
RabbitMQ/oauth2 plugin doesn't pick up http_proxy and cannot fetch required keys #30

@avarf

Description

Describe the bug

We have a stack consisting of:

  • RabbitMQ (RMQ) with rabbitmq_auth_backend_oauth2 plugin enabled that fetches the keys from our Keycloak:
  {rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"rabbitmq">>},
    {key_config, [
      {jwks_url, "${OIDC_BASE_URL}/protocol/openid-connect/certs"}
    ]}
  ]}
  • Data publisher that publishes data via AMQP to RMQ
  • Nginx that exposes an endpoint for STOMP
  • Clients that consume data via STOMP (accessing the RMQ with their JWT tokens)

Everything works in our stack under normal conditions, but when we run the stack behind a corporate proxy we face this issue.

RMQ receives the connections from STOMP clients but it cannot verify the tokens, since it cannot get the key from our Keycloak (because of the proxy it cannot reach out).

We solved this issue for other components of our stack by setting environment variables such as http_proxy, https_proxy and no_proxy.

I passed these variables to the RMQ as below, but it still cannot parse the JWT token:

  broker:
    image: docker.io/broker:latest
    environment:
      OIDC_BASE_URL: "https://my-keycloak.io/auth/realms/my-realm"
      http_proxy: "http://1.1.1.1:8080"
      https_proxy: "http://1.1.1.1:8080"
      no_proxy: "nginx,project_mgr,localhost,127.0.0.1"
      HTTP_PROXY: "http://1.1.1.1:8080"
      HTTPS_PROXY: "http://1.1.1.1:8080"
      NO_PROXY: "nginx,project_mgr,localhost,127.0.0.1"
    ports:
      - "5672:5672"
      - "15672:15672"
      - "15674:15674"
    networks:
      - local-network

RMQ logs:

2024-01-31 14:21:17.102107+00:00 [warn] <0.2042.0> Description: "Authenticity is not established by certificate path validation"
2024-01-31 14:21:17.102107+00:00 [warn] <0.2042.0>      Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"
2024-01-31 14:21:17.102107+00:00 [warn] <0.2042.0> 
2024-01-31 14:21:25.103685+00:00 [warn] <0.2036.0> STOMP login failed for user '': authentication failed
2024-01-31 14:21:25.103845+00:00 [erro] <0.2036.0> STOMP error frame sent:
2024-01-31 14:21:25.103845+00:00 [erro] <0.2036.0> Message: "Bad CONNECT"
2024-01-31 14:21:25.103845+00:00 [erro] <0.2036.0> Detail: "Access refused for user ''\n"
2024-01-31 14:21:25.103845+00:00 [erro] <0.2036.0> Server private detail: none

So what is the solution in this case? I couldn't find much info on how to run RMQ behind a corporate proxy, let alone fetching keys and working with JWTs.

Reproduction steps

  1. Run RabbitMQ behind a proxy such that it can't access Keycloak
  2. Set http_proxy for RMQ
  3. Try to open a connection with the JWT token that you got from Keycloak

Expected behavior

RabbitMQ or the OAuth2 plugin should pick up the http_proxy and no_proxy environment variables and use them to reach Keycloak and fetch the keys.

Additional context

No response
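The following is an added diagnostic script, not part of RabbitMQ or the OAuth2 plugin, for checking from inside the broker container whether the JWKS endpoint is reachable through the same http_proxy/https_proxy/no_proxy variables the compose file sets, with TLS peer verification enabled (the log above shows the plugin running without cacerts). The environment values embedded below are constructed from the report; the proxy selection logic is the conventional no_proxy interpretation and may differ in detail from what any given HTTP client does.

```python
import json
import os
import ssl
import urllib.request
from urllib.parse import urlsplit

# Constructed sample environment mirroring the compose file in the report.
SAMPLE_ENV = {
    "OIDC_BASE_URL": "https://my-keycloak.io/auth/realms/my-realm",
    "http_proxy": "http://1.1.1.1:8080",
    "https_proxy": "http://1.1.1.1:8080",
    "no_proxy": "nginx,project_mgr,localhost,127.0.0.1",
}


def host_bypasses_proxy(host, no_proxy):
    """Common no_proxy rules: '*' matches all, otherwise exact host or domain suffix."""
    host = host.lower()
    for entry in (e.strip().lower() for e in no_proxy.split(",") if e.strip()):
        if entry == "*":
            return True
        entry = entry.lstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def proxy_for(url, env):
    """Return the proxy URL the environment would route this URL through, or None."""
    parts = urlsplit(url)
    no_proxy = env.get("no_proxy") or env.get("NO_PROXY") or ""
    if host_bypasses_proxy(parts.hostname or "", no_proxy):
        return None
    key = parts.scheme.lower() + "_proxy"
    return env.get(key) or env.get(key.upper()) or None


def jwks_url(env):
    """Same JWKS path the plugin's key_config in the report uses."""
    return env["OIDC_BASE_URL"].rstrip("/") + "/protocol/openid-connect/certs"


def fetch_jwks_kids(url, env, cafile=None, timeout=10):
    """Fetch the JWKS via the selected proxy with peer and hostname verification on."""
    proxy = proxy_for(url, env)
    proxies = {"http": proxy, "https": proxy} if proxy else {}  # {} disables env lookup
    ctx = ssl.create_default_context(cafile=cafile)  # verify_peer with a CA bundle
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler(proxies), urllib.request.HTTPSHandler(context=ctx))
    with opener.open(url, timeout=timeout) as resp:
        return [k.get("kid") for k in json.load(resp).get("keys", [])]


if __name__ == "__main__":
    env = dict(os.environ) if "OIDC_BASE_URL" in os.environ else SAMPLE_ENV
    url = jwks_url(env)
    print("JWKS URL:", url, "via proxy:", proxy_for(url, env))
    print("key ids:", fetch_jwks_kids(url, env))
```

Run it with the broker's environment; if the JWKS key ids print, the proxy path and the CA bundle are usable from that container, and the remaining gap is the plugin's own HTTP client configuration.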

Labels: bug (Something isn't working)