Forum Discussion

Darren_Walker_2's avatar
Darren_Walker_2
Icon for Cirrus rankCirrus
Jul 24, 2018

Proxy Protocol: How to implement via irule

We are trying to implement proxy protocol (for use with RabbitMQ AMQP) and have this irule: when CLIENT_ACCEPTED{ set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TC...
application delivery
iRules
LTM
  • Darren_Walker_2's avatar
    Darren_Walker_2
    Jul 26, 2018

    After restarting the BIGIP we are no longer receiving the operation not supported error.

     

AlexLP_236549's avatar
AlexLP_236549
Icon for Altocumulus rankAltocumulus
Oct 10, 2018

Are you load-balancing AMQP?

 

  • Darren_Walker_2's avatar
    Darren_Walker_2
    Icon for Cirrus rankCirrus
    Oct 10, 2018

    Yes-we are using TLS1.2 on a standard virtual server port 5671. Our rabbitmq.conf has ssl.options specified as well as version TLS1.2. We have it load balancing and working now.

     

  • AlexLP_236549's avatar
    AlexLP_236549
    Icon for Altocumulus rankAltocumulus
    Oct 10, 2018

    Awesome! We are going to upgrade our RabbitMQ server and give that a shot. We will definitely use that tls1.2 info. Appreciate it!

     

    Cheers!

     

  • Darren_Walker_2's avatar
    Darren_Walker_2
    Icon for Cirrus rankCirrus
    Oct 10, 2018

    This is how we configured rabbitmq.conf to get it working:

    listeners.ssl.default = 5671
proxy_protocol = true
ssl_options.cacertfile = /path/to/cacert.pem
ssl_options.certfile = /path/to/cert.pem
ssl_options.keyfile = /path/to/key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.depth = 3
ssl_options.versions.1 = tlsv1.2
auth_mechanisms.1 = PLAIN
auth_mechanisms.2 = AMQPLAIN
auth_mechanisms.3 = EXTERNAL

    On the F5 appliance, create an iRule with the following contents:

    when CLIENT_ACCEPTED {
set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
} 
when SERVER_CONNECTED {TCP::respond $proxyheader}