深入解析:RabbitMQ-Exporter 监控 TLS 加密的 RabbitMQ 集群

以下是详细的配置步骤指南: Here is the detailed configuration guide:

1. 确认 RabbitMQ Management Plugin 的 TLS 配置

  1. Verify RabbitMQ Management Plugin TLS Configuration

RabbitMQ 配置文件示例 (/etc/rabbitmq/rabbitmq.conf):RabbitMQ Configuration File Example (/etc/rabbitmq/rabbitmq.conf):

# 启用管理插件的 HTTPS 端口
# Enable Management Plugin HTTPS port
management.ssl.port = 15671
​
# 指定证书路径
# Specify certificate paths
management.ssl.cacertfile = /path/to/ca_certificate.pem
management.ssl.certfile   = /path/to/server_certificate.pem
management.ssl.keyfile    = /path/to/server_key.pem
​
# 证书验证设置
# Certificate verification settings
management.ssl.verify     = verify_peer
management.ssl.fail_if_no_peer_cert = false

验证 HTTPS 接口是否正常工作:Verify if HTTPS interface works properly:

curl -k -u : https://:15671/api/overview

2. 配置 RabbitMQ-Exporter 连接 TLS 加密的 RabbitMQ

  1. Configure RabbitMQ-Exporter to Connect to TLS-encrypted RabbitMQ

方案 A: 使用 Docker Compose (推荐)

Solution A: Using Docker Compose (Recommended)

version: '3.8'
services:
  rabbitmq-exporter:
    image: kbudde/rabbitmq-exporter
    container_name: rabbitmq-exporter
    restart: unless-stopped
    ports:
      - "9419:9419"
    environment:
      # RabbitMQ 连接信息 - 使用 HTTPS
      # RabbitMQ Connection Info - Use HTTPS
      - RABBIT_URL=https://rabbitmq-server:15671
      - RABBIT_USER=monitor_user
      - RABBIT_PASSWORD=your_password
      # TLS 配置选项
      # TLS Configuration Options
      - SKIP_VERIFY=false                    # 生产环境设为 false
      - CA_CERT_FILE=/certs/ca_cert.pem      # CA 证书路径
      # Exporter 配置
      # Exporter Configuration
      - PUBLISH_PORT=9419
      - OUTPUT_FORMAT=JSON
    volumes:
      # 挂载证书文件
      # Mount certificate files
      - ./tls/ca_cert.pem:/certs/ca_cert.pem:ro

方案 B: 二进制文件直接运行

Solution B: Direct Binary Execution

./rabbitmq-exporter \
  --rabbit.url="https://rabbitmq-host:15671" \
  --rabbit.user="monitor_user" \
  --rabbit.password="password" \
  --ca-cert-file="/path/to/ca_certificate.pem" \
  --skip-verify=false \
  --publish-addr=":9419"

3. 环境变量详解 / Environment Variables Explained

环境变量 / Environment Variable说明 / Description示例值 / Example Value
RABBIT_URL必须使用 HTTPS / Must use HTTPShttps://host:15671
SKIP_VERIFY跳过证书验证 (测试用) / Skip certificate verification (for testing)false (生产/production)
CA_CERT_FILECA 证书文件路径 / CA certificate file path/certs/ca.pem
CLIENT_CERT_FILE客户端证书 (双向 TLS) / Client certificate (mutual TLS)/certs/client.pem
CLIENT_KEY_FILE客户端密钥 / Client private key/certs/client-key.pem
PUBLISH_PORTExporter 服务端口 / Exporter service port9419

4. Prometheus 配置 / Prometheus Configuration

scrape_configs:
  - job_name: 'rabbitmq-cluster-tls'
    static_configs:
      - targets: ['rabbitmq-exporter:9419']
    metrics_path: '/metrics'
    labels:
      cluster: 'rabbitmq-tls-cluster'
      environment: 'production'

5. 故障排查指南 / Troubleshooting Guide

检查 Exporter 日志 / Check Exporter Logs

docker logs rabbitmq-exporter
# 查找错误信息 / Look for error messages

测试指标端点 / Test Metrics Endpoint

curl http://localhost:9419/metrics
# 应该返回 RabbitMQ 指标 / Should return RabbitMQ metrics

常见错误及解决方案 / Common Errors and Solutions

错误信息 / Error Message原因 / Cause解决方案 / Solution
x509: certificate signed by unknown authority缺少 CA 证书 / Missing CA certificate设置 CA_CERT_FILE 环境变量
connection refused错误的端口或协议 / Wrong port or protocol确认使用 https://15671 端口
permission denied证书文件权限问题 / Certificate file permission issue确保文件可读 / Ensure files are readable

6. 集群监控配置 / Cluster Monitoring Configuration

单节点监控 (推荐) / Single Node Monitoring (Recommended)

environment:
  - RABBIT_URL=https://rabbitmq-loadbalancer:15671

多节点监控 / Multi-Node Monitoring

# 为每个节点配置单独的 job
# Configure separate jobs for each node
scrape_configs:
  - job_name: 'rabbitmq-node1'
    static_configs:
      - targets: ['exporter-node1:9419']
  - job_name: 'rabbitmq-node2'
    static_configs:
      - targets: ['exporter-node2:9419']

7. 安全最佳实践 / Security Best Practices

  1. 使用专用监控账户 / Use dedicated monitoring account

  2. 定期轮换证书 / Rotate certificates regularly

  3. 限制网络访问 / Restrict network access

  4. 使用强密码 / Use strong passwords

  5. 在生产环境禁用 SKIP_VERIFY / Disable SKIP_VERIFY in production

按照以上步骤配置,即可成功监控启用 TLS 的 RabbitMQ 集群。 By following these steps, you can successfully monitor a TLS-enabled RabbitMQ cluster.

posted @ 2025-12-13 12:20  yangykaifa  阅读(4)  评论(0)    收藏  举报