Configuring F5 LTM to support Proxy Protocol for v3.7.0+

2,119 views
Skip to first unread message

Jared Kauppila

unread,
Mar 12, 2017, 11:05:19 PM3/12/17
to rabbitmq-users

Proxy Protocol is an Internet protocol used to carry connection information from the source requesting the connection to the destination for which the connection was requested. Elastic Load Balancing uses Proxy Protocol version 1, which uses a human-readable header format.

http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html

With the addition of Proxy Protocol in v3.7.0, if you front your RabbitMQ instances with a load balancer technology (F5 LTM, HAProxy, AWS ELB, etc) we can now see the originating client connection information rather than the the appliance information!

GitHub issue: rabbitmq-server#589

To enable this support on an F5 LTM, perform the following steps:

Enable proxy_protocol on your RabbitMQ instances.

{rabbit,[
     {proxy_protocol, true}
]}

On the F5 appliance, create an iRule with the following contents:

when CLIENT_ACCEPTED {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}

when SERVER_CONNECTED {
    TCP::respond $proxyheader
}


https://devcentral.f5.com/codeshare/proxy-protocol-initiator


Apply this iRule to your AMQP Virtual Server(s). Note, this does require a TCP profile to be applied, so a 'Standard' Virtual Server will need to be used.


That's it! You should now see your client connection information!


Without Proxy Protocol enabled

(This IP is within the snat pool on the virtual server)




With Proxy Protocol enabled
(This it the clients actual IP address)


Auto Generated Inline Image 1
Auto Generated Inline Image 2

Michael Klishin

unread,
Mar 13, 2017, 2:11:38 AM3/13/17
to rabbitm...@googlegroups.com
Fantastic, thank you!

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ
Reply all
Reply to author
Forward
0 new messages