# Security Setup
This guide covers securing rabbitmq-backup connections and credentials. Topics include TLS for AMQP and Stream Protocol, HTTPS for the Management API, client certificate authentication, and safe credential management.
## TLS for AMQP (AMQPS)

### RabbitMQ Server Configuration

Ensure your RabbitMQ broker is configured for TLS. In `rabbitmq.conf`:

```ini
listeners.ssl.default = 5671
ssl_options.cacertfile = /path/to/ca_certificate.pem
ssl_options.certfile = /path/to/server_certificate.pem
ssl_options.keyfile = /path/to/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
```
### rabbitmq-backup TLS Configuration

Use the `amqps://` scheme in the connection URL and configure TLS options:

```yaml
source:
  amqp_url: "amqps://backup_user:password@rabbitmq.example.com:5671/%2f"
  management_url: "https://rabbitmq.example.com:15671"
  management_username: backup_user
  management_password: password
  tls:
    enabled: true
    ca_cert: /path/to/ca_certificate.pem
```
### TLS Configuration Fields

| Field | Required | Description |
|---|---|---|
| `tls.enabled` | No | Enable TLS (default: `false`) |
| `tls.ca_cert` | No | Path to CA certificate PEM file for server verification |
| `tls.client_cert` | No | Path to client certificate PEM file (for mutual TLS) |
| `tls.client_key` | No | Path to client private key PEM file (for mutual TLS) |
## Client Certificate Authentication (Mutual TLS)

For environments that require mutual TLS (mTLS), provide both client and CA certificates:

```yaml
source:
  amqp_url: "amqps://rabbitmq.example.com:5671/%2f"
  management_url: "https://rabbitmq.example.com:15671"
  management_username: backup_user
  management_password: password
  tls:
    enabled: true
    ca_cert: /certs/ca.pem
    client_cert: /certs/client.pem
    client_key: /certs/client-key.pem
```
Generate a client certificate signed by your CA:

```bash
# Generate client key
openssl genrsa -out client-key.pem 2048

# Generate CSR
openssl req -new -key client-key.pem -out client.csr \
  -subj "/CN=rabbitmq-backup/O=MyOrg"

# Sign with CA
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out client.pem -days 365
```
Update the RabbitMQ server to require client certificates:

```ini
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
```
## Management API over HTTPS

When the RabbitMQ Management Plugin is configured for HTTPS (port 15671), use the `https://` scheme:

```yaml
source:
  management_url: "https://rabbitmq.example.com:15671"
  management_username: backup_user
  management_password: password
```
The tool uses the system's trusted CA store by default. If you use a private CA, set `tls.ca_cert` in the TLS configuration; it applies to both the AMQP and the HTTP (Management API) connections.
## Credential Management

### Environment Variable Interpolation

The configuration file supports `${ENV_VAR}` interpolation for sensitive values. Keep credentials out of config files:

```yaml
source:
  amqp_url: "amqps://backup_user:${RABBITMQ_PASSWORD}@rabbitmq.example.com:5671/%2f"
  management_url: "https://rabbitmq.example.com:15671"
  management_username: backup_user
  management_password: "${RABBITMQ_PASSWORD}"
storage:
  backend: s3
  bucket: rabbitmq-backups
  region: us-east-1
  # access_key and secret_key read from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
```

```bash
export RABBITMQ_PASSWORD=secret123
export AWS_ACCESS_KEY_ID=AKIAEXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMIEXAMPLEKEY
rabbitmq-backup backup --config backup-secure.yaml
```
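As an added illustration (example code, not rabbitmq-backup's own loader), here is a strict `${ENV_VAR}` resolver of the kind the configuration above relies on, together with a helper that redacts the password before an `amqp_url` is written to a log. `interpolate`, `redact_url` and the `SAMPLE_CONFIG` dict are constructed for this example; the resolver fails on an unset variable instead of substituting an empty string.

```python
import os
import re
from urllib.parse import urlsplit, urlunsplit

# Matches ${NAME}; NAME restricted to shell-style identifier characters.
_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample mirroring backup-secure.yaml, as a YAML loader would return it.
SAMPLE_CONFIG = {
    "source": {
        "amqp_url": "amqps://backup_user:${RABBITMQ_PASSWORD}@rabbitmq.example.com:5671/%2f",
        "management_url": "https://rabbitmq.example.com:15671",
        "management_username": "backup_user",
        "management_password": "${RABBITMQ_PASSWORD}",
    },
    "storage": {"backend": "s3", "bucket": "rabbitmq-backups", "region": "us-east-1"},
}


def interpolate(value, env=None):
    """Recursively resolve ${ENV_VAR} placeholders in a parsed YAML structure.

    An unset variable raises KeyError rather than silently becoming "", so a
    missing RABBITMQ_PASSWORD aborts the run instead of attempting an empty login.
    """
    env = os.environ if env is None else env
    if isinstance(value, str):
        def lookup(match):
            name = match.group(1)
            if name not in env:
                raise KeyError(f"config references unset variable ${{{name}}}")
            return env[name]
        return _VAR.sub(lookup, value)
    if isinstance(value, dict):
        return {k: interpolate(v, env) for k, v in value.items()}
    if isinstance(value, list):
        return [interpolate(v, env) for v in value]
    return value


def redact_url(url):
    """Return url with any userinfo password replaced by *** for safe logging."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
```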
### Environment Variables for Storage Credentials
Each storage backend reads credentials from standard environment variables:
| Backend | Environment Variables |
|---|---|
| S3 | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY |
| Azure | AZURE_STORAGE_KEY, AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, AZURE_STORAGE_SAS_TOKEN |
| GCS | GOOGLE_APPLICATION_CREDENTIALS |
### Kubernetes Secrets

In Kubernetes deployments, mount credentials as Secrets:

```yaml
envFrom:
  - secretRef:
      name: rabbitmq-backup-credentials
```
See the Kubernetes deployment guide for full examples.
### Systemd Credential Isolation

For systemd services, use `LoadCredential` or `SetCredential` instead of placing the secret itself in the unit file's environment. Note that `%d` expands to the service's credentials directory, so the variable below holds the path of the credential file, not its contents:

```ini
[Service]
LoadCredential=rabbitmq-password:/etc/rabbitmq-backup/secrets/password
Environment=RABBITMQ_PASSWORD=%d/rabbitmq-password
```
## Dedicated Backup User

Create a dedicated RabbitMQ user with minimal permissions:

```bash
# Create user
rabbitmqctl add_user backup_user strong-password-here

# Grant read access to all queues (needed for backup)
rabbitmqctl set_permissions -p / backup_user ".*" "" ".*"

# Grant monitoring tag (needed for Management API access)
rabbitmqctl set_user_tags backup_user monitoring
```
The `monitoring` tag provides read-only Management API access, which is sufficient for definitions export and queue discovery.

For restore operations, the user also needs write and configure permissions:

```bash
rabbitmqctl set_permissions -p / restore_user ".*" ".*" ".*"
rabbitmqctl set_user_tags restore_user management
```
## File Permissions

Protect configuration and certificate files:

```bash
# Config file: readable only by the backup user
chmod 600 /etc/rabbitmq-backup/backup.yaml
chown rabbitmq-backup:rabbitmq-backup /etc/rabbitmq-backup/backup.yaml

# Certificate files
chmod 600 /certs/client-key.pem
chown rabbitmq-backup:rabbitmq-backup /certs/*.pem
```
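An added pre-flight check (example code, not part of rabbitmq-backup) that enforces the points of this guide against a parsed `source` section and the files it references: `amqps://` and `https://` schemes, `tls.enabled` consistent with the URL, `client_cert` paired with `client_key`, no literal passwords where `${ENV_VAR}` interpolation is expected, and no group/other permission bits on key or config files. `audit_source`, `private_file_ok` and the temp-file demo are constructed for this example.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

# A value counts as interpolated (not a literal secret) only if it is exactly ${NAME}.
_PLACEHOLDER = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")


def audit_source(source):
    """Return a list of findings for the 'source' section of a parsed config."""
    findings = []
    tls = source.get("tls") or {}
    amqp = urlsplit(source.get("amqp_url", ""))
    if amqp.scheme != "amqps":
        findings.append("amqp_url does not use amqps://; broker traffic is cleartext")
    elif not tls.get("enabled"):
        findings.append("amqps:// URL but tls.enabled is not true")
    if urlsplit(source.get("management_url", "")).scheme != "https":
        findings.append("management_url does not use https://")
    if bool(tls.get("client_cert")) != bool(tls.get("client_key")):
        findings.append("mutual TLS needs both tls.client_cert and tls.client_key")
    if amqp.password and not _PLACEHOLDER.match(amqp.password):
        findings.append("literal password in amqp_url; use ${ENV_VAR} interpolation")
    pw = source.get("management_password") or ""
    if pw and not _PLACEHOLDER.match(pw):
        findings.append("literal management_password; use ${ENV_VAR} interpolation")
    return findings


def private_file_ok(path):
    """True if path is a regular file with no group/other permission bits (mode 0600 or stricter)."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def demo_private_file_check():
    """Constructed demo: a 0600 key file passes, a 0644 one fails."""
    results = []
    for mode in (0o600, 0o644):
        fd, path = tempfile.mkstemp(suffix=".pem")
        os.close(fd)
        os.chmod(path, mode)
        results.append(private_file_ok(path))
        os.remove(path)
    return results
```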
## Stream Protocol TLS

The Stream Protocol (port 5552) uses the same TLS configuration as AMQP. When `tls.enabled` is `true`, the stream client connects over TLS to port 5551 (the default TLS stream port) using the same CA and client certificates.

```yaml
source:
  amqp_url: "amqps://backup_user:password@rabbitmq.example.com:5671/%2f"
  stream_port: 5551  # TLS stream port
  tls:
    enabled: true
    ca_cert: /certs/ca.pem
    client_cert: /certs/client.pem
    client_key: /certs/client-key.pem
```