
RabbitMQ Configuration and Installation

Firewall Configuration

Inbound Rules

| Type | Protocol | Port Range | Sources |
|------|----------|------------|---------|
| All TCP | TCP | All ports | 10.131.43.239, mg-ub-web-001, mg-ub-web-002, mg-ub-web-003, mg-ub-web-004, ProductionConsumers (tag), ProductionWebsocket (tag), Webserver (tag) |
| SSH | TCP | 22 | Bastion (tag) |

Outbound Rules

| Type | Protocol | Port Range | Destinations |
|------|----------|------------|--------------|
| ICMP | ICMP | - | All IPv4, All IPv6 |
| All TCP | TCP | All ports | All IPv4, All IPv6 |
| All UDP | UDP | All ports | All IPv4, All IPv6 |

RabbitMQ Installation

These instructions are for installing RabbitMQ 4.0.5 on Ubuntu 24.04. Correct as of 6th January 2025.

Create Server

In Digital Ocean, create a new Droplet, selecting the following options:

  • Region: London
  • Datacenter: LON1
  • Image: Ubuntu
  • Version: 24.04 (LTS) x64
  • Tags: RabbitMq

All other options are dependent on expected traffic etc. Our current server has:

  • Droplet Type: Basic
  • CPU Options: Regular, 8 GB, 4 vCPUs

The droplet does not need additional storage.

Install RabbitMQ 4.0.5 on New Ubuntu 24.04 Server

RabbitMQ is included in standard Debian and Ubuntu repositories. However, the versions included are many releases behind and may provide RabbitMQ versions that are already out of support.

Team RabbitMQ produces their own Debian packages and distributes them using Cloudsmith.

Run the following commands on the newly created server to install RabbitMQ.

Setup RabbitMQ Repository

These instructions are based on "Installing on Debian and Ubuntu" in the RabbitMQ documentation.

sudo apt-get update -y

sudo apt-get upgrade -y

sudo apt-get install curl gnupg apt-transport-https -y

# Team RabbitMQ's main signing key
curl -1sLf "https://keys.openpgp.org/vks/v1/by-fingerprint/0A9AF2115F4687BD29803A206B73A36E6026DFCA" | sudo gpg --dearmor | sudo tee /usr/share/keyrings/com.rabbitmq.team.gpg > /dev/null

# Community mirror of Cloudsmith: modern Erlang repository
curl -1sLf https://github.com/rabbitmq/signing-keys/releases/download/3.0/cloudsmith.rabbitmq-erlang.E495BB49CC4BBE5B.key | sudo gpg --dearmor | sudo tee /usr/share/keyrings/rabbitmq.E495BB49CC4BBE5B.gpg > /dev/null

# Community mirror of Cloudsmith: RabbitMQ repository
curl -1sLf https://github.com/rabbitmq/signing-keys/releases/download/3.0/cloudsmith.rabbitmq-server.9F4587F226208342.key | sudo gpg --dearmor | sudo tee /usr/share/keyrings/rabbitmq.9F4587F226208342.gpg > /dev/null
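Before apt is pointed at these keyrings, it is worth confirming that each file actually contains the key it is named after. The following is an added example, not part of the original page or the RabbitMQ project's own tooling; the function names are hypothetical, and the expected values are the fingerprint and key IDs that appear in the download URLs above.

```shell
#!/bin/sh
# Added example (not from the original page): confirm each keyring written
# above holds the expected key before apt trusts it. Names are hypothetical.

# has_fingerprint WANT: reads `gpg --with-colons` output on stdin; succeeds if a
# key or subkey fingerprint ends with WANT (full fingerprint or 16-hex key ID).
has_fingerprint() {
  [ -n "$1" ] || return 2
  awk -F: -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
    $1 == "fpr" && length($10) >= length(want) &&
      substr($10, length($10) - length(want) + 1) == want { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# check_keyring FILE WANT: prints OK/MISSING/MISMATCH; non-zero unless OK.
check_keyring() {
  if [ ! -r "$1" ]; then echo "MISSING  $1"; return 2; fi
  if gpg --show-keys --with-colons "$1" 2>/dev/null | has_fingerprint "$2"; then
    echo "OK       $1"
  else
    echo "MISMATCH $1 (expected key ending $2)"; return 1
  fi
}

# Expected values come from the download URLs on this page. Only the main
# signing key has a full fingerprint there; the two Cloudsmith keys are matched
# on their 64-bit key ID, which is a weaker check.
check_all() {
  rc=0
  check_keyring /usr/share/keyrings/com.rabbitmq.team.gpg \
    0A9AF2115F4687BD29803A206B73A36E6026DFCA || rc=1
  check_keyring /usr/share/keyrings/rabbitmq.E495BB49CC4BBE5B.gpg E495BB49CC4BBE5B || rc=1
  check_keyring /usr/share/keyrings/rabbitmq.9F4587F226208342.gpg 9F4587F226208342 || rc=1
  return "$rc"
}

# Constructed sample of gpg colon output (not a real key), for trying the parser.
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1700000000:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Usage on the server: sh verify-keyrings.sh --run
if [ "${1:-}" = "--run" ]; then check_all; fi
```

A MISMATCH or MISSING result means the download should be repeated and inspected before running apt-get update.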

Add repositories:

sudo tee /etc/apt/sources.list.d/rabbitmq.list <<EOF
## Provides modern Erlang/OTP releases from a Cloudsmith mirror
##
deb [arch=amd64 signed-by=/usr/share/keyrings/rabbitmq.E495BB49CC4BBE5B.gpg] https://ppa1.rabbitmq.com/rabbitmq/rabbitmq-erlang/deb/ubuntu noble main
deb-src [signed-by=/usr/share/keyrings/rabbitmq.E495BB49CC4BBE5B.gpg] https://ppa1.rabbitmq.com/rabbitmq/rabbitmq-erlang/deb/ubuntu noble main

# another mirror for redundancy
deb [arch=amd64 signed-by=/usr/share/keyrings/rabbitmq.E495BB49CC4BBE5B.gpg] https://ppa2.rabbitmq.com/rabbitmq/rabbitmq-erlang/deb/ubuntu noble main
deb-src [signed-by=/usr/share/keyrings/rabbitmq.E495BB49CC4BBE5B.gpg] https://ppa2.rabbitmq.com/rabbitmq/rabbitmq-erlang/deb/ubuntu noble main

## Provides RabbitMQ from a Cloudsmith mirror
##
deb [arch=amd64 signed-by=/usr/share/keyrings/rabbitmq.9F4587F226208342.gpg] https://ppa1.rabbitmq.com/rabbitmq/rabbitmq-server/deb/ubuntu noble main
deb-src [signed-by=/usr/share/keyrings/rabbitmq.9F4587F226208342.gpg] https://ppa1.rabbitmq.com/rabbitmq/rabbitmq-server/deb/ubuntu noble main

# another mirror for redundancy
deb [arch=amd64 signed-by=/usr/share/keyrings/rabbitmq.9F4587F226208342.gpg] https://ppa2.rabbitmq.com/rabbitmq/rabbitmq-server/deb/ubuntu noble main
deb-src [signed-by=/usr/share/keyrings/rabbitmq.9F4587F226208342.gpg] https://ppa2.rabbitmq.com/rabbitmq/rabbitmq-server/deb/ubuntu noble main
EOF

Version Pinning

Version pinning avoids unintentionally upgrading RabbitMQ when upgrading other OS packages.

sudo tee /etc/apt/preferences.d/erlang <<EOF
Package: erlang*
Pin: version 1:27.2-1
Pin-Priority: 999
EOF

sudo tee /etc/apt/preferences.d/rabbitmq <<EOF
Package: rabbitmq-server
Pin: version 4.0.5-1
Pin-Priority: 999
EOF

Verify the pinned versions by checking the pin-priority:

sudo apt-get update -y

apt policy rabbitmq-server
apt policy erlang-base
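The pin check above can be scripted so that a pin that silently fails to match is caught before installation. This is an added example, not from the original page; the function names are hypothetical, the sample output is constructed, and the versions and priority are the ones pinned above.

```shell
#!/bin/sh
# Added example (not from the original page): confirm the apt pins are in
# effect. Function names are hypothetical. apt-cache is used instead of apt
# because apt warns that its own CLI output is not stable for scripts.

# candidate_of: reads `apt-cache policy PKG` output on stdin, prints Candidate.
candidate_of() { awk '$1 == "Candidate:" { print $2; exit }'; }

# priority_of VERSION: prints the priority shown next to VERSION in the version
# table (the line starts with "***" when that version is installed).
priority_of() {
  awk -v v="$1" '
    $1 == "***" && $2 == v { print $3; exit }
    $1 == v && NF == 2     { print $2; exit }'
}

# pin_ok VERSION PRIORITY: reads policy output on stdin; succeeds only if
# VERSION is the install candidate and carries PRIORITY.
pin_ok() {
  policy=$(cat)
  [ "$(printf '%s\n' "$policy" | candidate_of)" = "$1" ] &&
    [ "$(printf '%s\n' "$policy" | priority_of "$1")" = "$2" ]
}

# Constructed sample: a newer 4.0.9-1 is in the repository, but the pin keeps
# 4.0.5-1 as the candidate.
SAMPLE_POLICY='rabbitmq-server:
  Installed: (none)
  Candidate: 4.0.5-1
  Version table:
     4.0.9-1 500
        500 https://ppa1.rabbitmq.com/rabbitmq/rabbitmq-server/deb/ubuntu noble/main amd64 Packages
     4.0.5-1 999
        500 https://ppa1.rabbitmq.com/rabbitmq/rabbitmq-server/deb/ubuntu noble/main amd64 Packages'

# Usage on the server: sh check-pins.sh --run
if [ "${1:-}" = "--run" ]; then
  apt-cache policy rabbitmq-server | pin_ok 4.0.5-1 999 && echo "rabbitmq-server pin OK"
  apt-cache policy erlang-base | pin_ok 1:27.2-1 999 && echo "erlang-base pin OK"
fi
```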

Install RabbitMQ

sudo apt-get update -y

## Install Erlang packages
sudo apt-get install -y erlang-base \
  erlang-asn1 erlang-crypto erlang-eldap erlang-ftp erlang-inets \
  erlang-mnesia erlang-os-mon erlang-parsetools erlang-public-key \
  erlang-runtime-tools erlang-snmp erlang-ssl \
  erlang-syntax-tools erlang-tftp erlang-tools erlang-xmerl

## Install rabbitmq-server and its dependencies
sudo apt-get install rabbitmq-server -y --fix-missing

Verify that RabbitMQ is installed and is the correct version:

rabbitmqctl version

The output should show 4.0.5.

RabbitMQ Configuration

A user guest with password guest is created by default, but this user can only connect from localhost.

Create User

Create a new user with username mg. You will be asked to set a password; check the app settings for the password currently being used:

rabbitmqctl add_user "mg"

Grant the new user permissions:

rabbitmqctl set_permissions -p "/" "mg" ".*" ".*" ".*"

Enable Required Plugins

rabbitmq-plugins enable rabbitmq_consistent_hash_exchange
rabbitmq-plugins enable rabbitmq_management

Restart RabbitMQ

systemctl restart rabbitmq-server

Verify Configuration

Verify user was created successfully (mg user should be in the list):

rabbitmqctl list_users

Verify required plugins are enabled (plugins should have '*' next to them):

rabbitmq-plugins list

Create Server Users

For each required user, create a user and give them sudo permissions (replace {username} with the required username):

useradd -m -G sudo -s /bin/bash {username}

echo '{username} ALL=NOPASSWD: ALL' >> /etc/sudoers.d/50-sudo-users

Add SSH keys:

mkdir /home/{username}/.ssh
touch /home/{username}/.ssh/authorized_keys

chown {username}:{username} /home/{username}/.ssh
chown {username}:{username} /home/{username}/.ssh/authorized_keys

chmod 700 /home/{username}/.ssh
chmod 600 /home/{username}/.ssh/authorized_keys

Copy the user's public ssh key into /home/{username}/.ssh/authorized_keys.

Create Firewall Rules in Digital Ocean

The new server must block all incoming connections on all ports by default, with the following allow rules:

For security, we only allow SSH access via the bastion server, so the new server must block all incoming connections on port 22 from everything except the Bastion server (Bastion tag).

The RabbitMQ server firewall must allow incoming connections from all servers that access the message queue, and those servers must allow outgoing connections on those ports. The servers that need access are:

  • All web servers
  • All consumer servers
  • Gantt scheduling
  • Websocket server

These tag-based rules are already set up in Digital Ocean and, as long as the RabbitMq tag was added when creating the server, you shouldn't have to do anything here. You can verify these rules are in place by checking the new droplet's networking settings in the Digital Ocean interface.

Update Other Server Configs

For each server that communicates with RabbitMQ, update the relevant config option to the Private IP address of the new RabbitMQ server. The options are located as follows:

  • Web servers: amqp.host in settings.php in the app code. Requires code deployment to each web server.
  • Consumer servers: amqp.host in settings.php (i.e. same setting as web servers). Requires code deployment to all consumer servers.
  • Gantt servers: Command line option --rabbit-mq-host in the schedule-listener.mjs command, defined in supervisor conf file on the server.
  • Websocket servers: Command line option --rabbit-mq-host in the server.js command, defined in supervisor conf file on the server.

Note: Updating these config options in production will require app downtime.
