Support for PROXY protocol (ELB, HAproxy, etc) #589
Comments
|
From what I see in the docs, it would require client library modifications. I'm afraid we can't do it for every client library and every protocol we support. |
|
@michaelklishin It doesn't require any client library modifications, it's only server side in the communication between loadbalancer -> backend, the client -> loadbalancer connection doesn't include any modification in how the connection works. It would prevent a client from directly connecting to the server, although you could delegate how the connection is handled based on the actual source IP of the connection, configure |
|
It should be a server option, eg. |
|
Yes, no client lib modification is required, this is a server-side-only thing. http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt The server has to be configured to be behind a proxy and then accept the PROXY protocol, otherwise the IP could be spoofed, if any client could connect. From the spec: (And this is not ELB only, HAProxy, Nginx, Stunnel, Stud etc all implement the PROXY protocol) |
|
Has there been anymore discussion about this feature? I think this would be really useful for those of us running Rabbits behind any kind of proxy. |
|
@williamsandrew not on our team. I trust @carlhoerberg's judgement that no client modifications will be necessary. We will consider this for |
michaelklishin
changed the title
WIP References rabbitmq/rabbitmq-server#589
|
We have a working prototype, looks like this can go into |
|
We have contributed a couple of fixes upstream and they were accepted, this is approaching the finish line. |
|
PRs for AMQP 0-9-1, MQTT, STOMP are merged. AMQP 1.0 is left to be done. |
Fixes #44 References rabbitmq/rabbitmq-server#589
Set copyright year to 2017, add rabbit_ct_helpers:testcase_started() call. References #589
Add call to rabbit_ct_helpers:testcase_started. References rabbitmq/rabbitmq-server#589
Add license header, add call to rabbit_ct_helpers:testcase_started. References rabbitmq/rabbitmq-server#589
|
I am not skilled with the proxy protocol. Will this work with F5 LTM (local traffic manager, a.k.a. the load balancer/IP-sprayer)? |
|
@uvzubovs At a preliminary glance it looks like you can use an iRule on the Virtual Server to implement Proxy Protocol v1; but there isn't anything baked into the appliance to enable the functionality. |
|
At this point the Proxy Protocol is supported by enough popular vendors/projects (from HAproxy and Nginx to AWS ELB) that it's on F5 to add support to their products. @jakauppila thank you, your input is very helpful as always. May I ask you to share a small example, either here or on rabbitmq-users? :) I'd happily add a note for F5 users to our docs. |
|
How would this work with client auth SSL? Proxy needs to terminate SSL to add client info to the connect frame, but it does not have client's SSL cert when connecting to Rabbit; it will present it's own. Will Rabbit's client auth SSL logic be updated to recognize certain client SSL cert as that of a proxy, and so then get the true client SSL cert name from the client info in the connect frame? |
|
Not all proxies terminate TLS. This protocol sends a bit of data before any other protocol-specific data, at that point TLS upgrade has been completed. The protocol only relays some basic client information such as the real IP address. No certificate information is exchanged and the goal of this issue is to only obtain the real IP address, nothing else. |
This is a feature request to add support for ELB proxy protocol
Last year there were few people who expressed interest in this feature.
https://groups.google.com/forum/#!searchin/rabbitmq-users/ELB$20proxy$20protocol/rabbitmq-users/bZbPDrTrnoc/6JcsR3VxC4oJ
More about ELB Proxy Protocol
http://aws.amazon.com/about-aws/whats-new/2013/07/30/elastic-load-balancing-now-supports-proxy-protocol/
Thanks & regards
m
The text was updated successfully, but these errors were encountered: