Hi,
I have the following HAProxy (v2.0.14) setup:
Application A -> HAProxy A -> HAProxy B -> Application B
Application A and B are deployed on separate EC2 instances in AWS, with HAProxy A
and B deployed as sidecar proxies for the two applications respectively.
Application A is a Java Spring Boot application, and Application B is RabbitMQ
v3.8.x.
The sidecar proxies provide mTLS between the two application endpoints over the
network, with HAProxy B acting as the TLS termination endpoint.
Listed below are the HAProxy configurations deployed on both application EC2
instances:
Application A

    frontend rabbitmq_local_service
        mode tcp
        option tcplog
        bind localhost:9000
        default_backend rabbitmq_remote_service

    backend rabbitmq_remote_service
        mode tcp
        option tcplog
        option tcp-check
        server-template SRV 10 send-proxy ssl crt /etc/haproxy/ssl/cert.pem ca-file /etc/haproxy/ssl/ca.pem verify required check resolvers aws fall 2 rise 2 inter 3
Application B

    frontend rabbitmq_ssl_exposed
        mode tcp
        option tcplog
        bind ip-xxx-xxx-xxx-xxx:9010 accept-proxy ssl crt /etc/haproxy/ssl/cert.pem ca-file /etc/haproxy/ssl/ca.pem verify required
        acl cert_from_trusted_client ssl_c_s_dn(CN) -m reg ^app1-.*$ ^app2-.*$
        use_backend rabbitmq_local_service if cert_from_trusted_client
        default_backend rabbitmq_local_service

    backend rabbitmq_local_service
        mode tcp
        option tcplog
        server default localhost:5672
With the above setup, I was expecting that the actual/source client IP address
associated with the EC2 instance hosting Application A would be forwarded (via
the proxy protocol header) to HAProxy B as part of the AMQP connection initiated
by Application A, and that the actual client IP would be logged as part of the
client connection information in the RabbitMQ log file, by virtue of the
"send-proxy" and "accept-proxy" directives used on the client-side and
server-side HAProxy respectively.
Although no errors are reported in either HAProxy log or in the RabbitMQ log,
the connection information logged by RabbitMQ still indicates 127.0.0.1: as
the client IP instead of the actual/source client IP. A question here is: do I
also need to enable proxy protocol on the RabbitMQ broker? My current
understanding is that this should not be required (I stand to be corrected) ....
I would appreciate it if members of this mailing list could review the above
information and highlight any gaps that might be causing the expected output
not to appear.
Thanks in anticipation.
Regards
Nikhil
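The question turns on what "send-proxy" and "accept-proxy" actually put on the wire and which hop consumes it. As an added example that is not part of the original post and is not HAProxy's or RabbitMQ's code, the Python below encodes and strictly parses a PROXY protocol v1 header and models what a backend logs as the client address. The IP addresses, ports and the function names (build_proxy_v1, parse_proxy_v1, client_ip_seen_by_backend) are constructed for the illustration; the header grammar and the 107-byte limit are from the PROXY protocol specification.

```python
import ipaddress

# PROXY protocol v1 as emitted by HAProxy `send-proxy` and consumed by `accept-proxy`.
# One ASCII line precedes the first application byte:
#   "PROXY <TCP4|TCP6|UNKNOWN> <src_ip> <dst_ip> <src_port> <dst_port>\r\n"
# The whole header, CRLF included, is at most 107 bytes.
MAX_V1_HEADER = 107

# Constructed sample: the AMQP 0-9-1 protocol header a client sends first.
AMQP_HEADER = b"AMQP\x00\x00\x09\x01"


def build_proxy_v1(src_ip, dst_ip, src_port, dst_port):
    """Encode the header a sending proxy prepends to the stream (constructed helper)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address family mismatch")
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range")
    family = "TCP4" if src.version == 4 else "TCP6"
    header = f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")
    if len(header) > MAX_V1_HEADER:
        raise ValueError("header exceeds 107 bytes")
    return header


def parse_proxy_v1(data):
    """Strictly parse a v1 header at the start of `data`.

    Returns ((src_ip, src_port), remaining_payload), or (None, payload) for the
    UNKNOWN family. Raises ValueError when the bytes are not a valid header; a
    receiver must treat that as a protocol error, never as application data.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF within 107 bytes: not a PROXY v1 header")
    line = data[:end]
    if not line.startswith(b"PROXY "):
        raise ValueError("missing PROXY signature")
    fields = line.decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":
        return None, data[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    _, family, src_ip, dst_ip, src_port, dst_port = fields
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    want = 4 if family == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match declared family")
    if not (src_port.isdigit() and dst_port.isdigit()):
        raise ValueError("non-numeric port")
    sport, dport = int(src_port), int(dst_port)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), sport), data[end + 2:]


def is_proxy_v1(data):
    """True when the stream begins with a well-formed v1 header."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


def client_ip_seen_by_backend(peer_ip, first_bytes, parses_proxy_protocol):
    """Model of the address a backend (e.g. a broker) logs for a connection.

    peer_ip is the TCP peer; behind a local sidecar that is 127.0.0.1. Only a
    backend that parses the header learns the original client address. A backend
    that ignores the header logs its TCP peer, and if header bytes were actually
    sent to it they would also break its own protocol negotiation.
    """
    if not parses_proxy_protocol:
        return peer_ip
    addr, _payload = parse_proxy_v1(first_bytes)
    return addr[0] if addr is not None else peer_ip


if __name__ == "__main__":
    # Constructed addresses: the original client and the exposed listener.
    stream = build_proxy_v1("10.0.1.25", "10.0.2.40", 51234, 9010) + AMQP_HEADER
    print(stream[:stream.index(b"\r\n")])
    print("backend ignores header:", client_ip_seen_by_backend("127.0.0.1", stream, False))
    print("backend parses header :", client_ip_seen_by_backend("127.0.0.1", stream, True))
```

In the topology above, the header that HAProxy A adds is consumed by HAProxy B's "accept-proxy" bind; the "server default localhost:5672" line carries no "send-proxy", so nothing is re-emitted toward the broker and RabbitMQ's TCP peer is the local sidecar. Carrying the address one hop further would need both "send-proxy" on that server line and proxy protocol enabled on the broker listener ("proxy_protocol = true" in rabbitmq.conf); a listener configured that way refuses connections that arrive without the header, so it must only be reachable through the sidecar.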