Forum Discussion

Darren_Walker_2
Jul 24, 2018

Proxy Protocol: How to implement via irule

We are trying to implement proxy protocol (for use with RabbitMQ AMQP) and have this irule:

when CLIENT_ACCEPTED {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED {
    TCP::respond $proxyheader
}

But keep receiving a logged error:

TCL error: /Common/rabbitMQ_proxy_protocol  - Operation not supported (line 1) invoked from within "TCP::respond $proxyheader"

This page below says that TCP::respond is a valid command for SERVER_CONNECTED. Any ideas?

https://devcentral.f5.com/wiki/iRules.SERVER_CONNECTED.ashx

  • After restarting the BIGIP we are no longer receiving the operation not supported error.

    • Darren_Walker_2

      Yes, we are using TLS1.2 on a standard virtual server port 5671. Our rabbitmq.conf has ssl.options specified as well as version TLS1.2. We have it load balancing and working now.

       

    • AlexLP_236549

      Awesome! We are going to upgrade our RabbitMQ server and give that a shot. We will definitely use that tls1.2 info. Appreciate it!

       

      Cheers!

       

    • Darren_Walker_2

      This is how we configured rabbitmq.conf to get it working:

      listeners.ssl.default = 5671
      proxy_protocol = true
      ssl_options.cacertfile = /path/to/cacert.pem
      ssl_options.certfile = /path/to/cert.pem
      ssl_options.keyfile = /path/to/key.pem
      ssl_options.verify = verify_peer
      ssl_options.fail_if_no_peer_cert = false
      ssl_options.depth = 3
      ssl_options.versions.1 = tlsv1.2
      auth_mechanisms.1 = PLAIN
      auth_mechanisms.2 = AMQPLAIN
      auth_mechanisms.3 = EXTERNAL
      

      On the F5 appliance, create an iRule with the following contents:

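      # Build the PROXY protocol v1 header from the client-side connection details
      when CLIENT_ACCEPTED {
          set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
      }
      # Send the header to the pool member as soon as the server-side connection is up
      when SERVER_CONNECTED {
          TCP::respond $proxyheader
      }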
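
The line built by the iRule's format string is a PROXY protocol version 1 header. The Python parser below is an added example, not part of the thread and not F5 or RabbitMQ code; it checks such a line the way a receiver can before it trusts the client address. The function names and the sample bytes are assumptions constructed for the example.

```python
import ipaddress

MAX_V1_LEN = 107  # longest valid v1 header line, CRLF included (PROXY protocol spec)

# Constructed sample: the line the iRule format string yields for an IPv4 client,
# followed by the first bytes of a TLS record (the listener is TLS on 5671).
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 5671\r\n" + b"\x16\x03\x01\x02\x00"

class ProxyHeaderError(ValueError):
    """The bytes do not start with a well-formed PROXY v1 header."""

def parse_proxy_v1(data: bytes):
    """Return (info, rest); info is None for 'PROXY UNKNOWN', rest is the payload."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("header is not ASCII") from None
    rest = data[end + 2:]
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None, rest  # sender could not describe the connection
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("bad protocol token or field count")
    family = 4 if fields[1] == "TCP4" else 6
    try:
        src, dst = (ipaddress.ip_address(a) for a in fields[2:4])
    except ValueError:
        raise ProxyHeaderError("bad address") from None
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family does not match protocol token")
    ports = []
    for p in fields[4:6]:
        # Decimal, no leading zeros, 0..65535.
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 65535:
            raise ProxyHeaderError("bad port")
        ports.append(int(p))
    return {"src": str(src), "dst": str(dst), "sport": ports[0], "dport": ports[1]}, rest

def is_valid(data: bytes) -> bool:
    """True if data starts with a well-formed v1 header."""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyHeaderError:
        return False
```

A receiver should honour the header only on connections that arrive from the load balancer's own addresses, because any client that can reach the listener directly can write a header of its own.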