RabbitMQ .NET client behind proxy

sslay...@googlemail.com

Dec 8, 2016, 4:36:34 AM
to rabbitmq-users
Hi all,

I'm struggling to create a connection to an external AMQP server (which is not under my or my company's control) using a RabbitMQ .NET client behind a proxy.
According to our network security guys, the proxy supports AMQP connections. However, I've got no idea on how to configure my RabbitMQ client to use it...

Can someone please give me a hint?

Best Regards
Steffen

Karl Nilsson

Dec 8, 2016, 4:48:38 AM
to rabbitm...@googlegroups.com
Hi,

What actual problems do you experience? We could do with a bit more details here. 

I would have thought using a proxy should be transparent to the user so you should connect to it like you would any other RabbitMQ endpoint.

Cheers
Karl

--
Karl Nilsson

Staff Software Engineer, Pivotal/RabbitMQ

Michael Klishin

Dec 8, 2016, 4:48:48 AM
to rabbitm...@googlegroups.com
Proxy is not a single entity, there are different kinds of proxies.
With transparent TCP proxies you just need to point the client to the right port
(ask the network security guys, the standard ones are documented: http://www.rabbitmq.com/networking.html).

.NET client specifically supports HTTP proxying over a TcpClient, too, but it’s a relatively rarely used feature
which was contributed without documentation guide updates :/

--
MK

Staff Software Engineer, Pivotal/RabbitMQ


sslay...@googlemail.com

Dec 8, 2016, 5:02:14 AM
to rabbitmq-users
Hi Michael,

thanks for your answer.

Currently, I'm using the following code to connect to the server:

ConnectionFactory conFactory = new ConnectionFactory();
conFactory.HostName = _settings.Server;
conFactory.Port = _settings.Port;
conFactory.UserName = _settings.ActiveCredential.Username;
conFactory.Password = _settings.ActiveCredential.Password;
conFactory.VirtualHost = _settings.VHost;
conFactory.Protocol = Protocols.DefaultProtocol;
conFactory.Ssl.CertPath = _settings.CertificateFilename;
conFactory.Ssl.CertPassphrase = _settings.CertificatePassword;
conFactory.Ssl.AcceptablePolicyErrors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors | System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch;
conFactory.Ssl.Enabled = true;

However, I'm receiving an "endpoint not reachable" when trying to connect to the server like this.
The code at hand works if I have the network guys set up an explicit corporate firewall rule, but our company policy has changed and now forces everyone to use the proxy if it supports the comms protocol (in this case AMQP).

Is there something I have to explicitly add to the code above to have it connect via the proxy?

Best Regards
Steffen

Michael Klishin

Dec 8, 2016, 5:03:39 AM
to rabbitm...@googlegroups.com
Your next steps should be

 * Clarifying with the network security guys what port *exactly* they open
 * Clarifying with them what proxy type they are talking about

sslay...@googlemail.com

Dec 8, 2016, 5:16:33 AM
to rabbitmq-users
Just asked them:

It seems they are running an HTTP proxy listening on port 8080. According to them, AMQP works with it.... Can't believe it though...

Michael Klishin

Dec 8, 2016, 5:26:19 AM
to rabbitm...@googlegroups.com
AMQP 0-9-1 or 1.0 only need TCP, they don’t really care for proxies or support them in a special way.
*Client libraries* may or may not support connections through proxies.

By overriding ITcpClient and SocketFrameFactory you can use HTTP proxy tunnelling.

See https://github.com/rabbitmq/rabbitmq-dotnet-client/blob/master/projects/client/RabbitMQ.Client/src/client/api/ITcpClient.cs,
https://github.com/rabbitmq/rabbitmq-dotnet-client/blob/98567840f2246cb9f8bfba7871d040b91ae0e6e3/projects/client/RabbitMQ.Client/src/client/impl/SocketFrameHandler.cs#L80,
and https://github.com/rabbitmq/rabbitmq-dotnet-client/pull/115 for examples (the latter PR was partially reverted in our
4.0 client).

But it would be easier for everyone if you had a TCP proxy in place (HAProxy, AWS ELB, etc).
They are generally completely transparent to RabbitMQ clients.

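The HTTP CONNECT handshake that HTTP proxy tunnelling relies on, as an added example that is not part of the original thread or of the RabbitMQ .NET client. It uses only .NET base class library types; the class name `HttpConnectTunnel` and its parameters are hypothetical, the proxy is assumed to need no authentication, and wiring the result into the client's `ITcpClient` is not shown.

```csharp
using System;
using System.IO;
using System.Net.Sockets;
using System.Text;

// Hypothetical helper (not RabbitMQ client code): opens a TCP stream to a
// broker through an HTTP proxy by issuing an HTTP CONNECT request.
public static class HttpConnectTunnel
{
    // Returns a TcpClient whose stream is tunnelled to targetHost:targetPort.
    public static TcpClient Open(string proxyHost, int proxyPort,
                                 string targetHost, int targetPort)
    {
        var client = new TcpClient();
        try
        {
            client.Connect(proxyHost, proxyPort);
            NetworkStream stream = client.GetStream();
            stream.ReadTimeout = 10000; // fail instead of hanging on a silent proxy

            string request =
                $"CONNECT {targetHost}:{targetPort} HTTP/1.1\r\n" +
                $"Host: {targetHost}:{targetPort}\r\n\r\n";
            byte[] bytes = Encoding.ASCII.GetBytes(request);
            stream.Write(bytes, 0, bytes.Length);

            // Read byte by byte up to the blank line, so that no bytes sent by
            // the broker after the proxy's reply are consumed here.
            var header = new StringBuilder();
            while (!header.ToString().EndsWith("\r\n\r\n", StringComparison.Ordinal))
            {
                int b = stream.ReadByte();
                if (b < 0) throw new IOException("Proxy closed the connection during CONNECT.");
                if (header.Length > 8192) throw new IOException("Proxy reply too large.");
                header.Append((char)b);
            }

            // Status line looks like "HTTP/1.1 200 Connection established".
            string statusLine = header.ToString().Split('\n')[0].Trim();
            string[] parts = statusLine.Split(' ');
            if (parts.Length < 2 || !parts[1].StartsWith("2", StringComparison.Ordinal))
                throw new IOException("Proxy refused CONNECT: " + statusLine);
            return client; // from here on the stream carries raw AMQP (or TLS)
        }
        catch { client.Close(); throw; }
    }
}
```

A TLS session started on the returned stream is negotiated end to end with the broker, so the client's certificate validation is what detects a proxy that intercepts rather than tunnels.
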
Michael Klishin

Dec 8, 2016, 5:26:57 AM
to rabbitm...@googlegroups.com

sslay...@googlemail.com

Dec 8, 2016, 8:07:38 AM
to rabbitmq-users
Turns out the "working example" was indeed using TunnelingTcpClient. It works, but as I understood, this is merely undocumented and can be considered experimental, and should not be used in a 24/7 production environment. Am I right?

Michael Klishin

Dec 8, 2016, 8:08:53 AM
to rabbitm...@googlegroups.com
It was removed at a later point but the interface is still in place and you can implement it.
This is certainly a novel feature that’s not particularly battle tested. That’s why we recommended
a TCP proxy instead.

sslay...@googlemail.com

Dec 8, 2016, 8:55:34 AM
to rabbitmq-users
Thanks Michael for your help, it's very appreciated :)

I think I'll go for direct firewall rule for the time being.