RabbitMQ security in a mobile application

use*_*060 1 security ssl rabbitmq

I am using a RabbitMQ broker in a mobile application we are developing, and I am a bit confused about the security side. We are using a cloud-hosted RabbitMQ; the hosting platform gave us a username and password (which have since been changed), and we are connecting over SSL, so I am not too worried about MITM or eavesdropping.

What I am worried about is that anyone who knows the host and port can connect to RabbitMQ. Since we have a mobile app, we store the RabbitMQ username and password on the device (encrypted, though), so I guess anyone with physical access to the device who somehow decrypts the username and password could log in to RabbitMQ, and once logged in you can do almost anything on RabbitMQ, such as deleting queues. How is an MQ like RabbitMQ used in a mobile setting? Is there a better/safer way to use RabbitMQ?

Der*_*ley 6

In my experience, it is best to not have your mobile app connect to rabbitmq directly. Use a web server in between the app and RabbitMQ. Have your mobile app connect to your web server via HTTP based API calls. The web server will connect to RabbitMQ, and you won't have to worry about the mobile app having the connection information in it.

There are several advantages of this, on top of the security problem:

  • better management of RabbitMQ connections
  • easier to scale number of mobile users
  • ability to add more logic and processing to the back-end, as needed, without changing the mobile app

Creating a connection to RabbitMQ is an expensive operation. It requires a TCP/IP connection. Once that connection is open, it stays open until you close it. If you open a connection from your mobile app and leave it open, you are reducing the number of available connections to RabbitMQ. If you open and close the connection quickly, you are inducing a lot of extra cost in creating and closing the connections constantly.

With a web server in the middle, you can open a single connection and have it manage multiple mobile devices. The web server will handle the HTTP requests and use the one connection to RabbitMQ to push messages to it.

Since an HTTP web request is a short-lived connection, you'll be able to handle more users in a short period of time than you would with direct RabbitMQ connections.

This ultimately leads to better scalability, as you can add another web server to handle thousands more mobile app instances while only adding one new RabbitMQ connection.

This also lets you add middle-tier logic inside the web server. You can add extra processing layers as needed without changing the mobile app. Change the web server code and redeploy as needed.

If you have to do this without a server in the middle, then you probably can't solve the security problem you described. The mobile device will contain the information needed to make the connection.
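The gateway pattern the answer describes, written out as an added example (it is not code from the question or the answer): the broker username and password exist only inside the gateway process, which holds one long-lived broker connection, while each mobile device gets its own revocable token and is only allowed to publish within its own routing-key namespace. The `BrokerConnection` class is a constructed in-memory stand-in so the example runs offline; in a real deployment it would wrap a single AMQP client connection (for example pika's `BlockingConnection`) opened with the gateway's credentials. The names `Gateway`, `enroll_device`, `revoke_device` and `handle_request` are assumptions of this example, not a library API.

```python
"""Gateway between mobile clients and RabbitMQ (constructed example).

Mobile apps never see the broker credentials; they authenticate to the
gateway with a per-device token, and the gateway exposes only the narrow
set of actions the app actually needs (here: publish under its own prefix).
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class BrokerConnection:
    """Stand-in for ONE long-lived AMQP connection owned by the gateway.

    Constructed for this example: it records publishes in memory instead of
    talking to a broker, so the example runs offline.
    """

    def __init__(self, username: str, password: str) -> None:
        # Broker credentials live only in the gateway process, never on a device.
        self._username = username
        self._password = password
        self.published: List[Tuple[str, str, bytes]] = []

    def publish(self, exchange: str, routing_key: str, body: bytes) -> None:
        self.published.append((exchange, routing_key, body))


# The HTTP API deliberately exposes no queue/exchange management operations,
# so a stolen device token cannot delete queues the way a broker login could.
ALLOWED_ACTIONS = {"publish"}


@dataclass
class Gateway:
    broker: BrokerConnection
    exchange: str = "mobile"
    # device_id -> per-device secret token (constructed; a real gateway would
    # store a hash of the token in a database)
    device_tokens: Dict[str, bytes] = field(default_factory=dict)

    def enroll_device(self, device_id: str) -> str:
        """Issue a fresh random token for a device; returns it once to the app."""
        token = secrets.token_hex(16)
        self.device_tokens[device_id] = token.encode()
        return token

    def revoke_device(self, device_id: str) -> bool:
        """Revoke a lost/compromised device without touching broker credentials."""
        return self.device_tokens.pop(device_id, None) is not None

    def handle_request(
        self, device_id: str, token: str, action: str, routing_key: str, body: bytes
    ) -> Tuple[int, str]:
        """Simulates handling one HTTP request; returns (status_code, message)."""
        expected = self.device_tokens.get(device_id)
        # Constant-time comparison so token checks don't leak timing information.
        if expected is None or not hmac.compare_digest(expected, token.encode()):
            return 401, "unknown device or bad token"
        if action not in ALLOWED_ACTIONS:
            return 403, f"action {action!r} is not exposed by this gateway"
        # Authorization: a device may only publish under its own namespace.
        if not routing_key.startswith(f"device.{device_id}."):
            return 403, "routing key outside the device's namespace"
        # Forward over the single shared broker connection.
        self.broker.publish(self.exchange, routing_key, body)
        return 202, "queued"


if __name__ == "__main__":
    # Constructed usage: one gateway, one broker connection, two devices.
    gw = Gateway(BrokerConnection("gateway-user", "gateway-secret"))
    tok = gw.enroll_device("dev1")
    print(gw.handle_request("dev1", tok, "publish", "device.dev1.telemetry", b"{}"))
    print(gw.handle_request("dev1", tok, "delete_queue", "device.dev1.telemetry", b""))
    print(gw.handle_request("dev1", tok, "publish", "device.dev2.telemetry", b"{}"))
    gw.revoke_device("dev1")
    print(gw.handle_request("dev1", tok, "publish", "device.dev1.telemetry", b"{}"))
```

The point to notice is what a stolen device buys an attacker under each design: with broker credentials on the device it is a full broker login, while with the gateway it is one device's token, limited to the actions and routing keys the gateway permits and revocable with `revoke_device` without rotating the broker password that every other client depends on.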