07. Role: Message Broker (RabbitMQ)

RabbitMQ acts as the primary message broker, using the AMQP, MQTT and WebSocket protocols.

5.1 Package Installation (Apt Quick Start)

Use Team RabbitMQ's official repository to get the latest version and a supported Erlang runtime.

5.1.1 Preparation & GPG Key Import

## Import Team RabbitMQ's signing key
curl -1sLf "https://keys.openpgp.org/vks/v1/by-fingerprint/<RABBITMQ_GPG_FINGERPRINT>" | sudo gpg --dearmor | sudo tee /usr/share/keyrings/com.rabbitmq.team.gpg > /dev/null

5.1.2 Add the Repository (Debian 13 Trixie)

sudo tee /etc/apt/sources.list.d/rabbitmq.list <<EOF
## Modern Erlang/OTP releases
deb [arch=amd64 signed-by=/usr/share/keyrings/com.rabbitmq.team.gpg] https://deb1.rabbitmq.com/rabbitmq-erlang/debian/bookworm bookworm main
deb [arch=amd64 signed-by=/usr/share/keyrings/com.rabbitmq.team.gpg] https://deb2.rabbitmq.com/rabbitmq-erlang/debian/bookworm bookworm main

## Latest RabbitMQ releases
deb [arch=amd64 signed-by=/usr/share/keyrings/com.rabbitmq.team.gpg] https://deb1.rabbitmq.com/rabbitmq-server/debian/trixie trixie main
deb [arch=amd64 signed-by=/usr/share/keyrings/com.rabbitmq.team.gpg] https://deb2.rabbitmq.com/rabbitmq-server/debian/trixie trixie main
EOF

Note: Erlang comes from the bookworm repository because that is the stable, supported runtime base for Trixie.

5.1.3 Installation

## Update package indices
sudo apt-get update -y

## Install Erlang packages
sudo apt-get install -y erlang-base \
    erlang-asn1 erlang-crypto erlang-eldap erlang-ftp erlang-inets \
    erlang-mnesia erlang-os-mon erlang-parsetools erlang-public-key \
    erlang-runtime-tools erlang-snmp erlang-ssl \
    erlang-syntax-tools erlang-tftp erlang-tools erlang-xmerl

## Install rabbitmq-server and its dependencies
sudo apt-get install rabbitmq-server -y --fix-missing

## Enable and start the service
sudo systemctl enable --now rabbitmq-server

5.2 Firewall Rules (UFW)

Service Ports (Public Access):

Per the network policy, the following protocols are opened to the public (0.0.0.0/0).

# AMQP / AMQPS (5672, 5671)
sudo ufw allow 5672/tcp
sudo ufw allow 5671/tcp

# MQTT / MQTTS (1883, 8883)
sudo ufw allow 1883/tcp
sudo ufw allow 8883/tcp

# STOMP / STOMPS (61613, 61614)
sudo ufw allow 61613/tcp
sudo ufw allow 61614/tcp

# SSL Certificate (Certbot Standalone)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Management Console (Restricted):

# HTTP Management (15672) & WebSocket (15675)
# Only allow from the data center or the campus-wide subnet when required
sudo ufw allow from <YOUR_CAMPUS_SUBNET> to any port 15672 proto tcp
sudo ufw allow from <YOUR_CAMPUS_SUBNET> to any port 15675 proto tcp

5.3 RabbitMQ Configuration

File: /etc/rabbitmq/rabbitmq.conf

  • Disable Guest User: make sure the default guest user is deleted or its access is restricted.
  • Management Plugin: restrict which IP ranges can reach the management console.
  • SSL/TLS: use the Certbot certificate to secure client connections.

Example SSL setup with Certbot:

sudo certbot certonly --standalone -d broker.<YOUR_DOMAIN>

Configuration in rabbitmq.conf:

## AMQPS listener; the ssl_options below apply to it (without a listener they have no effect)
listeners.ssl.default = 5671

ssl_options.cacertfile = /etc/letsencrypt/live/broker.<YOUR_DOMAIN>/chain.pem
ssl_options.certfile   = /etc/letsencrypt/live/broker.<YOUR_DOMAIN>/cert.pem
ssl_options.keyfile    = /etc/letsencrypt/live/broker.<YOUR_DOMAIN>/privkey.pem
## the rabbitmq service user must be able to read these files; Certbot creates them root-only
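The following bootstrap script carries out the first two bullets of this section (replace the default guest account with a named administrator, enable only the plugins this role exposes) and lists the listeners so the TLS port from rabbitmq.conf can be checked. It is an added example, not part of this runbook: it assumes rabbitmqctl, rabbitmq-plugins and rabbitmq-diagnostics are on PATH, and ADMIN_USER / ADMIN_PASS are placeholders the operator supplies. With DRY_RUN=1 it prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not part of the runbook): post-install hardening for the broker role.
# Assumes rabbitmqctl, rabbitmq-plugins and rabbitmq-diagnostics are on PATH.
# DRY_RUN=1 prints each command instead of executing it.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    sudo "$@"
  fi
}

# Replace the default guest account with a named administrator.
# $1 = admin user name, $2 = admin password (placeholders supplied by the operator)
harden_users() {
  run rabbitmqctl add_user "$1" "$2"
  run rabbitmqctl set_user_tags "$1" administrator
  run rabbitmqctl set_permissions -p / "$1" ".*" ".*" ".*"
  run rabbitmqctl delete_user guest
}

# Enable the management console plus the MQTT, STOMP and Web MQTT (WebSocket) plugins;
# AMQP needs no plugin.
enable_protocol_plugins() {
  run rabbitmq-plugins enable rabbitmq_management rabbitmq_mqtt rabbitmq_stomp rabbitmq_web_mqtt
}

# Show every listener so the TLS ports configured in rabbitmq.conf can be verified.
show_listeners() {
  run rabbitmq-diagnostics listeners
}

# Runs only when invoked with "apply"; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
  harden_users "${ADMIN_USER:?set ADMIN_USER}" "${ADMIN_PASS:?set ADMIN_PASS}"
  enable_protocol_plugins
  show_listeners
fi
```

Run it as `ADMIN_USER=<name> ADMIN_PASS=<password> sh harden.sh apply` after the service is up; `DRY_RUN=1 sh harden.sh apply` shows what would be executed. Deleting guest is the reliable choice here because the broker listens on public interfaces; the loopback-only restriction RabbitMQ applies to guest by default protects nothing once someone has a shell on the host.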

5.4 CrowdSec Integration

Because RabbitMQ does not yet have an official collection in the Hub, log acquisition has to be configured manually to monitor brute-force attempts.

5.4.1 Log Acquisition Configuration

Create a new file at /etc/crowdsec/acquis.d/rabbitmq.yaml:

source: file
filenames:
  - /var/log/rabbitmq/*.log
labels:
  type: rabbitmq

5.4.2 Apply & Verify

  1. Restart CrowdSec:

    sudo systemctl restart crowdsec

  2. Check log ingestion: make sure CrowdSec is reading the RabbitMQ log file.

    sudo cscli metrics

  3. Debugging (optional): use this command to check how CrowdSec parses a specific log file:

    sudo cscli explain --file /var/log/rabbitmq/rabbit@<hostname>.log --type rabbitmq
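The acquisition file above only makes CrowdSec read the log; without a parser and scenario for the `rabbitmq` type nothing is detected, and `cscli explain` will show the lines passing through unparsed. The script below is an added example, not part of this runbook or of CrowdSec, that extracts the same signal a brute-force scenario would use: refused logins per client IP. It runs over a constructed sample log modelled on RabbitMQ's "Error on AMQP connection ... / PLAIN login refused" messages, where the client IP is on the connection line and the verdict on the following line, both tagged with the same Erlang pid. The exact layout differs between RabbitMQ versions, so check the pattern against your own `/var/log/rabbitmq/rabbit@<hostname>.log` before building a parser on it.

```shell
#!/bin/sh
# Added example (not part of the runbook): count refused AMQP logins per client IP,
# the signal a CrowdSec brute-force scenario for RabbitMQ would trigger on.
# Usage: sh rabbitmq_refused.sh /var/log/rabbitmq/rabbit@<hostname>.log
set -eu

# Constructed sample log (not real traffic), modelled on RabbitMQ's connection error
# messages: the client IP is on the "Error on AMQP connection" line and the verdict on
# the following "login refused" line; both carry the same Erlang pid (<0.N.0>).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2025-01-10 09:12:01.100000+00:00 [info] <0.1100.0> accepting AMQP connection <0.1100.0> (192.0.2.3:40210 -> 10.0.0.5:5672)
2025-01-10 09:12:02.000000+00:00 [error] <0.1201.0> Error on AMQP connection <0.1201.0> (203.0.113.7:51422 -> 10.0.0.5:5672, state: starting):
2025-01-10 09:12:02.000001+00:00 [error] <0.1201.0> PLAIN login refused: user 'admin' - invalid credentials
2025-01-10 09:12:02.500000+00:00 [error] <0.1202.0> Error on AMQP connection <0.1202.0> (203.0.113.7:51423 -> 10.0.0.5:5672, state: starting):
2025-01-10 09:12:02.500001+00:00 [error] <0.1202.0> PLAIN login refused: user 'admin' - invalid credentials
2025-01-10 09:12:03.000000+00:00 [error] <0.1301.0> Error on AMQP connection <0.1301.0> (198.51.100.9:60001 -> 10.0.0.5:5672, state: starting):
2025-01-10 09:12:03.000001+00:00 [error] <0.1301.0> PLAIN login refused: user 'guest' - invalid credentials
2025-01-10 09:12:03.200000+00:00 [error] <0.1203.0> Error on AMQP connection <0.1203.0> (203.0.113.7:51424 -> 10.0.0.5:5672, state: starting):
2025-01-10 09:12:03.200001+00:00 [error] <0.1203.0> PLAIN login refused: user 'root' - invalid credentials
2025-01-10 09:12:03.900000+00:00 [error] <0.1204.0> Error on AMQP connection <0.1204.0> (203.0.113.7:51425 -> 10.0.0.5:5672, state: starting):
2025-01-10 09:12:03.900001+00:00 [error] <0.1204.0> PLAIN login refused: user 'admin' - invalid credentials
EOF

# Print "<failures> <ip>" per client IP, most failures first. $1 = log file.
refused_logins_by_ip() {
  awk '
    # Connection line: extract "(ip:port ->" and remember the ip under the pid in field 4.
    /Error on AMQP connection/ {
      if (match($0, /\([0-9.]+:[0-9]+ ->/)) {
        ip = substr($0, RSTART + 1, RLENGTH - 1)
        sub(/:.*/, "", ip)
        if ($4 ~ /^<[0-9.]+>$/) ip_by_pid[$4] = ip
        last_ip = ip
      }
      next
    }
    # Verdict line: attribute the failure to the pid seen above, else to the latest connection
    # (covers versions that log the continuation line without a pid prefix).
    /login refused/ {
      src = ($4 in ip_by_pid) ? ip_by_pid[$4] : last_ip
      if (src != "") fails[src]++
    }
    END { for (src in fails) print fails[src], src }
  ' "$1" | sort -rn
}

# Print the IPs whose failure count reaches the threshold. $1 = threshold, $2 = log file.
brute_force_sources() {
  refused_logins_by_ip "$2" | awk -v t="$1" '$1 >= t { print $2 }'
}

# With no argument the script analyses the constructed sample; pass a real log path otherwise.
brute_force_sources 3 "${1:-$SAMPLE_LOG}"
```

The pid join matters: counting only the "login refused" lines would give the right total but no source address, and it is the address that a CrowdSec scenario turns into a decision. A threshold of 3 within the log window is the sample's choice; in a real scenario the window and count are tuned to how often legitimate clients mistype credentials.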