Re: HAProxy proxy protocol

2021-03-28 Thread Lukas Tribus
Double post on Discourse; please refrain from this practice in the future!

https://discourse.haproxy.org/t/haproxy-proxy-protocol/6413/2


Thanks,
Lukas



HAProxy proxy protocol

2021-03-27 Thread Nikhil
Hi,

I have the following HAProxy (v2.0.14) setup:

Application A -> HAProxy A -> HAProxy B -> Application B

Application A & B are deployed on separate EC2 instances in AWS, with HAProxy A
& B deployed as sidecar proxies for the two applications respectively.
Application A is a Java Spring Boot application, and Application B is RabbitMQ
v3.8.x.

The sidecar proxies provide mTLS between the two application endpoints over the
network, with HAProxy B acting as the TLS termination endpoint.

Listed below are the HAProxy configurations deployed on both application EC2
instances:

Application A

frontend rabbitmq_local_service
    mode tcp
    option tcplog
    bind localhost:9000
    default_backend rabbitmq_remote_service

backend rabbitmq_remote_service
    mode tcp
    option tcplog
    option tcp-check
    server-template SRV 10   send-proxy ssl crt /etc/haproxy/ssl/cert.pem ca-file /etc/haproxy/ssl/ca.pem verify required check resolvers aws fall 2 rise 2 inter 3

Application B

frontend rabbitmq_ssl_exposed
    mode tcp
    option tcplog
    bind ip-xxx-xxx-xxx-xxx:9010 accept-proxy ssl crt /etc/haproxy/ssl/cert.pem ca-file /etc/haproxy/ssl/ca.pem verify required
    acl cert_from_trusted_client ssl_c_s_dn(CN) -m reg ^app1-.*$ ^app2-.*$
    use_backend rabbitmq_local_service if cert_from_trusted_client
    default_backend rabbitmq_local_service

backend rabbitmq_local_service
    mode tcp
    option tcplog
    server default localhost:5672


With the above setup, I was expecting that the actual/source client IP address
associated with the EC2 instance hosting Application A would be forwarded (via
the proxy protocol header) to HAProxy B as part of the AMQP connection initiated
by Application A, and that the actual client IP would be logged as part of the
client connection information in the RabbitMQ log file. This is by virtue of the
“send-proxy” and “accept-proxy” directives used on the client-side and
server-side HAProxys respectively.

Although there are no errors reported in either of the HAProxy logs on both
sides or in the RabbitMQ log, the connection information logged in the RabbitMQ
log still indicates 127.0.0.1: as the client IP instead of the
actual/source client IP. A question here is: do I also need to enable the proxy
protocol on the RabbitMQ broker? My current understanding is that this should
not be required (I stand to be corrected) ….

I would appreciate it if the members of this mailing list could review the
above information and highlight any gaps that might be resulting in not getting
the expected output.

Thanks in anticipation.

Regards
Nikhil

Sent from my MacBook Pro
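As an added illustration, not part of the original post and not HAProxy or RabbitMQ code, the following Python models the PROXY protocol v1 header that `send-proxy` emits and `accept-proxy` consumes, and runs the posted three-hop chain through it. The addresses (10.0.1.5, 10.0.2.7), the ephemeral ports and the behaviour of the modelled listeners are constructed assumptions. It shows why the posted configuration logs loopback: HAProxy B's `server default localhost:5672` line carries no `send-proxy`, so the broker can only see HAProxy B's own loopback socket. It also shows what happens once that is fixed with `send-proxy` on that server line and `proxy_protocol = true` in rabbitmq.conf: the header HAProxy B forwards carries the address HAProxy A's frontend saw, which is again 127.0.0.1 because Application A connects to localhost:9000. Finally, it models the two failure modes of a half-configured chain, a PROXY header sent to a listener that does not expect one (the header bytes land in front of the AMQP protocol header and the handshake breaks) and an `accept-proxy` listener that receives no header.

```python
"""PROXY protocol v1 encode/decode plus a model of the posted three-hop chain.

Constructed example (not HAProxy or RabbitMQ code): addresses, ports and the
listener behaviour below are assumptions chosen to mirror the thread's setup.
TLS is omitted; it does not change where the PROXY header sits in the stream.
"""
import ipaddress

CRLF = b"\r\n"
MAX_V1_HEADER = 107                      # v1 header never exceeds 107 bytes
AMQP_PREAMBLE = b"AMQP\x00\x00\x09\x01"  # first bytes an AMQP 0-9-1 client sends

INSTANCE_A_IP = "10.0.1.5"   # assumed: EC2 instance hosting Application A
INSTANCE_B_IP = "10.0.2.7"   # assumed: EC2 instance hosting RabbitMQ
EPHEMERAL = 43210            # assumed ephemeral source port on the first hop


def build_proxy_v1(src_ip, dst_ip, src_port, dst_port):
    """Header that `send-proxy` prepends before any application bytes."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address families differ")
    if not all(0 <= p <= 65535 for p in (src_port, dst_port)):
        raise ValueError("port out of range")
    fam = "TCP4" if src.version == 4 else "TCP6"
    line = f"PROXY {fam} {src} {dst} {src_port} {dst_port}".encode("ascii") + CRLF
    if len(line) > MAX_V1_HEADER:
        raise ValueError("header too long")
    return line


def parse_proxy_v1(data):
    """Split a stream into (header_info, payload).

    header_info is None when no header is present (what a listener without
    accept-proxy sees), a dict with the original addresses otherwise.
    Malformed headers raise: a real accept-proxy listener drops the
    connection rather than guessing.
    """
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.find(CRLF, 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}, data[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    _, fam, src, dst, sport, dport = fields
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if {src_ip.version, dst_ip.version} != {4 if fam == "TCP4" else 6}:
        raise ValueError("address family does not match declared protocol")
    return ({"family": fam, "src": str(src_ip), "dst": str(dst_ip),
             "src_port": int(sport), "dst_port": int(dport)}, data[end + 2:])


def haproxy_hop(incoming, peer_ip, peer_port, local_ip, local_port,
                accept_proxy, send_proxy):
    """One HAProxy instance. peer_*/local_* are what its accepted socket sees.

    accept-proxy replaces them with the header's addresses (and rejects a
    connection that carries no header); send-proxy re-emits whatever this
    hop believes the client address is toward the next hop. Without
    send-proxy the next hop only sees this hop's own socket address.
    """
    if accept_proxy:
        info, payload = parse_proxy_v1(incoming)
        if info is None:
            raise ValueError("accept-proxy listener received no PROXY header")
        if info["family"] != "UNKNOWN":
            peer_ip, peer_port = info["src"], info["src_port"]
            local_ip, local_port = info["dst"], info["dst_port"]
    else:
        payload = incoming  # a stray header would just be bytes in the stream
    out = payload
    if send_proxy:
        out = build_proxy_v1(peer_ip, local_ip, peer_port, local_port) + payload
    return out, (peer_ip, peer_port)


def rabbitmq_accept(incoming, peer_ip, peer_port, proxy_protocol):
    """Broker side: the client address it would log, modelled on rabbitmq.conf
    `proxy_protocol = true/false`. Raises if the stream does not open with
    the AMQP protocol header (the handshake would fail)."""
    payload = incoming
    if proxy_protocol:
        info, payload = parse_proxy_v1(incoming)
        if info is None:
            raise ValueError("proxy_protocol enabled but no PROXY header")
        if info["family"] != "UNKNOWN":
            peer_ip, peer_port = info["src"], info["src_port"]
    if not payload.startswith(AMQP_PREAMBLE):
        raise ValueError("AMQP handshake broken, stream starts with %r" % payload[:6])
    return peer_ip, peer_port


def simulate(a_send_proxy, b_accept_proxy, b_send_proxy, rabbit_proxy_protocol):
    """Run App A -> HAProxy A -> HAProxy B -> RabbitMQ; return what RabbitMQ logs."""
    # Application A connects to localhost:9000, so HAProxy A's peer is loopback.
    to_b, _ = haproxy_hop(AMQP_PREAMBLE, "127.0.0.1", EPHEMERAL, "127.0.0.1", 9000,
                          accept_proxy=False, send_proxy=a_send_proxy)
    # HAProxy A connects across the network; HAProxy B's peer is instance A.
    to_rabbit, _ = haproxy_hop(to_b, INSTANCE_A_IP, EPHEMERAL + 1, INSTANCE_B_IP, 9010,
                               accept_proxy=b_accept_proxy, send_proxy=b_send_proxy)
    # HAProxy B connects to localhost:5672, so the broker's peer is loopback again.
    return rabbitmq_accept(to_rabbit, "127.0.0.1", EPHEMERAL + 2, rabbit_proxy_protocol)


if __name__ == "__main__":
    print("as posted:               ", simulate(True, True, False, False))
    print("B send-proxy + broker on:", simulate(True, True, True, True))
    print("header only from B:      ", simulate(False, False, True, True))
```

Mapping the three scenarios back to the posted configuration: the first is the thread's setup and logs HAProxy B's loopback socket; the second adds `send-proxy` to `server default localhost:5672` and `proxy_protocol = true` on the broker, and logs the loopback address that HAProxy A's `bind localhost:9000` frontend saw; the third drops `send-proxy` on HAProxy A and `accept-proxy` on HAProxy B so that HAProxy B forwards its own socket peer, which is the address of the EC2 instance hosting Application A. Which of the last two is wanted depends on whether the goal is the originating process's address or the originating instance's address; only the third yields the latter with the posted topology.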