Proxy Protocol: How to implement via irule
We are trying to implement proxy protocol (for use with RabbitMQ AMQP) and have this irule:
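# Build the PROXY protocol v1 line from the client-side connection details
when CLIENT_ACCEPTED {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
# Send the header to the pool member as soon as the server-side connection is up
when SERVER_CONNECTED {
    TCP::respond $proxyheader
}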
But keep receiving a logged error:
TCL error: /Common/rabbitMQ_proxy_protocol - Operation not supported (line 1) invoked from within "TCP::respond $proxyheader"
This page below says that TCP::respond is a valid command for SERVER_CONNECTED. Any ideas?
https://devcentral.f5.com/wiki/iRules.SERVER_CONNECTED.ashx
After restarting the BIGIP we are no longer receiving the operation not supported error.
- AT_6064Nimbostratus
What are you trying to accomplish?
Load balance a RabbitMQ cluster; it requires the proxy protocol when going through the BIGIP
- AlexLP_236549Altocumulus
Are you load-balancing AMQP?
Yes, we are using TLS1.2 on a standard virtual server port 5671. Our rabbitmq.conf has ssl.options specified as well as version TLS1.2. We have it load balancing and working now.
- AlexLP_236549Altocumulus
Awesome! We are going to upgrade our RabbitMQ server and give that a shot. We will definitely use that tls1.2 info. Appreciate it!
Cheers!
This is how we configured rabbitmq.conf to get it working:
listeners.ssl.default = 5671
proxy_protocol = true
ssl_options.cacertfile = /path/to/cacert.pem
ssl_options.certfile = /path/to/cert.pem
ssl_options.keyfile = /path/to/key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.depth = 3
ssl_options.versions.1 = tlsv1.2
auth_mechanisms.1 = PLAIN
auth_mechanisms.2 = AMQPLAIN
auth_mechanisms.3 = EXTERNAL
On the F5 appliance, create an iRule with the following contents:
when CLIENT_ACCEPTED {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED {
    TCP::respond $proxyheader
}
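To check what the iRule above puts on the wire, this added example (not part of the original thread, and not F5 or RabbitMQ code) builds the same PROXY protocol v1 line in Python and parses it strictly, the way a receiver should before trusting the addresses in it. The function names and sample values are assumptions for illustration, and it covers only the TCP4/TCP6 lines the iRule emits, not the spec's UNKNOWN form.

```python
import ipaddress

MAX_V1_LEN = 107  # longest legal v1 line including CRLF, per the PROXY protocol spec


def build_v1_header(src, dst, sport, dport):
    """Mirror the iRule's string: PROXY TCP<4|6> src dst sport dport CRLF."""
    version = ipaddress.ip_address(src).version  # plays the role of [IP::version]
    return f"PROXY TCP{version} {src} {dst} {sport} {dport}\r\n".encode("ascii")


def parse_v1_header(data):
    """Return (src, dst, sport, dport, rest); raise ValueError if malformed."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    parts = data[:end].decode("ascii").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("not a PROXY v1 TCP4/TCP6 line")
    family = int(parts[1][3])
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match the TCP4/TCP6 token")
    ports = []
    for p in parts[4:]:
        # Decimal only, no leading zeros, 0..65535.
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 65535:
            raise ValueError("bad port: %r" % p)
        ports.append(int(p))
    return str(src), str(dst), ports[0], ports[1], data[end + 2:]


# Constructed sample: documentation-range addresses, the thread's port 5671,
# and three placeholder bytes standing in for the client data that follows.
SAMPLE = build_v1_header("192.0.2.10", "198.51.100.5", 50123, 5671) + b"\x16\x03\x03"

if __name__ == "__main__":
    print(parse_v1_header(SAMPLE))
```

The `rest` element is whatever the client sent after the header, which the receiver hands on to its normal protocol handling.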
- Christy_LoveNimbostratus
Is SSL offloading on the rabbitmq server or the F5?
Thanks.