RabbitMQ security in mobile app


Problem description

I am using a RabbitMQ broker in one of the mobile apps that we are developing, and I am a bit puzzled about the security aspects. We are using cloud-hosted RabbitMQ, and the hosting platform has given us a user name and password (which have been changed since). We are using an SSL connection, so I am not so much worried about MITM or eavesdropping.

My concern is that anybody who knows the host and port can make a connection to RabbitMQ. Since we have a mobile app, we are storing the RabbitMQ user name and password on the device (although encrypted), so I guess that anybody who gets physical access to the device and somehow decrypts the username and password can log in to RabbitMQ, and once you are logged in you can pretty much do anything on RabbitMQ, like deleting queues etc. How are MQs like RabbitMQ used in a mobile environment? Is there a better / more secure way of using RabbitMQ?

Recommended answer

In my experience, it is best not to have your mobile app connect to RabbitMQ directly. Use a web server in between the app and RabbitMQ. Have your mobile app connect to your web server via HTTP-based API calls. The web server will connect to RabbitMQ, and you won't have to worry about the mobile app having the connection information in it.

There are several advantages to this, on top of the security problem:

  • Better management of RabbitMQ connections
  • Easier scaling to the number of mobile users
  • Ability to add more logic and processing to the backend as needed, without changing the mobile app

Creating a connection to RabbitMQ is an expensive operation. It requires a TCP/IP connection. Once that connection is open, it stays open until you close it. If you open a connection from your mobile app and leave it open, you are reducing the number of available connections to RabbitMQ. If you open and close the connection quickly, you are inducing a lot of extra cost in creating and closing the connections constantly.

With a web server in the middle, you can open a single connection and have it manage multiple mobile devices. The web server will handle the HTTP requests and use the one connection to RabbitMQ to push messages to it.

Since an HTTP web request is a short-lived connection, you'll be able to handle more users in a short period of time than you would with direct RabbitMQ connections.

This ultimately leads to better scalability, as you can add another web server to handle thousands more mobile app instances while only adding one new RabbitMQ connection.

This also lets you add middle-tier logic inside the web server. You can add additional layers of processing as needed, without changing the mobile app. Change the web server code and redeploy as needed.

If you must do this without a server in the middle, you likely won't be able to get around the security issue that you're having. The mobile device will contain the necessary information to make the connection.
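The gateway pattern the answer describes, as an added example that is not part of the original post: the broker credentials live only on the server, one long-lived RabbitMQ connection is shared by all HTTP requests, and each request is authenticated with a per-device API token and mapped to a narrowly shaped publish, so a compromised device can at most send its own messages rather than delete queues. The `pika` wrapper, the `mobile` exchange, the `user.<id>.events` routing-key layout and the token scheme are all assumptions.

```python
import hmac
import json
import os
import threading

# Broker credentials stay on the server (read from an environment variable
# here; the default URL below is a constructed placeholder, not a real broker).
AMQP_URL = os.environ.get("AMQP_URL", "amqps://app:secret@broker.example.invalid/vhost")


class RabbitPublisher:
    """One long-lived connection and channel shared by every HTTP request."""

    def __init__(self, url=AMQP_URL):
        import pika  # only needed when talking to a real broker
        self._conn = pika.BlockingConnection(pika.URLParameters(url))
        self._ch = self._conn.channel()
        self._lock = threading.Lock()  # BlockingConnection is not thread-safe

    def publish(self, routing_key, body):
        with self._lock:
            self._ch.basic_publish(exchange="mobile", routing_key=routing_key, body=body)


class Gateway:
    """Maps an authenticated HTTP POST to a single, server-controlled publish."""

    def __init__(self, publisher, device_tokens):
        self._pub = publisher
        self._tokens = device_tokens  # user id -> per-device API token issued at login

    def handle_post(self, headers, raw_body):
        presented = headers.get("Authorization", "").removeprefix("Bearer ")
        user = next((u for u, t in self._tokens.items()
                     if hmac.compare_digest(t, presented)), None)
        if user is None:
            return 401, {"error": "unauthorized"}
        try:
            msg = json.loads(raw_body)
        except ValueError:
            return 400, {"error": "malformed JSON"}
        text = msg.get("text") if isinstance(msg, dict) else None
        if not isinstance(text, str) or not 0 < len(text) <= 1024:
            return 400, {"error": "text must be a non-empty string of at most 1024 chars"}
        # The device never chooses the exchange or routing key; the server derives them.
        envelope = json.dumps({"user": user, "text": text}).encode()
        self._pub.publish(f"user.{user}.events", envelope)
        return 202, {"status": "queued"}
```

Any object with a `publish(routing_key, body)` method can stand in for `RabbitPublisher`, which keeps the HTTP layer testable without a broker.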
