Yes, it can be done. We currently operate just below the thousands of "consumers" who connect to our brokers over the Internet.
As for the insecurity of traffic over the Internet, I do not completely agree:
Exposing a web service is as risky as exposing a broker. In the end, you are never 100% sure that your own code or the underlying application (Apache CXF, web server, application server, database server, message broker) contains no flaws that can pose a security risk. Secondly, HTTP is just TCP traffic, as is ActiveMQ (Stomp or OpenWire protocol).
Thus, you can take all measures to minimize the risk.
We did the following:
User and password required to connect to the broker (ActiveMQ supports a wide range of authentication solutions, and you can download them yourself)
Switch the port to a different number, so discovery is harder
If you have control over consumers, use IP filters in the firewall so that only those IPs can connect to the broker (unfortunately, in our case this was not possible)
Encrypt your messages
We have added application-level authentication using a token. Thus, each message is authenticated in our own application.
-> If all of them are implemented, I think that you are quite safe, and as a bonus you do not need an additional level of web services (if this application needs to be scaled, you will need to scale your web services equally alongside the brokers).
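As an added illustration (not the answer author's own configuration), the activemq.xml fragment below applies the broker-side steps from the list above: mandatory user/password with anonymous access refused and per-group destination permissions, a TLS-only connector on a non-default port, and no plain-text connectors. Steps 3 and 5 live in the firewall and in the application code respectively, so they are not part of this fragment; the user names, passwords, port and keystore path are placeholders to replace.

```xml
<!-- Added example, not from the answer above: a hardened activemq.xml fragment.
     All credentials, the port and the keystore path are placeholders. -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">

  <plugins>
    <!-- Step 1: every connection must authenticate; anonymous access is refused. -->
    <simpleAuthenticationPlugin anonymousAccessAllowed="false">
      <users>
        <authenticationUser username="consumer" password="REPLACE_ME_CONSUMER_PASSWORD" groups="consumers"/>
        <authenticationUser username="producer" password="REPLACE_ME_PRODUCER_PASSWORD" groups="producers"/>
      </users>
    </simpleAuthenticationPlugin>

    <!-- Least privilege: consumers may only read the queue, producers may only write
         (and create) it. Advisory topics need permissions too, or clients fail to connect. -->
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <authorizationEntry queue="orders" read="consumers" write="producers" admin="producers"/>
            <authorizationEntry topic="ActiveMQ.Advisory.>"
                                read="consumers,producers" write="consumers,producers" admin="consumers,producers"/>
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>

  <!-- Step 4: TLS for traffic in transit. broker.ks holds the broker's certificate and key. -->
  <sslContext>
    <sslContext keyStore="file:${activemq.conf}/broker.ks" keyStorePassword="REPLACE_ME_KEYSTORE_PASSWORD"/>
  </sslContext>

  <!-- Step 2: a single TLS connector on a non-default port (48473 is an arbitrary placeholder).
       The default tcp://0.0.0.0:61616 OpenWire connector and the stomp/amqp/mqtt/ws
       connectors are deliberately omitted so no plain-text listener exists. -->
  <transportConnectors>
    <transportConnector name="openwire-ssl" uri="ssl://0.0.0.0:48473"/>
  </transportConnectors>
</broker>
```

If you control the consumers, adding `?transport.needClientAuth=true` to the connector URI and a trustStore to the sslContext turns this into mutual TLS, which complements the firewall IP filtering in step 3.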