Hi, I have the following HAProxy (v2.0.14) setup -
Application A -> HAProxy A -> HAProxy B -> Application B

Application A and B are deployed on separate EC2 instances in AWS, with HAProxy A and B deployed as sidecar proxies for the two applications respectively. Application A is a Java Spring Boot application, and Application B is RabbitMQ v3.8.x. The sidecar proxies provide mTLS between the two application endpoints over the network, with HAProxy B acting as the TLS termination endpoint. Below are the HAProxy configurations deployed on both application EC2 instances.

Application A:

    frontend rabbitmq_local_service
        mode tcp
        option tcplog
        bind localhost:9000
        default_backend rabbitmq_remote_service

    backend rabbitmq_remote_service
        mode tcp
        option tcplog
        option tcp-check
        server-template SRV 10 <rabbitmq srv record> send-proxy ssl crt /etc/haproxy/ssl/cert.pem ca-file /etc/haproxy/ssl/ca.pem verify required check resolvers aws fall 2 rise 2 inter 30000

Application B:

    frontend rabbitmq_ssl_exposed
        mode tcp
        option tcplog
        bind ip-xxx-xxx-xxx-xxx:9010 accept-proxy ssl crt /etc/haproxy/ssl/cert.pem ca-file /etc/haproxy/ssl/ca.pem verify required
        acl cert_from_trusted_client ssl_c_s_dn(CN) -m reg ^app1-.*$ ^app2-.*$
        use_backend rabbitmq_local_service if cert_from_trusted_client
        default_backend rabbitmq_local_service

    backend rabbitmq_local_service
        mode tcp
        option tcplog
        server default localhost:5672

With the above setup, I was expecting that the actual/source client IP address of the EC2 instance hosting Application A would be forwarded (via the proxy protocol header) to HAProxy B as part of the AMQP connection initiated by Application A, and that the actual client IP would be logged as part of the client connection information in the RabbitMQ log file, by virtue of the "send-proxy" and "accept-proxy" directives used on the client-side and server-side HAProxy instances respectively.
Although there are no errors reported in either of the HAProxy logs on both sides or in the RabbitMQ log, the connection information logged in the RabbitMQ log still indicates 127.0.0.1:<ephemeral port> as the client IP instead of the actual/source client IP. One question here is whether I also need to enable proxy protocol on the RabbitMQ broker. My current understanding is that this should not be required (I stand to be corrected). I would appreciate it if the members of this mailing list could review the above information and highlight any gaps that might be resulting in not getting the expected output. Thanks in anticipation.

Regards
Nikhil
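An added example, not part of the original post, to make concrete what each hop in the setup above sees. HAProxy's `send-proxy` prepends a PROXY protocol v1 header to the stream, and `accept-proxy` on a listener consumes that header and replaces the connection's source address with what the header claims. A backend only logs the original client if it receives such a header on its own listener (in this setup, the `server default localhost:5672` line would need `send-proxy` too) and is configured to parse it (for RabbitMQ, `proxy_protocol = true` in rabbitmq.conf). Otherwise it logs the TCP peer of the last hop, which for a local sidecar is 127.0.0.1. The addresses, ports and `logged_client` helper below are constructed for illustration:

```python
"""PROXY protocol v1 parser showing what a listener such as RabbitMQ logs as the
client address, with and without the header that HAProxy's send-proxy emits.
Added example; all addresses and ports are constructed."""
import ipaddress

# Upper bound on a v1 header including CRLF, per HAProxy's proxy-protocol spec.
PROXY_V1_MAX_LEN = 107

# First bytes an AMQP 0-9-1 client sends on a new connection.
AMQP_PROTOCOL_HEADER = b"AMQP\x00\x00\x09\x01"


def build_proxy_v1_header(src_ip, src_port, dst_ip, dst_port):
    """Build the header a proxy configured with send-proxy prepends to the stream."""
    version = ipaddress.ip_address(src_ip).version
    if version != ipaddress.ip_address(dst_ip).version:
        raise ValueError("source and destination address families differ")
    family = "TCP4" if version == 4 else "TCP6"
    return f"PROXY {family} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def parse_proxy_v1_header(data):
    """Split a v1 header off the front of the stream.

    Returns (origin, rest): origin is (src_ip, src_port, dst_ip, dst_port), or
    None when no usable header is present. Malformed headers raise ValueError,
    which an accept-proxy listener treats as grounds to drop the connection."""
    if not data.startswith(b"PROXY "):
        return None, data  # no header: the listener falls back to the socket peer
    end = data.find(b"\r\n", 0, PROXY_V1_MAX_LEN)
    if end == -1:
        raise ValueError("PROXY v1 header not terminated by CRLF within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest  # spec: receiver must use its own socket addresses
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY v1 header: {fields!r}")
    _, family, src_ip, dst_ip, src_port, dst_port = fields
    want = 4 if family == "TCP4" else 6
    for ip in (src_ip, dst_ip):
        if ipaddress.ip_address(ip).version != want:
            raise ValueError(f"address {ip} does not match {family}")
    ports = []
    for port in (src_port, dst_port):
        if not port.isdigit() or not 0 <= int(port) <= 65535:
            raise ValueError(f"bad port {port!r}")
        ports.append(int(port))
    return (src_ip, ports[0], dst_ip, ports[1]), rest


def logged_client(peer, first_bytes, proxy_protocol_enabled):
    """Constructed helper: what a listener records as the client address.

    peer is the TCP peer returned by accept(); first_bytes is the start of the
    stream. With proxy protocol disabled the header is never examined, so the
    peer (the local sidecar, 127.0.0.1) is logged and the raw bytes go straight
    to the protocol handler, which for AMQP would reject a stream starting with
    'PROXY' rather than 'AMQP'."""
    if not proxy_protocol_enabled:
        return peer
    origin, _ = parse_proxy_v1_header(first_bytes)
    if origin is None:
        return peer
    return origin[0], origin[1]


if __name__ == "__main__":
    sidecar_peer = ("127.0.0.1", 51234)  # what RabbitMQ sees from HAProxy B
    header = build_proxy_v1_header("10.0.1.25", 40212, "10.0.2.40", 9010)
    print("no header, proxy protocol off :", logged_client(sidecar_peer, AMQP_PROTOCOL_HEADER, False))
    print("header,    proxy protocol off :", logged_client(sidecar_peer, header + AMQP_PROTOCOL_HEADER, False))
    print("header,    proxy protocol on  :", logged_client(sidecar_peer, header + AMQP_PROTOCOL_HEADER, True))
```

One check worth keeping in mind when enabling `accept-proxy`: the listener trusts whatever the header says, before any TLS handshake, so it should only be reachable from the proxies that are expected to send it (HAProxy's own documentation recommends restricting such listeners by firewall). Here the `verify required` client-certificate check on the bind stops an unauthenticated peer from getting an AMQP session through, but a forged header can still show up as the client address in HAProxy B's log of the failed handshake.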

