Rabbitmq 配置文件¶
rabbitmq.conf¶
This example configuration file demonstrates various settings available via rabbitmq.conf. It primarily focuses core broker settings but some tier 1 plugin settings are also covered.
This file is AN EXAMPLE. It is NOT MEANT TO BE USED IN PRODUCTION. Instead of copying the entire (large!) file, create or generate a new rabbitmq.conf for the target system and populate it with the necessary settings.
See https://www.rabbitmq.com/docs/configure to learn about how to configure RabbitMQ, the ini-style format used by rabbitmq.conf, how it is different from advanced.config, how to verify effective configuration, and so on.
See https://www.rabbitmq.com/docs/documentation for the rest of RabbitMQ documentation.
In case you have questions, please use rabbitmq/rabbitmq-server Discussions and the RabbitMQ community Discord server for questions.
Core broker section¶
Networking¶
Related doc guide: https://www.rabbitmq.com/docs/networking. By default, RabbitMQ will listen on all interfaces, using the standard (reserved) AMQP 0-9-1 and 1.0 port.
To listen on a specific interface, provide an IP address with port. For example, to listen only on localhost for both IPv4 and IPv6:
IPv4
You can define multiple listeners using listener names
TLS listeners are configured in the same fashion as TCP listeners, including the option to control the choice of interface.
It is possible to disable regular TCP (non-TLS) listeners. Clients not configured to use TLS and the correct TLS-enabled port won't be able to connect to this node.
Number of Erlang processes that will accept connections for the TCP and TLS listeners.
Socket writer will force GC every so many bytes transferred. Default is 1 GiB (1000000000). Set to 'off' to disable.
To disable:
Maximum amount of time allowed for the AMQP 0-9-1 and AMQP 1.0 handshake (performed after socket connection and TLS handshake) to complete, in milliseconds.
Set to 'true' to perform reverse DNS lookups when accepting a connection. rabbitmqctl and management UI will then display hostnames instead of IP addresses. Default value is false.
Security, Access Control¶
Related doc guide: https://www.rabbitmq.com/docs/access-control.
The default "guest" user is only permitted to access the server via a loopback interface (e.g. localhost). {loopback_users, [<<"guest">>]},
Uncomment the following line if you want to allow access to the guest user from anywhere on the network.
TLS configuration¶
Related doc guide: https://www.rabbitmq.com/docs/ssl.
# listeners.ssl.1 = 5671
# ssl_options.verify = verify_peer
# ssl_options.fail_if_no_peer_cert = false
# ssl_options.cacertfile = /path/to/cacert.pem
# ssl_options.certfile = /path/to/cert.pem
# ssl_options.keyfile = /path/to/key.pem
#
# ssl_options.honor_cipher_order = true
# ssl_options.honor_ecc_order = true
These are highly recommended for TLSv1.2 but cannot be used with TLSv1.3. If TLSv1.3 is enabled, these lines MUST be removed.
Limits what TLS versions the server enables for client TLS connections. See https://www.rabbitmq.com/docs/ssl#tls-versions for details.
Cutting edge TLS version which requires recent client runtime versions and has no cipher suite in common with earlier TLS versions.
Enables TLSv1.2 for best compatibility
Older TLS versions have known vulnerabilities and are being phased out from wide use.
Limits what cipher suites the server will use for client TLS connections. Narrowing this down can prevent some clients from connecting. If TLSv1.3 is enabled and cipher suites are overridden, TLSv1.3-specific cipher suites must also be explicitly enabled.
See https://www.rabbitmq.com/docs/ssl#cipher-suites and https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites for details.
The example below uses TLSv1.3 cipher suites only
# ssl_options.ciphers.1 = TLS_AES_256_GCM_SHA384
# ssl_options.ciphers.2 = TLS_AES_128_GCM_SHA256
# ssl_options.ciphers.3 = TLS_CHACHA20_POLY1305_SHA256
# ssl_options.ciphers.4 = TLS_AES_128_CCM_SHA256
# ssl_options.ciphers.5 = TLS_AES_128_CCM_8_SHA256
The example below uses TLSv1.2 cipher suites only
# ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
# ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
# ssl_options.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
# ssl_options.ciphers.4 = ECDHE-RSA-AES256-SHA384
# ssl_options.ciphers.5 = ECDH-ECDSA-AES256-GCM-SHA384
# ssl_options.ciphers.6 = ECDH-RSA-AES256-GCM-SHA384
# ssl_options.ciphers.7 = ECDH-ECDSA-AES256-SHA384
# ssl_options.ciphers.8 = ECDH-RSA-AES256-SHA384
# ssl_options.ciphers.9 = DHE-RSA-AES256-GCM-SHA384
# ssl_options.ciphers.10 = DHE-DSS-AES256-GCM-SHA384
# ssl_options.ciphers.11 = DHE-RSA-AES256-SHA256
# ssl_options.ciphers.12 = DHE-DSS-AES256-SHA256
# ssl_options.ciphers.13 = ECDHE-ECDSA-AES128-GCM-SHA256
# ssl_options.ciphers.14 = ECDHE-RSA-AES128-GCM-SHA256
# ssl_options.ciphers.15 = ECDHE-ECDSA-AES128-SHA256
# ssl_options.ciphers.16 = ECDHE-RSA-AES128-SHA256
# ssl_options.ciphers.17 = ECDH-ECDSA-AES128-GCM-SHA256
# ssl_options.ciphers.18 = ECDH-RSA-AES128-GCM-SHA256
# ssl_options.ciphers.19 = ECDH-ECDSA-AES128-SHA256
# ssl_options.ciphers.20 = ECDH-RSA-AES128-SHA256
# ssl_options.ciphers.21 = DHE-RSA-AES128-GCM-SHA256
# ssl_options.ciphers.22 = DHE-DSS-AES128-GCM-SHA256
# ssl_options.ciphers.23 = DHE-RSA-AES128-SHA256
# ssl_options.ciphers.24 = DHE-DSS-AES128-SHA256
# ssl_options.ciphers.25 = ECDHE-ECDSA-AES256-SHA
# ssl_options.ciphers.26 = ECDHE-RSA-AES256-SHA
# ssl_options.ciphers.27 = DHE-RSA-AES256-SHA
# ssl_options.ciphers.28 = DHE-DSS-AES256-SHA
# ssl_options.ciphers.29 = ECDH-ECDSA-AES256-SHA
# ssl_options.ciphers.30 = ECDH-RSA-AES256-SHA
# ssl_options.ciphers.31 = ECDHE-ECDSA-AES128-SHA
# ssl_options.ciphers.32 = ECDHE-RSA-AES128-SHA
# ssl_options.ciphers.33 = DHE-RSA-AES128-SHA
# ssl_options.ciphers.34 = DHE-DSS-AES128-SHA
# ssl_options.ciphers.35 = ECDH-ECDSA-AES128-SHA
# ssl_options.ciphers.36 = ECDH-RSA-AES128-SHA
# ssl_options.bypass_pem_cache = true
Select an authentication/authorisation backend to use. Alternative backends are provided by plugins, such as rabbitmq-auth-backend-ldap. NB: These settings require certain plugins to be enabled.
Related doc guides:
uses separate backends for authentication and authorisation, see below.
# auth_backends.1.authn = rabbit_auth_backend_ldap
# auth_backends.1.authz = rabbit_auth_backend_internal
The rabbitmq_auth_backend_ldap plugin allows the broker to perform authentication and authorisation by deferring to an external LDAP server.
Relevant doc guides:
uses LDAP for both authentication and authorisation
uses HTTP service for both authentication and authorisation
uses two backends in a chain: HTTP first, then internal
Authentication¶
The built-in mechanisms are 'PLAIN', 'AMQPLAIN', and 'EXTERNAL' Additional mechanisms can be added via plugins.
Related doc guide: https://www.rabbitmq.com/docs/authentication.
The rabbitmq-auth-mechanism-ssl plugin makes it possible to authenticate a user based on the client's x509 (TLS) certificate. Related doc guide: https://www.rabbitmq.com/docs/authentication.
To use auth-mechanism-ssl, the EXTERNAL mechanism should be enabled:
To force x509 certificate-based authentication on all clients, exclude all other mechanisms (note: this will disable password-based authentication even for the management UI!):
This pertains to both the rabbitmq-auth-mechanism-ssl plugin and STOMP ssl_cert_login configurations. See the RabbitMQ STOMP plugin configuration section later in this file and the README in https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl for further details.
To use the TLS cert's CN instead of its DN as the username
TLS handshake timeout, in milliseconds.
Loading Definitions¶
Relevant documentation: https://www.rabbitmq.com/docs/definitions#import-on-boot To import definitions from a local file on node boot, set the load_definitions config key to a path of a previously exported JSON file with definitions. Does not require management plugin to be enabled.
Password hashing implementation. Will only affect newly created users. To recalculate hash for an existing user it's necessary to update her password. To use SHA-512, set to rabbit_password_hashing_sha512.
When importing definitions exported from versions earlier than 3.6.0, it is possible to go back to MD5 (only do this as a temporary measure!) by setting this to rabbit_password_hashing_md5.
Default User / VHost¶
On first start RabbitMQ will create a vhost and a user. These config items control what gets created. Relevant doc guide: https://www.rabbitmq.com/docs/access-control
# default_vhost = /
# default_user = guest
# default_pass = guest
# default_permissions.configure = .*
# default_permissions.read = .*
# default_permissions.write = .*
Tags for default user
For more details about tags, see the documentation for the Management Plugin at https://www.rabbitmq.com/docs/management.
Define other tags like this:
Additional network and protocol related configuration¶
Set the server AMQP 0-9-1 heartbeat timeout in seconds. RabbitMQ nodes will send heartbeat frames at roughly the (timeout / 2) interval. Two missed heartbeats from a client will close its connection.
Values lower than 6 seconds are very likely to produce false positives and are not recommended.
Related doc guides:
Set the max permissible size of an AMQP frame (in bytes).
Set the max frame size the server will accept before connection tuning occurs
Set the max permissible number of channels per connection. 0 means "no limit".
Customising TCP Listener (Socket) Configuration.
Related doc guides:
# tcp_listen_options.backlog = 128
# tcp_listen_options.nodelay = true
# tcp_listen_options.exit_on_close = false
#
# tcp_listen_options.keepalive = true
# tcp_listen_options.send_timeout = 15000
#
# tcp_listen_options.buffer = 196608
# tcp_listen_options.sndbuf = 196608
# tcp_listen_options.recbuf = 196608
Queues¶
If set, the 'x-queue-type' header will be ignored (not compared for equivalence) for queue redeclaration. This can simplify upgrades of applications that explicitly set 'x-queue-type' to 'classic' for historical reasons but do not set any other properties that may conflict or significantly change queue behavior and semantics, such as the 'exclusive' field.
Sets the initial quorum queue replica count for newly declared quorum queues. This value can be overridden using the 'x-quorum-initial-group-size' queue argument at declaration time.
Sets the maximum number of unconfirmed messages a channel can send before publisher flow control is triggered. The current default is configured to provide good performance and stability when there are multiple publishers sending to the same quorum queue.
Changes classic queue storage implementation version. In 4.0.x, version 2 is the default and this is a forward compatibility setting, that is, it will be useful when a new version is developed.
Resource Limits & Flow Control¶
Related doc guide: https://www.rabbitmq.com/docs/memory.
Memory-based Flow Control threshold.
Alternatively, we can set a limit (in bytes) of RAM used by the node.
Or you can set absolute value using memory units (with RabbitMQ 3.6.0+). Absolute watermark will be ignored if relative is defined!
Supported unit symbols:
## k, kiB: kibibytes (2^10 - 1,024 bytes)
## M, MiB: mebibytes (2^20 - 1,048,576 bytes)
## G, GiB: gibibytes (2^30 - 1,073,741,824 bytes)
## kB: kilobytes (10^3 - 1,000 bytes)
## MB: megabytes (10^6 - 1,000,000 bytes)
## GB: gigabytes (10^9 - 1,000,000,000 bytes)
Selects Erlang VM memory consumption calculation strategy. Can be allocated, rss or legacy (aliased as erlang), Introduced in 3.6.11. rss is the default as of 3.6.12. See https://github.com/rabbitmq/rabbitmq-server/issues/1223 and rabbitmq/rabbitmq-common#224 for background.
The total memory available can be calculated from the OS resources - default option - or provided as a configuration parameter.
Set disk free limit (in bytes). Once free disk space reaches this lower bound, a disk alarm will be set - see the documentation listed above for more details.
Absolute watermark will be ignored if relative is defined!
Or you can set it using memory units (same as in vm_memory_high_watermark) with RabbitMQ 3.6.0+.
# disk_free_limit.absolute = 500KB
# disk_free_limit.absolute = 50mb
# disk_free_limit.absolute = 5GB
Alternatively, we can set a limit relative to total available RAM. Values lower than 1.0 can be dangerous and should be used carefully.
Clustering¶
By default cluster name is set to the name of the first node to have formed the cluster. It can be overridden to make it easier for (human) operators to tell one cluster from another.
Optional key-value pairs that tag (label) the cluster. They will be reported by CLI tools, by the HTTP API at 'GET /api/overview', and potentially in other contexts.
# cluster_tags.region = us-east-1
# cluster_tags.zone = us-east-1d
# cluster_tags.project = an-iot-thing
# cluster_tags.role = mqtt-ingress
# cluster_tags.environment = staging
A similar set of key-value pairs can be used to tag (label) the specific node that will use this configuration file.
# node_tags.uuid = '88CD083F-E211-479B-814A-6DA42FE78AF3'
# node_tags.role = mqtt-ingress
# node_tags.environment = staging
Selects the default strategy used to pick a node to place a new queue leader replica on. Can be overridden by the x-queue-leader-locator optional queue argument at declaration time.
"balanced" (the default) is recommended for most environments. It works like so:
- When there are many queues in the cluster, the candidate node is picked randomly
- When there are few queues, uses their current replica count to pick the node with the smallest number of replicas.
Supported non-deprecated values are: "balanced", "client-local"
Partition handling strategy¶
Primarily affects deployments that use Mnesia and classic queues. Khepri and quorum queues, streams will always use Raft's failure recovery strategy.
Pauses all nodes on the minority side of a partition. The cluster MUST have an odd number of nodes (3, 5, etc)
pause_if_all_down strategy require additional configuration
Recover strategy. Can be either 'autoheal' or 'ignore'
Node names to check¶
# cluster_partition_handling.pause_if_all_down.nodes.1 = rabbit@localhost
# cluster_partition_handling.pause_if_all_down.nodes.2 = hare@localhost
Make clustering happen automatically at startup. Only applied to nodes that have just been reset or started for the first time.
Relevant doc guide: https://www.rabbitmq.com/docs//cluster-formation
# cluster_formation.peer_discovery_backend = rabbit_peer_discovery_classic_config
#
# cluster_formation.classic_config.nodes.1 = rabbit1@hostname
# cluster_formation.classic_config.nodes.2 = rabbit2@hostname
# cluster_formation.classic_config.nodes.3 = rabbit3@hostname
# cluster_formation.classic_config.nodes.4 = rabbit4@hostname
DNS-based peer discovery. This backend will list A records of the configured hostname and perform reverse lookups for the addresses returned.
# cluster_formation.peer_discovery_backend = rabbit_peer_discovery_dns
# cluster_formation.dns.hostname = discovery.eng.example.local
This node's type can be configured. If you are not sure what node type to use, always use 'disc'.
Interval (in milliseconds) at which we send keepalive messages to other cluster members. Note that this is not the same thing as net_ticktime; missed keepalive messages will not cause nodes to be considered down.
Statistics Collection¶
Statistics collection interval (in milliseconds). Increasing this will reduce the load on management database.
Fine vs. coarse statistics This value is no longer meant to be configured directly.
See https://www.rabbitmq.com/docs/management#fine-stats.
Raft settings¶
These set the defaults that quorum queues, streams, Khepri, and other Raft-based features use.
# raft.segment_max_entries = 65536
# raft.wal_max_size_bytes = 1048576
# raft.wal_max_batch_size = 4096
# raft.snapshot_chunk_size = 1000000
Misc and Advanced Options¶
NB: Change these only if you understand what you are doing!
To permit or deny a deprecated feature when it is in its permitted_by_default or denied_by_default deprecation phase, the default state can be overriden from the configuration.
When a deprecated feature is permitted by default (first phase of the deprecation period), it means the feature is available by default and can be turned off by setting it to false in the configuration.
When a deprecated feature is denied by default (second phase of the deprecation period), it means the feature is unavailable by default but can be turned back on by setting it to true in the configuration.
When a deprecated feature is "disconnected" or "removed" (last two phases of the deprecation period), it is no longer possible to turn it back on from the configuration.
# deprecated_features.permit.a_deprecated_feature = true
# deprecated_features.permit.another_deprecated_feature = false
Timeout used when waiting for Mnesia tables in a cluster to become available.
Related doc guide: https://www.rabbitmq.com/docs/clustering#restarting
Retries when waiting for Mnesia tables in the cluster startup. Note that this setting is not applied to Mnesia upgrades or node deletions.
Related doc guide: https://www.rabbitmq.com/docs/clustering#restarting
Size in bytes below which to embed messages in the queue index. Related doc guide: https://www.rabbitmq.com/docs/persistence-conf
You can also set this size in memory units
Whether or not to enable background periodic forced GC runs for all Erlang processes on the node in "waiting" state.
Disabling background GC may reduce latency for client operations, keeping it enabled may reduce median RAM usage by the binary heap (see https://www.erlang-solutions.com/blog/erlang-garbage-collector.html).
Before trying this option, please take a look at the memory breakdown (https://www.rabbitmq.com/docs/memory-use).
Target (desired) interval (in milliseconds) at which we run background GC. The actual interval will vary depending on how long it takes to execute the operation (can be higher than this interval). Values less than 30000 milliseconds are not recommended.
Whether or not to enable proxy protocol support. Once enabled, clients cannot directly connect to the broker anymore. They must connect through a load balancer that sends the proxy protocol header to the broker at connection time. This setting applies only to AMQP clients, other protocols like MQTT or STOMP have their own setting to enable proxy protocol. See the plugins documentation for more information.
Overriden product name and version. They are set to "RabbitMQ" and the release version by default.
"Message of the day" file. Its content is used to expand the logged and printed banners. Default to /etc/rabbitmq/motd on Unix, %APPDATA%\RabbitMQ\motd.txt on Windows.
Consumer timeout If a message delivered to a consumer has not been acknowledge before this timer triggers the channel will be force closed by the broker. This ensure that faultly consumers that never ack will not hold on to messages indefinitely.
Advanced Erlang Networking/Clustering Options¶
Related doc guide: https://www.rabbitmq.com/docs/clustering
Kernel section¶
Timeout used to detect peer unavailability, including CLI tools. Related doc guide: https://www.rabbitmq.com/docs/nettick.
Inter-node communication port range. The parameters inet_dist_listen_min and inet_dist_listen_max can be configured in the classic config format only.
Related doc guide: https://www.rabbitmq.com/docs/networking#epmd-inet-dist-port-range.
RabbitMQ Management Plugin¶
Related doc guide: https://www.rabbitmq.com/docs/management.
Management section¶
Preload schema definitions from the following JSON file. Related doc guide: https://www.rabbitmq.com/docs/management#load-definitions.
Log all requests to the management HTTP API to a file.
Limits maximum accepted HTTP request body size to 500 KiB. The default is 20 MiB.
HTTP listener and embedded Web server settings. See https://www.rabbitmq.com/docs/management for details.
# management.tcp.port = 15672
# management.tcp.ip = 0.0.0.0
#
# management.tcp.shutdown_timeout = 7000
# management.tcp.max_keepalive = 120
# management.tcp.idle_timeout = 120
# management.tcp.inactivity_timeout = 120
# management.tcp.request_timeout = 120
# management.tcp.compress = true
HTTPS listener settings. See https://www.rabbitmq.com/docs/management and https://www.rabbitmq.com/docs/ssl for details.
# management.ssl.port = 15671
# management.ssl.cacertfile = /path/to/ca_certificate.pem
# management.ssl.certfile = /path/to/server_certificate.pem
# management.ssl.keyfile = /path/to/server_key.pem
More TLS options¶
These are highly recommended for TLSv1.2 but cannot be used with TLSv1.3. If TLSv1.3 is enabled, these lines MUST be removed.
Supported TLS versions
Cipher suites the server is allowed to use
# management.ssl.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
# management.ssl.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
# management.ssl.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
# management.ssl.ciphers.4 = ECDHE-RSA-AES256-SHA384
# management.ssl.ciphers.5 = ECDH-ECDSA-AES256-GCM-SHA384
# management.ssl.ciphers.6 = ECDH-RSA-AES256-GCM-SHA384
# management.ssl.ciphers.7 = ECDH-ECDSA-AES256-SHA384
# management.ssl.ciphers.8 = ECDH-RSA-AES256-SHA384
# management.ssl.ciphers.9 = DHE-RSA-AES256-GCM-SHA384
URL path prefix for HTTP API and management UI management.path_prefix = /a-prefix
One of 'basic', 'detailed' or 'none'. See https://www.rabbitmq.com/docs/management#fine-stats for more details.
Configure how long aggregated data (such as message rates and queue lengths) is retained. Please read the plugin's documentation in https://www.rabbitmq.com/docs/management#configuration for more details. Your can use 'minute', 'hour' and 'day' keys or integer key (in seconds)
# management.sample_retention_policies.global.minute = 5
# management.sample_retention_policies.global.hour = 60
# management.sample_retention_policies.global.day = 1200
# management.sample_retention_policies.basic.minute = 5
# management.sample_retention_policies.basic.hour = 60
# management.sample_retention_policies.detailed.10 = 5
RabbitMQ Shovel Plugin¶
Related doc guide: https://www.rabbitmq.com/docs/shovel
See advanced.config.example for a Shovel plugin example
RabbitMQ STOMP Plugin¶
Related doc guide: https://www.rabbitmq.com/docs/stomp
STOMP section¶
See https://www.rabbitmq.com/docs/stomp for details.
TCP listeners¶
TCP listener settings
# stomp.tcp_listen_options.backlog = 2048
# stomp.tcp_listen_options.recbuf = 131072
# stomp.tcp_listen_options.sndbuf = 131072
#
# stomp.tcp_listen_options.keepalive = true
# stomp.tcp_listen_options.nodelay = true
#
# stomp.tcp_listen_options.exit_on_close = true
# stomp.tcp_listen_options.send_timeout = 120000
Proxy protocol support
TLS listeners See https://www.rabbitmq.com/docs/stomp and https://www.rabbitmq.com/docs/ssl for details. stomp.listeners.ssl.default = 61614
# ssl_options.cacertfile = path/to/cacert.pem
# ssl_options.certfile = path/to/cert.pem
# ssl_options.keyfile = path/to/key.pem
# ssl_options.verify = verify_peer
# ssl_options.fail_if_no_peer_cert = true
Number of Erlang processes that will accept connections for the TCP and TLS listeners.
Additional TLS options¶
Extract a name from the client's certificate when using TLS.
Set a default user name and password. This is used as the default login whenever a CONNECT frame omits the login and passcode headers.
Please note that setting this will allow clients to connect without authenticating!
If a default user is configured, or you have configured use TLS client certificate based authentication, you can choose to allow clients to omit the CONNECT frame entirely. If set to true, the client is automatically connected as the default user or user supplied in the
TLS certificate whenever the first frame sent on a session is not a CONNECT frame.
Whether or not to enable proxy protocol support. Once enabled, clients cannot directly connect to the broker anymore. They must connect through a load balancer that sends the proxy protocol header to the broker at connection time. This setting applies only to STOMP clients, other protocols like MQTT or AMQP have their own setting to enable proxy protocol.
See the plugins or broker documentation for more information.
RabbitMQ MQTT Adapter¶
See https://github.com/rabbitmq/rabbitmq-mqtt/blob/stable/README.md for details
MQTT section¶
TCP listener settings.
TCP listener options (as per the broker configuration).
# mqtt.tcp_listen_options.backlog = 4096
# mqtt.tcp_listen_options.recbuf = 131072
# mqtt.tcp_listen_options.sndbuf = 131072
#
# mqtt.tcp_listen_options.keepalive = true
# mqtt.tcp_listen_options.nodelay = true
#
# mqtt.tcp_listen_options.exit_on_close = true
# mqtt.tcp_listen_options.send_timeout = 120000
TLS listener settings See https://www.rabbitmq.com/docs/mqtt and https://www.rabbitmq.com/docs/ssl for details.
# mqtt.listeners.ssl.default = 8883
# ssl_options.cacertfile = /path/to/tls/ca_certificate_bundle.pem
# ssl_options.certfile = /path/to/tls/server_certificate.pem
# ssl_options.keyfile = /path/to/tls/server_key.pem
# ssl_options.verify = verify_peer
# ssl_options.fail_if_no_peer_cert = true
#
Number of Erlang processes that will accept connections for the TCP and TLS listeners.
Whether or not to enable proxy protocol support. Once enabled, clients cannot directly connect to the broker anymore. They must connect through a load balancer that sends the proxy protocol header to the broker at connection time. This setting applies only to STOMP clients, other protocols like STOMP or AMQP have their own setting to enable proxy protocol. See the plugins or broker documentation for more information.
Enable anonymous connections. If this is set to false, clients MUST provide credentials in order to connect. See also the anonymous_login_user/anonymous_login_pass keys. Anonymous connections are highly discouraged!
If you have multiple vhosts, specify the one to which the adapter connects.
Specify the exchange to which messages from MQTT clients are published.
Define the maximum Session Expiry Interval in seconds allowed by the server. 'infinity' means the session does not expire. An MQTT 5.0 client can choose a lower value.
Set the prefetch count (governing the maximum number of unacknowledged messages that will be delivered).
Sets the durable queue type to be used for QoS 1 subscriptions.
Supported types are:
- classic
- quorum
IMPORTANT: changing this setting requires all existing queues used by the MQTT plugin to be DELETED or clients will fail to subscribe.
So this setting should be used for new clusters.
Logging settings¶
See https://www.rabbitmq.com/docs/logging for details.
Log directory, taken from the RABBITMQ_LOG_BASE env variable by default.
Logging to file. Can be false or a filename. Default:
To disable logging to a file
Log level for file logging
File rotation config. No rotation by default. DO NOT SET rotation date to ''. Leave the value unset if "" is the desired value
Logging to console (can be true or false)
Log level for console logging
Logging to the amq.rabbitmq.log exchange (can be true or false)
Log level to use when logging to the amq.rabbitmq.log exchange
File size-based log rotation¶
Note that log.file.rotation.size cannot be combined with log.file.rotation.date, the two options are mutually exclusive.
rotate when the file reaches 10 MiB
keep up to 5 archived log files in addition to the current one
compress the archived logs
Date-based log rotation¶
Note that log.file.rotation.date cannot be combined with log.file.rotation.size, the two options are mutually exclusive.
rotate every night at midnight
keep up to 5 archived log files in addition to the current one
compress the archived logs
RabbitMQ LDAP Plugin¶
Related doc guide: https://www.rabbitmq.com/docs/ldap.
LDAP section¶
Connecting to the LDAP server(s)¶
Specify servers to bind to. You must set this in order for the plugin to work properly.
You can define multiple servers
Connect to the LDAP server using TLS
Specify the LDAP port to connect to
LDAP connection timeout, in milliseconds or 'infinity'
Or a number
Enable logging of LDAP queries¶
One of
- false (no logging is performed)
- true (verbose logging of the logic used by the plugin)
- network (as true, but additionally logs LDAP network traffic)
Defaults to false.
Also can be true or network
Client TLS settings for LDAP connections
enables TLS for connections to the LDAP server
local filesystem path to a CA certificate bundle file
local filesystem path to a client certificate file
local filesystem path to a client private key file
Sets Server Name Indication for LDAP connections. If an LDAP server host is available via multiple domain names, set this value to the preferred domain name target LDAP server
take wildcards into account when performing hostname verification
enables peer certificate chain verification
disables peer certificate chain verification
if target LDAP server does not present a certificate, should the connection be aborted?
Authentication 2¶
Pattern to convert the username given through AMQP to a DN before binding
Alternatively, you can convert a username to a Distinguished Name via an LDAP lookup after binding. See the documentation for full details.
When converting a username to a dn via a lookup, set these to the name of the attribute that represents the user name, and the base DN for the lookup query.
# auth_ldap.dn_lookup_attribute = userPrincipalName
# auth_ldap.dn_lookup_base = DC=gopivotal,DC=com
Controls how to bind for authorisation queries and also to retrieve the details of users logging in without presenting a password (e.g., SASL EXTERNAL).
One of
as_user: (to bind as the authenticated user - requires a password)anon: (to bind anonymously){UserDN, Password}(to bind with a specified user name and password)
Defaults to 'as_user'.
Or can be more complex:
If user_dn and password defined - other options is ignored.
Too complex section of LDAP¶
Authorisation¶
The LDAP plugin can perform a variety of queries against your LDAP server to determine questions of authorisation.
Related doc guide: https://www.rabbitmq.com/docs/ldap#authorisation.
Following configuration should be defined in advanced.config file DO NOT UNCOMMENT THESE LINES!
Set the query to use when determining vhost access
Set the query to use when determining resource (e.g., queue) access
Set queries to determine which tags a user has