files are readable |
6. 集群监控配置 / Cluster Monitoring Configuration
单节点监控 (推荐) / Single Node Monitoring (Recommended)
environment:- RABBIT_URL=https://rabbitmq-loadbalancer:15671多节点监控 / Multi-Node Monitoring
# 为每个节点配置单独的 job
# Configure separate jobs for each node
scrape_configs:- job_name: 'rabbitmq-node1' static_configs: - targets: ['exporter-node1:9419']- job_name: 'rabbitmq-node2' static_configs: - targets: ['exporter-node2:9419']7. 安全最佳实践 / Security Best Practices
使用专用监控账户 / Use dedicated monitoring account
定期轮换证书 / Rotate certificates regularly
限制网络访问 / Restrict network access
使用强密码 / Use strong passwords
在生产环境禁用 SKIP_VERIFY / Disable SKIP_VERIFY in production
按照以上步骤配置,即可成功监控启用 TLS 的 RabbitMQ 集群。 By following these steps, you can successfully monitor a TLS-enabled RabbitMQ cluster.