# Auth server config

auth_backends.1             = cache

auth_cache.cached_backend   = http
auth_cache.cache_ttl        = 5000

auth_http.user_path         = http://revproxy/api/v1/rmq/user
auth_http.vhost_path        = http://revproxy/api/v1/rmq/vhost
auth_http.resource_path     = http://revproxy/api/v1/rmq/resource
auth_http.topic_path        = http://revproxy/api/v1/rmq/topic

listeners.ssl.default = 5671

# generated with "cat server.crt server.key > server.pem"
# fullchain
ssl_options.cacertfile = /etc/rabbitmq/ssl/rabbit.fullchain.pem 

ssl_options.certfile   = /etc/rabbitmq/ssl/rabbit.crt
ssl_options.keyfile    = /etc/rabbitmq/ssl/rabbit.key

# not very secure
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = false

# for TLS version and cipher
ssl_options.versions.1 = tlsv1.2

# these MUST be disabled if TLSv1.3 is used
ssl_options.honor_cipher_order   = true
ssl_options.honor_ecc_order      = true

# These are highly recommended for TLSv1.2 but cannot be used
# with TLSv1.3. If TLSv1.3 is enabled, these lines MUST be removed.
ssl_options.client_renegotiation = false
ssl_options.secure_renegotiate   = true

ssl_options.ciphers.1  = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2  = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3  = ECDH-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.4  = ECDH-RSA-AES256-GCM-SHA384
ssl_options.ciphers.5  = DHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.6  = DHE-DSS-AES256-GCM-SHA384
ssl_options.ciphers.7  = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.8  = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.9  = ECDH-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.10 = ECDH-RSA-AES128-GCM-SHA256
ssl_options.ciphers.11 = DHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.12 = DHE-DSS-AES128-GCM-SHA256

management.load_definitions = /opt/definitions.json

# For connection events
event_exchange.vhost = devices