## This example configuration file demonstrates various settings ## available via rabbitmq.conf. It primarily focuses core broker settings ## but some tier 1 plugin settings are also covered. ## ## This file is AN EXAMPLE. It is NOT MEANT TO BE USED IN PRODUCTION. Instead of ## copying the entire (large!) file, create or generate a new rabbitmq.conf for the target system ## and populate it with the necessary settings. ## ## See https://www.rabbitmq.com/docs/configure to learn about how to configure RabbitMQ, ## the ini-style format used by rabbitmq.conf, how it is different from `advanced.config`, ## how to verify effective configuration, and so on. ## ## See https://www.rabbitmq.com/docs/documentation for the rest of RabbitMQ documentation. ## ## In case you have questions, please use rabbitmq/rabbitmq-server Discussions and ## the RabbitMQ community Discord server http://rabbitmq.com/discord for questions. # # Core Broker # ## ## Networking ## Relevant doc guide: https://www.rabbitmq.com/docs/networking. ## ## By default, RabbitMQ will listen on all interfaces, using ## the standard (reserved) AMQP 0-9-1 and 1.0 port. ## # listeners.tcp.default = 5672 ## To listen on a specific interface, provide an IP address with port. ## For example, to listen only on localhost for both IPv4 and IPv6: ## # IPv4 # listeners.tcp.local = 127.0.0.1:5672 # IPv6 # listeners.tcp.local_v6 = ::1:5672 ## You can define multiple listeners using listener names # listeners.tcp.other_port = 5673 # listeners.tcp.other_ip = 10.10.10.10:5672 ## TLS listeners are configured in the same fashion as TCP listeners, ## including the option to control the choice of interface. ## # listeners.ssl.default = 5671 ## It is possible to disable regular TCP (non-TLS) listeners. Clients ## not configured to use TLS and the correct TLS-enabled port won't be able ## to connect to this node. # listeners.tcp = none ## Number of Erlang processes that will accept connections for the TCP ## and TLS listeners. ## # num_acceptors.tcp = 10 # num_acceptors.ssl = 10 ## Socket writer will force GC every so many bytes transferred. ## Default is 1 GiB (`1000000000`). Set to 'off' to disable. ## # socket_writer.gc_threshold = 1000000000 # ## To disable: # socket_writer.gc_threshold = off ## Maximum amount of time allowed for the AMQP 0-9-1 and AMQP 1.0 handshake ## (performed after socket connection and TLS handshake) to complete, in milliseconds. ## # handshake_timeout = 10000 ## Set to 'true' to perform reverse DNS lookups when accepting a ## connection. rabbitmqctl and management UI will then display hostnames ## instead of IP addresses. Default value is `false`. ## # reverse_dns_lookups = false ## ## Security, Access Control ## ## Relevant doc guide: https://www.rabbitmq.com/docs/access-control. ## The default "guest" user is only permitted to access the server ## via a loopback interface (e.g. localhost). ## {loopback_users, [<<"guest">>]}, ## # loopback_users.guest = true ## Uncomment the following line if you want to allow access to the ## guest user from anywhere on the network. # loopback_users.guest = false ## ## TLS Configuration ## ## Relevant doc guide: https://www.rabbitmq.com/docs/ssl. ## # listeners.ssl.1 = 5671 # # ssl_options.verify = verify_peer # ssl_options.fail_if_no_peer_cert = false # ssl_options.cacertfile = /path/to/cacert.pem # ssl_options.certfile = /path/to/cert.pem # ssl_options.keyfile = /path/to/key.pem # # ## ssl_options.password supports encrypted values, ## ## Relevant doc guide: https://www.rabbitmq.com/docs/configure#configuration-encryption ## # ssl_options.password = encrypted:kDnCy25dRvI8xs4nrJ6hp34ffL0ODKAzHrT6R8eOqR3TKL8lbI12M15wkA1SGmmL # # ## ## Cipher Suite Ordering ## ## Relevant doc guide: https://www.rabbitmq.com/docs/ssl#cipher-suite-order ## # ssl_options.honor_cipher_order = true # ssl_options.honor_ecc_order = true # ## These are highly recommended for TLSv1.2 but cannot be used ## with TLSv1.3. If TLSv1.3 is enabled, these lines MUST be removed. # ssl_options.client_renegotiation = false # ssl_options.secure_renegotiate = true # ## Limits what TLS versions the server enables for client TLS ## connections. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/ssl#tls-versions ## ## Cutting edge TLS version which requires recent client runtime ## versions and has no cipher suite in common with earlier TLS versions. # ssl_options.versions.1 = tlsv1.3 ## Enables TLSv1.2 for best compatibility # ssl_options.versions.2 = tlsv1.2 ## Older TLS versions have known vulnerabilities and are being phased out ## from wide use. ## Limits what cipher suites the server will use for client TLS ## connections. Narrowing this down can prevent some clients ## from connecting. ## If TLSv1.3 is enabled and cipher suites are overridden, TLSv1.3-specific ## cipher suites must also be explicitly enabled. ## ## Relevant doc guides: ## ## * https://www.rabbitmq.com/docs/ssl#cipher-suites ## * https://www.rabbitmq.com/docs/ssl#tls1.3 ## * https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites ## # ## The example below uses TLSv1.3 cipher suites only # # ssl_options.ciphers.1 = TLS_AES_256_GCM_SHA384 # ssl_options.ciphers.2 = TLS_AES_128_GCM_SHA256 # ssl_options.ciphers.3 = TLS_CHACHA20_POLY1305_SHA256 # ssl_options.ciphers.4 = TLS_AES_128_CCM_SHA256 # ssl_options.ciphers.5 = TLS_AES_128_CCM_8_SHA256 # ## The example below uses TLSv1.2 cipher suites only # # ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384 # ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384 # ssl_options.ciphers.3 = ECDHE-ECDSA-AES256-SHA384 # ssl_options.ciphers.4 = ECDHE-RSA-AES256-SHA384 # ssl_options.ciphers.5 = ECDH-ECDSA-AES256-GCM-SHA384 # ssl_options.ciphers.6 = ECDH-RSA-AES256-GCM-SHA384 # ssl_options.ciphers.7 = ECDH-ECDSA-AES256-SHA384 # ssl_options.ciphers.8 = ECDH-RSA-AES256-SHA384 # ssl_options.ciphers.9 = DHE-RSA-AES256-GCM-SHA384 # ssl_options.ciphers.10 = DHE-DSS-AES256-GCM-SHA384 # ssl_options.ciphers.11 = DHE-RSA-AES256-SHA256 # ssl_options.ciphers.12 = DHE-DSS-AES256-SHA256 # ssl_options.ciphers.13 = ECDHE-ECDSA-AES128-GCM-SHA256 # ssl_options.ciphers.14 = ECDHE-RSA-AES128-GCM-SHA256 # ssl_options.ciphers.15 = ECDHE-ECDSA-AES128-SHA256 # ssl_options.ciphers.16 = ECDHE-RSA-AES128-SHA256 # ssl_options.ciphers.17 = ECDH-ECDSA-AES128-GCM-SHA256 # ssl_options.ciphers.18 = ECDH-RSA-AES128-GCM-SHA256 # ssl_options.ciphers.19 = ECDH-ECDSA-AES128-SHA256 # ssl_options.ciphers.20 = ECDH-RSA-AES128-SHA256 # ssl_options.ciphers.21 = DHE-RSA-AES128-GCM-SHA256 # ssl_options.ciphers.22 = DHE-DSS-AES128-GCM-SHA256 # ssl_options.ciphers.23 = DHE-RSA-AES128-SHA256 # ssl_options.ciphers.24 = DHE-DSS-AES128-SHA256 # ssl_options.ciphers.25 = ECDHE-ECDSA-AES256-SHA # ssl_options.ciphers.26 = ECDHE-RSA-AES256-SHA # ssl_options.ciphers.27 = DHE-RSA-AES256-SHA # ssl_options.ciphers.28 = DHE-DSS-AES256-SHA # ssl_options.ciphers.29 = ECDH-ECDSA-AES256-SHA # ssl_options.ciphers.30 = ECDH-RSA-AES256-SHA # ssl_options.ciphers.31 = ECDHE-ECDSA-AES128-SHA # ssl_options.ciphers.32 = ECDHE-RSA-AES128-SHA # ssl_options.ciphers.33 = DHE-RSA-AES128-SHA # ssl_options.ciphers.34 = DHE-DSS-AES128-SHA # ssl_options.ciphers.35 = ECDH-ECDSA-AES128-SHA # ssl_options.ciphers.36 = ECDH-RSA-AES128-SHA # ssl_options.bypass_pem_cache = true ## Select an authentication/authorisation backend to use. ## ## Alternative backends are provided by plugins, such as rabbitmq-auth-backend-ldap. ## ## NB: These settings require certain plugins to be enabled. ## ## Relevant doc guides: ## ## * https://www.rabbitmq.com/docs/plugins ## * https://www.rabbitmq.com/docs/access-control ## # auth_backends.1 = rabbit_auth_backend_internal ## uses separate backends for authentication and authorisation, ## see below. # auth_backends.1.authn = rabbit_auth_backend_ldap # auth_backends.1.authz = rabbit_auth_backend_internal ## The rabbitmq_auth_backend_ldap plugin allows the broker to ## perform authentication and authorisation by deferring to an ## external LDAP server. ## ## Relevant doc guides: ## ## * https://www.rabbitmq.com/docs/ldap ## * https://www.rabbitmq.com/docs/access-control ## ## uses LDAP for both authentication and authorisation # auth_backends.1 = rabbit_auth_backend_ldap ## uses HTTP service for both authentication and ## authorisation # auth_backends.1 = rabbit_auth_backend_http ## uses two backends in a chain: HTTP first, then internal # auth_backends.1 = rabbit_auth_backend_http # auth_backends.2 = rabbit_auth_backend_internal ## Authentication ## The built-in mechanisms are 'PLAIN', ## 'AMQPLAIN', and 'EXTERNAL' Additional mechanisms can be added via ## plugins. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/authentication. ## # auth_mechanisms.1 = PLAIN # auth_mechanisms.2 = AMQPLAIN # auth_mechanisms.3 = ANONYMOUS ## The rabbitmq-auth-mechanism-ssl plugin makes it possible to ## authenticate a user based on the client's x509 (TLS) certificate. ## Relevant doc guide: https://www.rabbitmq.com/docs/authentication. ## ## To use auth-mechanism-ssl, the EXTERNAL mechanism should ## be enabled: ## # auth_mechanisms.1 = PLAIN # auth_mechanisms.2 = AMQPLAIN # auth_mechanisms.3 = EXTERNAL ## To force x509 certificate-based authentication on all clients, ## exclude all other mechanisms (note: this will disable password-based ## authentication even for the management UI!): ## # auth_mechanisms.1 = EXTERNAL ## This pertains to both the rabbitmq-auth-mechanism-ssl plugin and ## STOMP ssl_cert_login configurations. See the RabbitMQ STOMP plugin ## configuration section later in this file and the README in ## https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl for further ## details. ## ## To use the TLS cert's CN instead of its DN as the username ## # ssl_cert_login_from = common_name ## TLS handshake timeout, in milliseconds. ## # ssl_handshake_timeout = 5000 ## ## Loading Definitions ## ## Relevant documentation: https://www.rabbitmq.com/docs/definitions#import-on-boot ## ## To import definitions from a local file on node boot, set the ## load_definitions config key to a path of a previously exported ## JSON file with definitions. Does not require management plugin ## to be enabled. ## # load_definitions = /path/to/definitions/file.json ## Password hashing implementation. Will only affect newly ## created users. To recalculate hash for an existing user ## it's necessary to update her password. ## ## To use SHA-512, set to rabbit_password_hashing_sha512. ## # password_hashing_module = rabbit_password_hashing_sha256 ## When importing definitions exported from versions earlier ## than 3.6.0, it is possible to go back to MD5 (only do this ## as a temporary measure!) by setting this to rabbit_password_hashing_md5. ## # password_hashing_module = rabbit_password_hashing_md5 ## ## Default User / VHost ## ## On first start RabbitMQ will create a vhost and a user. These ## config items control what gets created. ## Relevant doc guide: https://www.rabbitmq.com/docs/access-control ## # default_vhost = / # default_user = guest # default_pass = guest # default_permissions.configure = .* # default_permissions.read = .* # default_permissions.write = .* ## default_pass supports encrypted values, ## see https://www.rabbitmq.com/docs/configure#configuration-encryption ### and 'rabbitmqctl help encrypt_conf_value' # default_user = guest # default_pass = encrypted:uL+A4nxXdgaqjGbs92Vo36ApOruJp76cCSsklS6/mT6jo2r0hfamM1nMO/Yirwfz ## Tags for default user ## ## ## Relevant doc guide: https://www.rabbitmq.com/docs/management ## # default_user_tags.administrator = true ## Define other tags like this: # default_user_tags.management = true # default_user_tags.custom_tag = true ## ## Additional network and protocol related configuration ## ## Set the server AMQP 0-9-1 heartbeat timeout in seconds. ## RabbitMQ nodes will send heartbeat frames at roughly ## the (timeout / 2) interval. Two missed heartbeats from ## a client will close its connection. ## ## Values lower than 6 seconds are very likely to produce ## false positives and are not recommended. ## ## Relevant doc guides: ## ## * https://www.rabbitmq.com/docs/heartbeats ## * https://www.rabbitmq.com/docs/networking ## # heartbeat = 60 ## Set the max permissible size of an AMQP frame (in bytes). ## # frame_max = 131072 ## Set the max frame size the server will accept before connection ## tuning occurs ## # initial_frame_max = 4096 ## Set the max permissible number of channels per connection. ## 0 means "no limit". ## # channel_max = 128 ## Customising TCP Listener (Socket) Configuration. ## ## Relevant doc guides: ## ## * https://www.rabbitmq.com/docs/networking ## * https://www.erlang.org/doc/apps/kernel/inet.html#setopts-2 ## # tcp_listen_options.backlog = 128 # tcp_listen_options.nodelay = true # tcp_listen_options.exit_on_close = false # # tcp_listen_options.keepalive = true # tcp_listen_options.send_timeout = 15000 # # tcp_listen_options.buffer = 196608 # tcp_listen_options.sndbuf = 196608 # tcp_listen_options.recbuf = 196608 ## ## Queues ## ## If set, the 'x-queue-type' header will be ignored (not compared for equivalence) ## for queue redeclaration. This can simplify upgrades of applications that explicitly ## set 'x-queue-type' to 'classic' for historical reasons but do not set any other ## properties that may conflict or significantly change queue behavior and semantics, such as the 'exclusive' field. # quorum_queue.property_equivalence.relaxed_checks_on_redeclaration = true ## Sets the initial quorum queue replica count for newly declared quorum queues. ## This value can be overridden using the 'x-quorum-initial-group-size' queue argument ## at declaration time. # quorum_queue.initial_cluster_size = 3 ## Sets the maximum number of unconfirmed messages a channel can send ## before publisher flow control is triggered. ## The current default is configured to provide good performance and stability ## when there are multiple publishers sending to the same quorum queue. # quorum_queue.commands_soft_limit = 32 ## Changes classic queue storage implementation version. ## In 4.0.x, version 2 is the default and this is a forward compatibility setting, ## that is, it will be useful when a new version is developed. ## # classic_queue.default_version = 2 ## ## Stream Protocol ## ## Relevant doc guides: ## ## * https://www.rabbitmq.com/docs/streams ## * https://www.rabbitmq.com/docs/stream ## * https://www.rabbitmq.com/docs/stream-connections ## ## RabbitMQ Stream Protocol plain TCP listeners and their ports. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/stream#tcp-listeners ## # stream.listeners.tcp.default = 5552 ## RabbitMQ Stream Protocol TLS listeners and their ports. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/stream#tls ## # stream.listeners.ssl.default = 5553 ## Number of Erlang processes that will accept RabbitMQ Stream Protocol client connections, ## one setting for for the TCP and one for the TLS listeners. # stream.num_acceptors.tcp = 10 # stream.num_acceptors.ssl = 1 ## Set the server RabbitMQ Stream Protocol heartbeat timeout in seconds. ## This is an equivalent of the `heartbeat` setting for AMQP 0-9-1 and AMQP 1.0 ## client connections but for RabbitMQ Stream Protocol. ## ## Values lower than 6 seconds are very likely to produce ## false positives and are not recommended. ## ## Relevant doc guides: ## ## * https://www.rabbitmq.com/docs/stream ## * https://www.rabbitmq.com/docs/heartbeats ## * https://www.rabbitmq.com/docs/networking # stream.heartbeat = 30 ## Port range used for stream replication connections. ## The number of connections, and therefore the necessary port range, ## depend on the number of streams and their replicas (members). ## # stream.replication.port_range.min = 5000 # stream.replication.port_range.max 10000 ## Advertised hostname and port for stream clients. Use when RabbitMQ ## is behind a load balancer or in a container environment. ## ## Relevant doc guides: ## ## * https://www.rabbitmq.com/docs/stream#advertised-host-port ## * https://www.rabbitmq.com/blog/2021/07/23/connecting-to-streams ## # stream.advertised_host = localhost # stream.advertised_port = 5552 # stream.advertised_tls_host = localhost # stream.advertised_tls_port = 5553 ## ## Resource Limits & Flow Control ## ## Relevant doc guide: https://www.rabbitmq.com/docs/memory. ## Memory-based Flow Control threshold. ## # vm_memory_high_watermark.relative = 0.6 ## Alternatively, we can set a limit (in bytes) of RAM used by the node. ## # vm_memory_high_watermark.absolute = 1073741824 ## Or you can set absolute value using memory units (with RabbitMQ 3.6.0+). ## Absolute watermark will be ignored if relative is defined! ## # vm_memory_high_watermark.absolute = 2GB ## ## Supported unit symbols: ## ## k, kiB: kibibytes (2^10 - 1,024 bytes) ## M, MiB: mebibytes (2^20 - 1,048,576 bytes) ## G, GiB: gibibytes (2^30 - 1,073,741,824 bytes) ## kB: kilobytes (10^3 - 1,000 bytes) ## MB: megabytes (10^6 - 1,000,000 bytes) ## GB: gigabytes (10^9 - 1,000,000,000 bytes) ## Selects Erlang VM memory consumption calculation strategy. Can be `allocated`, `rss` or `legacy` (aliased as `erlang`), ## Introduced in 3.6.11. `rss` is the default as of 3.6.12. ## See https://github.com/rabbitmq/rabbitmq-server/issues/1223 and rabbitmq/rabbitmq-common#224 for background. # vm_memory_calculation_strategy = rss ## The total memory available can be calculated from the OS resources ## - default option - or provided as a configuration parameter. # total_memory_available_override_value = 2GB ## Set disk free limit (in bytes). Once free disk space reaches this ## lower bound, a disk alarm will be set. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/memory ## ## Absolute watermark will be ignored if relative is defined! # disk_free_limit.absolute = 50000 ## Or you can set it using memory units (same as in vm_memory_high_watermark) ## with RabbitMQ 3.6.0+. # disk_free_limit.absolute = 500KB # disk_free_limit.absolute = 50mb # disk_free_limit.absolute = 5GB ## Alternatively, we can set a limit relative to total available RAM. ## ## Values lower than 1.0 can be dangerous and should be used carefully. # disk_free_limit.relative = 2.0 ## ## Clustering ## ## By default cluster name is set to the name of the first ## node to have formed the cluster. It can be overridden ## to make it easier for (human) operators to tell one cluster from another. # cluster_name = dev3.eng.megacorp.local ## Optional key-value pairs that tag (label) the cluster. ## They will be reported by CLI tools, by the HTTP API at 'GET /api/overview', ## and potentially in other contexts. # cluster_tags.region = us-east-1 # cluster_tags.zone = us-east-1d # cluster_tags.project = an-iot-thing # cluster_tags.role = mqtt-ingress # cluster_tags.environment = staging ## A similar set of key-value pairs can be used to tag (label) ## the specific node that will use this configuration file. # node_tags.uuid = '88CD083F-E211-479B-814A-6DA42FE78AF3' # node_tags.role = mqtt-ingress # node_tags.environment = staging ## Selects the default strategy used to pick a node to place a new queue leader replica ## on. Can be overridden by the `x-queue-leader-locator` optional queue argument ## at declaration time. ## ## "balanced" (the default) is recommended for most environments. It works ## like so: ## ## 1. When there are many queues in the cluster, the candidate node is picked randomly ## 2. When there are few queues, uses their current replica count to pick the node ## with the smallest number of replicas. ## ## Supported non-deprecated values are: "balanced", "client-local" # queue_leader_locator = balanced ## Partition handling strategy. ## Primarily affects deployments that use Mnesia and classic queues. ## Khepri and quorum queues, streams will always use Raft's failure recovery ## strategy. ## # cluster_partition_handling = ignore ## Pauses all nodes on the minority side of a partition. The cluster ## MUST have an odd number of nodes (3, 5, etc) # cluster_partition_handling = pause_minority ## pause_if_all_down strategy require additional configuration # cluster_partition_handling = pause_if_all_down ## Recover strategy. Can be either 'autoheal' or 'ignore' # cluster_partition_handling.pause_if_all_down.recover = ignore ## Node names to check # cluster_partition_handling.pause_if_all_down.nodes.1 = rabbit@localhost # cluster_partition_handling.pause_if_all_down.nodes.2 = hare@localhost ## Make clustering happen *automatically* at startup. Only applied ## to nodes that have just been reset or started for the first time. ## ## Relevant doc guide: https://www.rabbitmq.com/docs//cluster-formation ## # cluster_formation.peer_discovery_backend = rabbit_peer_discovery_classic_config # # cluster_formation.classic_config.nodes.1 = rabbit1@hostname # cluster_formation.classic_config.nodes.2 = rabbit2@hostname # cluster_formation.classic_config.nodes.3 = rabbit3@hostname # cluster_formation.classic_config.nodes.4 = rabbit4@hostname ## DNS-based peer discovery. This backend will list A records ## of the configured hostname and perform reverse lookups for ## the addresses returned. # cluster_formation.peer_discovery_backend = rabbit_peer_discovery_dns # cluster_formation.dns.hostname = discovery.eng.example.local ## This node's type can be configured. If you are not sure ## what node type to use, always use 'disc'. # cluster_formation.node_type = disc ## Interval (in milliseconds) at which we send keepalive messages ## to other cluster members. Note that this is not the same thing ## as net_ticktime; missed keepalive messages will not cause nodes ## to be considered down. ## # cluster_keepalive_interval = 10000 ## ## Statistics Collection ## ## Statistics collection interval (in milliseconds). Increasing ## this will reduce the load on management database. ## # collect_statistics_interval = 5000 ## Fine vs. coarse statistics # # This value is no longer meant to be configured directly. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/management#fine-stats ## ## ## Raft settings ## ## These set the defaults that quorum queues, streams, Khepri, and other Raft-based features use. ## # raft.segment_max_entries = 65536 # raft.wal_max_size_bytes = 1048576 # raft.wal_max_batch_size = 4096 # raft.snapshot_chunk_size = 1000000 ## ## Misc and Advanced Options ## ## NB: Change these only if you understand what you are doing! ## ## To permit or deny a deprecated feature when it is in its ## `permitted_by_default` or `denied_by_default` deprecation phase, the ## default state can be overriden from the configuration. ## ## When a deprecated feature is permitted by default (first phase of the ## deprecation period), it means the feature is available by default and can ## be turned off by setting it to false in the configuration. ## ## When a deprecated feature is denied by default (second phase of the ## deprecation period), it means the feature is unavailable by default but can ## be turned back on by setting it to true in the configuration. ## ## When a deprecated feature is "disconnected" or "removed" (last two phases ## of the deprecation period), it is no longer possible to turn it back on ## from the configuration. ## # deprecated_features.permit.a_deprecated_feature = true # deprecated_features.permit.another_deprecated_feature = false ## Timeout used when waiting for Mnesia tables in a cluster to ## become available. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/clustering#restarting # mnesia_table_loading_retry_timeout = 30000 ## Retries when waiting for Mnesia tables in the cluster startup. Note that ## this setting is not applied to Mnesia upgrades or node deletions. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/clustering#restarting # mnesia_table_loading_retry_limit = 10 ## Size in bytes below which to embed messages in the queue index. ## Relevant doc guide: https://www.rabbitmq.com/docs/persistence-conf ## # queue_index_embed_msgs_below = 4096 ## You can also set this size in memory units ## # queue_index_embed_msgs_below = 4kb ## Whether or not to enable background periodic forced GC runs for all ## Erlang processes on the node in "waiting" state. ## ## Disabling background GC may reduce latency for client operations, ## keeping it enabled may reduce median RAM usage by the binary heap ## (see https://www.erlang-solutions.com/blog/erlang-garbage-collector.html). ## ## Before trying this option, please take a look at the memory ## breakdown (https://www.rabbitmq.com/docs/memory-use). ## # background_gc_enabled = false ## Target (desired) interval (in milliseconds) at which we run background GC. ## The actual interval will vary depending on how long it takes to execute ## the operation (can be higher than this interval). Values less than ## 30000 milliseconds are not recommended. ## # background_gc_target_interval = 60000 ## Whether or not to enable proxy protocol support. ## Once enabled, clients cannot directly connect to the broker ## anymore. They must connect through a load balancer that sends the ## proxy protocol header to the broker at connection time. ## This setting applies only to AMQP clients, other protocols ## like MQTT or STOMP have their own setting to enable proxy protocol. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/networking#proxy-protocol ## # proxy_protocol = false ## Overriden product name and version. ## They are set to "RabbitMQ" and the release version by default. # product.name = RabbitMQ # product.version = 1.2.3 ## "Message of the day" file. ## Its content is used to expand the logged and printed banners. ## Default to /etc/rabbitmq/motd on Unix, %APPDATA%\RabbitMQ\motd.txt ## on Windows. # motd_file = /etc/rabbitmq/motd ## Consumer timeout ## If a message delivered to a consumer has not been acknowledge before this timer ## triggers the channel will be force closed by the broker. This ensure that ## faultly consumers that never ack will not hold on to messages indefinitely. ## # consumer_timeout = 900000 # # Advanced Erlang Networking/Clustering Options # # # Kernel # ## Timeout used to detect peer unavailability, including CLI tools. ## Relevant doc guide: https://www.rabbitmq.com/docs/nettick. ## # net_ticktime = 60 ## Inter-node communication port range. ## The parameters inet_dist_listen_min and inet_dist_listen_max ## can be configured in the classic config format only. ## Relevant doc guide: https://www.rabbitmq.com/docs/networking#epmd-inet-dist-port-range. # # Management # ## Relevant doc guide: https://www.rabbitmq.com/docs/management ## Log all requests to the management HTTP API to a file. ## # management.http_log_dir = /path/to/access.log ## Limits maximum accepted HTTP request body size to 500 KiB. ## The default is 20 MiB. # management.http.max_body_size = 500000 ## HTTP listener and embedded HTTP server (Cowboy) settings # # management.tcp.port = 15672 # management.tcp.ip = 0.0.0.0 # # management.tcp.shutdown_timeout = 7000 # management.tcp.max_keepalive = 120 # management.tcp.idle_timeout = 120 # management.tcp.inactivity_timeout = 120 # management.tcp.request_timeout = 120 # management.tcp.compress = true ## HTTPS listener settings ## ## Relevant doc guides: ## ## * https://www.rabbitmq.com/docs/management ## * https://www.rabbitmq.com/docs/ssl ## # management.ssl.port = 15671 # management.ssl.cacertfile = /path/to/ca_certificate.pem # management.ssl.certfile = /path/to/server_certificate.pem # management.ssl.keyfile = /path/to/server_key.pem ## More TLS options # management.ssl.honor_cipher_order = true # management.ssl.honor_ecc_order = true ## These are highly recommended for TLSv1.2 but cannot be used ## with TLSv1.3. If TLSv1.3 is enabled, these lines MUST be removed. # management.ssl.client_renegotiation = false # management.ssl.secure_renegotiate = true ## Supported TLS versions # management.ssl.versions.1 = tlsv1.2 ## Cipher suites the server is allowed to use # management.ssl.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384 # management.ssl.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384 # management.ssl.ciphers.3 = ECDHE-ECDSA-AES256-SHA384 # management.ssl.ciphers.4 = ECDHE-RSA-AES256-SHA384 # management.ssl.ciphers.5 = ECDH-ECDSA-AES256-GCM-SHA384 # management.ssl.ciphers.6 = ECDH-RSA-AES256-GCM-SHA384 # management.ssl.ciphers.7 = ECDH-ECDSA-AES256-SHA384 # management.ssl.ciphers.8 = ECDH-RSA-AES256-SHA384 # management.ssl.ciphers.9 = DHE-RSA-AES256-GCM-SHA384 ## URL path prefix for HTTP API and management UI # management.path_prefix = /a-prefix ## One of 'basic', 'detailed' or 'none'. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/management#fine-stats # management.rates_mode = basic ## Configure how long aggregated data (such as message rates and queue ## lengths) is retained. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/management#configuration ## Your can use 'minute', 'hour' and 'day' keys or integer key (in seconds) # management.sample_retention_policies.global.minute = 5 # management.sample_retention_policies.global.hour = 60 # management.sample_retention_policies.global.day = 1200 # management.sample_retention_policies.basic.minute = 5 # management.sample_retention_policies.basic.hour = 60 # management.sample_retention_policies.detailed.10 = 5 # # Shovel # ## Relevant doc guides: ## ## * https://www.rabbitmq.com/docs/shovel ## * https://www.rabbitmq.com/docs/shovel-dynamic ## * https://www.rabbitmq.com/docs/shovel-static ## Static shovel configuration examples can be found in advanced.config.example. # # STOMP # ## Relevant doc guide: https://www.rabbitmq.com/docs/stomp ## TCP listeners. ## # stomp.listeners.tcp.1 = 127.0.0.1:61613 # stomp.listeners.tcp.2 = ::1:61613 ## TCP listener settings ## # stomp.tcp_listen_options.backlog = 2048 # stomp.tcp_listen_options.recbuf = 131072 # stomp.tcp_listen_options.sndbuf = 131072 # # stomp.tcp_listen_options.keepalive = true # stomp.tcp_listen_options.nodelay = true # # stomp.tcp_listen_options.exit_on_close = true # stomp.tcp_listen_options.send_timeout = 120000 ## Proxy protocol support ## # stomp.proxy_protocol = false ## TLS listeners ## ## Relevant doc guides: ## ## * https://www.rabbitmq.com/docs/stomp ## * https://www.rabbitmq.com/docs/ssl # stomp.listeners.ssl.default = 61614 # # ssl_options.cacertfile = path/to/cacert.pem # ssl_options.certfile = path/to/cert.pem # ssl_options.keyfile = path/to/key.pem # ssl_options.verify = verify_peer # ssl_options.fail_if_no_peer_cert = true ## Number of Erlang processes that will accept AMQP 0-9-1 and AMQP 1.0 client connections, ## one setting for for the TCP and one for the TLS listeners. ## # stomp.num_acceptors.tcp = 10 # stomp.num_acceptors.ssl = 1 ## Additional TLS options ## Extract a name from the client's certificate when using TLS. ## # stomp.ssl_cert_login = true ## Set a default user name and password. This is used as the default login ## whenever a CONNECT frame omits the login and passcode headers. ## ## Please note that setting this will allow clients to connect without ## authenticating! ## # stomp.default_user = guest # stomp.default_pass = guest ## If a default user is configured, or you have configured use TLS client ## certificate based authentication, you can choose to allow clients to ## omit the CONNECT frame entirely. If set to true, the client is ## automatically connected as the default user or user supplied in the ## TLS certificate whenever the first frame sent on a session is not a ## CONNECT frame. ## # stomp.implicit_connect = true ## Whether or not to enable proxy protocol support. ## Once enabled, clients cannot directly connect to the broker ## anymore. They must connect through a load balancer that sends the ## proxy protocol header to the broker at connection time. ## This setting applies only to STOMP clients, other protocols ## like MQTT or AMQP have their own setting to enable proxy protocol. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/stomp#proxy-protocol ## # stomp.proxy_protocol = false # # MQTT Adapter # ## TCP listener settings. ## # mqtt.listeners.tcp.1 = 127.0.0.1:61613 # mqtt.listeners.tcp.2 = ::1:61613 ## TCP listener options (as per the broker configuration). ## # mqtt.tcp_listen_options.backlog = 4096 # mqtt.tcp_listen_options.recbuf = 131072 # mqtt.tcp_listen_options.sndbuf = 131072 # # mqtt.tcp_listen_options.keepalive = true # mqtt.tcp_listen_options.nodelay = true # # mqtt.tcp_listen_options.exit_on_close = true # mqtt.tcp_listen_options.send_timeout = 120000 ## TLS Listener Settings ## ## Relevant doc guides: ## ## * https://www.rabbitmq.com/docs/mqtt ## * https://www.rabbitmq.com/docs/ssl ## # # mqtt.listeners.ssl.default = 8883 # # ssl_options.cacertfile = /path/to/tls/ca_certificate_bundle.pem # ssl_options.certfile = /path/to/tls/server_certificate.pem # ssl_options.keyfile = /path/to/tls/server_key.pem # ssl_options.verify = verify_peer # ssl_options.fail_if_no_peer_cert = true # ## Number of Erlang processes that will accept connections for the TCP ## and TLS listeners. ## # mqtt.num_acceptors.tcp = 10 # mqtt.num_acceptors.ssl = 10 ## Whether or not to enable proxy protocol support. ## Once enabled, clients cannot directly connect to the broker ## anymore. They must connect through a load balancer that sends the ## proxy protocol header to the broker at connection time. ## This setting applies only to MQTT clients, other protocols ## like STOMP or AMQP have their own setting to enable proxy protocol. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/mqtt#proxy-protocol ## # mqtt.proxy_protocol = false ## Enable anonymous connections. If this is set to false, clients MUST provide ## credentials in order to connect. See also the anonymous_login_user/anonymous_login_pass ## keys. Anonymous connections are highly discouraged! ## # mqtt.allow_anonymous = true ## If you have multiple vhosts, specify the one to which the ## adapter connects. ## # mqtt.vhost = / ## Specify the exchange to which messages from MQTT clients are published. ## # mqtt.exchange = amq.topic ## Define the maximum Session Expiry Interval in seconds allowed by the server. ## 'infinity' means the session does not expire. ## An MQTT 5.0 client can choose a lower value. ## # mqtt.max_session_expiry_interval_seconds = 1800 ## Set the prefetch count (governing the maximum number of unacknowledged ## messages that will be delivered). ## # mqtt.prefetch = 10 ## Sets the durable queue type to be used for QoS 1 subscriptions. ## ## Supported types are: ## ## * classic ## * quorum ## ## IMPORTANT: changing this setting requires all existing queues used by ## the MQTT plugin to be DELETED or clients will fail to subscribe. ## So this setting should be used for new clusters. ## # mqtt.durable_queue_type = classic ## Logging settings. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/logging ## ## Log directory, taken from the RABBITMQ_LOG_BASE env variable by default. ## # log.dir = /var/log/rabbitmq ## Logging to file. Can be false or a filename. ## Default: # log.file = rabbit.log ## To disable logging to a file # log.file = false ## Log level for file logging ## # log.file.level = info ## File rotation config. No rotation by default. ## DO NOT SET rotation date to ''. Leave the value unset if "" is the desired value # log.file.rotation.date = $D0 # log.file.rotation.size = 0 ## Logging to console (can be true or false) ## # log.console = false ## Log level for console logging ## # log.console.level = info ## Logging to the amq.rabbitmq.log exchange (can be true or false) ## # log.exchange = false ## Log level to use when logging to the amq.rabbitmq.log exchange ## # log.exchange.level = info ## File size-based log rotation ## Note that `log.file.rotation.size` cannot be combined with `log.file.rotation.date`, ## the two options are mutually exclusive. ## rotate when the file reaches 10 MiB # log.file.rotation.size = 10485760 ## keep up to 5 archived log files in addition to the current one # log.file.rotation.count = 5 ## compress the archived logs # log.file.rotation.compress = true ## ## Logging: date-based log rotation ## ## Note that `log.file.rotation.date` cannot be combined with `log.file.rotation.size`, ## the two options are mutually exclusive. ## rotate every night at midnight # log.file.rotation.date = $D0 ## keep up to 5 archived log files in addition to the current one # log.file.rotation.count = 5 ## compress the archived logs # log.file.rotation.compress = true # # OAuth 2 # ## Relevant doc guide: https://www.rabbitmq.com/docs/oauth2 ## Enable OAuth 2 as an authentication backend ## # auth_backends.1 = oauth2 ## OAuth 2 resource server identifier. This value must match the 'aud' field ## in JWT tokens presented by clients. ## # auth_oauth2.resource_server_id = rabbitmq ## OAuth 2 provider issuer URL. RabbitMQ will use this to discover ## IDP endpoints, such as JWKS URI for downloading signing keys ## # auth_oauth2.issuer = https://my-oauth2-provider.com/realm/rabbitmq ## JWKS endpoint URL. Optional if issuer is configured. ## This URL MUST use HTTPS, by design. ## # auth_oauth2.jwks_uri = https://my-oauth2-provider.com/jwks.json ## Configure which JWT claims should be used for extracting the username. ## # auth_oauth2.preferred_username_claims.1 = user_name # auth_oauth2.preferred_username_claims.2 = preferred_username ## Configure additional fields to look for scopes in the token ## # auth_oauth2.additional_scopes_key = extra_scope ## Custom scope prefix instead of resource_server_id ## # auth_oauth2.scope_prefix = api:// ## Map custom scopes to RabbitMQ scopes ## # auth_oauth2.scope_aliases.admin = rabbitmq.tag:administrator # auth_oauth2.scope_aliases.developer = rabbitmq.tag:management rabbitmq.read:*/* rabbitmq.write:*/* rabbitmq.configure:*/* ## Disable audience validation (not recommended) ## # auth_oauth2.verify_aud = false ## Enable OAuth 2 in the management UI ## # management.oauth_enabled = true ## Controls OAuth client ID for the management UI ## # management.oauth_client_id = rabbitmq-management ## Allows disable Basic HTTP Authentication. Opt-in to use JWT tokens exclusively. ## # management.oauth_disable_basic_auth = true ## The scopes RabbitMq should claim during the management UI authorization flow. ## Defaults to "openid profile" ## # management.oauth_scopes = openid profile rabbitmq.tag:management ## TLS settings for connecting to OAuth 2 endpoints. ## ## A trusted CA (and intermediary) certificate bundle to use # auth_oauth2.https.cacertfile = /path/to/ca_certificate.pem ## Whether peer certificate chain verification is enabled. # auth_oauth2.https.verify = verify_peer ## Use in environments where certificates use wildcard hostnames (e.g. "*.eng.megacorp.local") # auth_oauth2.https.hostname_verification = wildcard ## Controls the start of the authentication flow. ## ## Defaults to "sp_initiated", which does not require clients to provide ## a token. This is the most standard flow. ## ## "idp_initiated" means that the flow will be initiated by an SSO service ## of sorts and clients must provide a token. # management.oauth_initiated_logon_type = sp_initiated # # LDAP # ## Specify servers to bind to. You *must* set this in order for the plugin ## to work properly. ## # auth_ldap.servers.1 = your-server-name-goes-here ## You can define multiple servers # auth_ldap.servers.2 = your-other-server ## Connect to the LDAP server using TLS ## # auth_ldap.use_ssl = false ## Specify the LDAP port to connect to ## # auth_ldap.port = 389 ## LDAP connection timeout, in milliseconds or 'infinity' ## # auth_ldap.timeout = infinity ## Or a number # auth_ldap.timeout = 500 ## Enable logging of LDAP queries. ## One of ## - false (no logging is performed) ## - true (verbose logging of the logic used by the plugin) ## - network (as true, but additionally logs LDAP network traffic) ## ## Defaults to false. ## # auth_ldap.log = false ## Also can be true or network # auth_ldap.log = true # auth_ldap.log = network ## Client TLS settings for LDAP connections ## ## enables TLS for connections to the LDAP server # auth_ldap.use_ssl = true ## local filesystem path to a CA certificate bundle file # auth_ldap.ssl_options.cacertfile = /path/to/ca_certificate.pem ## local filesystem path to a client certificate file # auth_ldap.ssl_options.certfile = /path/to/client_certfile.pem ## local filesystem path to a client private key file # auth_ldap.ssl_options.keyfile = /path/to/client_key.pem ## Sets Server Name Indication for LDAP connections. ## If an LDAP server host is available via multiple domain names, set this value ## to the preferred domain name target LDAP server # auth_ldap.ssl_options.sni = ldap.identity.eng.megacorp.local ## take wildcards into account when performing hostname verification # auth_ldap.ssl_options.hostname_verification = wildcard ## enables peer certificate chain verification # auth_ldap.ssl_options.verify = verify_peer ## disables peer certificate chain verification # auth_ldap.ssl_options.verify = verify_none ## if target LDAP server does not present a certificate, should the connection be aborted? # auth_ldap.ssl_options.fail_if_no_peer_cert = true ## ## LDAP: Authentication Queries ## ## Pattern to convert the username given through AMQP to a DN before ## binding ## # auth_ldap.user_dn_pattern = cn=${username},ou=People,dc=example,dc=com ## Alternatively, you can convert a username to a Distinguished ## Name via an LDAP lookup after binding. See the documentation for ## full details. ## When converting a username to a dn via a lookup, set these to ## the name of the attribute that represents the user name, and the ## base DN for the lookup query. ## # auth_ldap.dn_lookup_attribute = userPrincipalName # auth_ldap.dn_lookup_base = DC=gopivotal,DC=com ## Controls how to bind for authorisation queries and also to ## retrieve the details of users logging in without presenting a ## password (e.g., SASL EXTERNAL). ## One of ## - as_user (to bind as the authenticated user - requires a password) ## - anon (to bind anonymously) ## - {UserDN, Password} (to bind with a specified user name and password) ## ## Defaults to 'as_user'. ## # auth_ldap.other_bind = as_user ## Or can be more complex: # auth_ldap.other_bind.user_dn = User # auth_ldap.other_bind.password = Password ## If user_dn and password defined - other options is ignored. ## ## LDAP: Limitations ## ## ## LDAP: Authorisation Queries ## ## The LDAP plugin can perform a variety of queries against your ## LDAP server to determine questions of authorisation. ## ## Relevant doc guide: https://www.rabbitmq.com/docs/ldap#authorisation. ## Following configuration should be defined in advanced.config file ## DO NOT UNCOMMENT THESE LINES! ## Set the query to use when determining vhost access ## ## {vhost_access_query, {in_group, ## "ou=${vhost}-users,ou=vhosts,dc=example,dc=com"}}, ## Set the query to use when determining resource (e.g., queue) access ## ## {resource_access_query, {constant, true}}, ## Set queries to determine which tags a user has ## ## {tag_queries, []} # ]}, # -----------------------------