
Proxy Protocol: How to implement via irule

We are trying to implement proxy protocol (for use with RabbitMQ AMQP) and have this irule:

when CLIENT_ACCEPTED {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED {
    TCP::respond $proxyheader
}

But keep receiving a logged error: TCL error: /Common/rabbitMQ_proxy_protocol <SERVER_CONNECTED> - Operation not supported (line 1) invoked from within "TCP::respond $proxyheader"

This page below says that TCP::respond is a valid command for SERVER_CONNECTED. Any ideas? https://devcentral.f5.com/wiki/iRules.SERVER_CONNECTED.ashx

0
Comments on this Question
Comment made 26-Jul-2018 by AT 116

What are you trying to accomplish?

0
Comment made 26-Jul-2018 by Darren Walker 226

Load balance RabbitMQ cluster - it requires the proxy protocol when going through the BIGIP

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

After restarting the BIGIP we are no longer receiving the operation not supported error.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Are you load-balancing AMQP?

0
Comments on this Answer
Comment made 10-Oct-2018 by Darren Walker 226

Yes - we are using TLS1.2 on a standard virtual server port 5671. Our rabbitmq.conf has ssl.options specified as well as version TLS1.2. We have it load balancing and working now.

1
Comment made 10-Oct-2018 by AlexLP 121

Awesome! We are going to upgrade our RabbitMQ server and give that a shot. We will definitely use that tls1.2 info. Appreciate it!

Cheers!

1
Comment made 10-Oct-2018 by Darren Walker 226

This is how we configured rabbitmq.conf to get it working:

listeners.ssl.default = 5671
proxy_protocol = true
ssl_options.cacertfile = /path/to/cacert.pem
ssl_options.certfile = /path/to/cert.pem
ssl_options.keyfile = /path/to/key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.depth = 3
ssl_options.versions.1 = tlsv1.2
auth_mechanisms.1 = PLAIN
auth_mechanisms.2 = AMQPLAIN
auth_mechanisms.3 = EXTERNAL

On the F5 appliance, create an iRule with the following contents:

when CLIENT_ACCEPTED {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED {
    TCP::respond $proxyheader
}
0
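
An added example, not part of the thread and not F5 or RabbitMQ code: a Python check for the PROXY protocol v1 line that the iRule above builds, which can be run against captured server-side bytes to confirm the header is well-formed and arrives before the TLS handshake. The function names and sample bytes are constructed for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header the PROXY protocol spec allows, CRLF included

def parse_proxy_v1(data: bytes):
    """Return (info, payload) for data starting with a PROXY v1 header; raise ValueError otherwise."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("no CRLF-terminated header in the first 107 bytes")
    parts = data[:end].decode("ascii").split(" ")
    if parts[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if parts[1:2] == ["UNKNOWN"]:
        return {"family": "UNKNOWN"}, data[end + 2:]
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("expected: PROXY TCP4|TCP6 src dst sport dport")
    family, src, dst, sport, dport = parts[1:]
    addr_cls = ipaddress.IPv4Address if family == "TCP4" else ipaddress.IPv6Address
    for addr in (src, dst):
        if "%" in addr:
            raise ValueError(f"zone/route suffix not allowed: {addr}")
        addr_cls(addr)  # raises ValueError on a malformed or wrong-family address
    for port in (sport, dport):
        if not port.isdigit() or (len(port) > 1 and port[0] == "0") or int(port) > 65535:
            raise ValueError(f"bad port: {port}")
    info = {"family": family, "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport)}
    return info, data[end + 2:]

def is_valid(data: bytes) -> bool:
    """True when data begins with a well-formed v1 header."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False

# Constructed samples using documentation addresses, not captured traffic.
# GOOD ends with the first bytes of a TLS record to show the header precedes the handshake.
GOOD = b"PROXY TCP4 192.0.2.10 198.51.100.20 51234 5671\r\n\x16\x03\x01"
BAD = [
    b"PROXY TCP 192.0.2.10 198.51.100.20 51234 5671\r\n",        # family lacks 4/6
    b"PROXY TCP4 192.0.2.10%1 198.51.100.20 51234 5671\r\n",     # suffix on address
    b"PROXY TCP4 2001:db8::1 198.51.100.20 51234 5671\r\n",      # family mismatch
    b"PROXY TCP4 192.0.2.10 198.51.100.20 51234 5671\n",         # LF only, no CRLF
    b"\x16\x03\x01PROXY TCP4 192.0.2.10 198.51.100.20 1 2\r\n",  # header not first
]
```
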
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Is SSL offloading on the rabbitmq server or the F5?

Thanks.

0