Secure rabbitmq connections with HAProxy

The goal here is to run a rabbitmq server behind HAProxy and use SSL for connections from the internet to HAProxy. The proxy serves as the endpoint for SSL connections; from there onward, the connection to rabbitmq is without SSL.

Internet <--ssl--> HAProxy <--no-ssl--> rabbitmq (server and admin)

Also, we run rabbitmq here inside a docker container.

Step 1 Installing HAProxy: The following steps should install HAProxy 1.5 on your system, assuming it is some version of Ubuntu.

Step 2 Start rabbitmq: Since Docker Hub already has an image for rabbitmq, we don’t need to install or configure anything and can use the default image from HERE. Boot up the server with “$ docker run -d -p 5672:5672 -p 15672:15672 dockerfile/rabbitmq” and it’s done. Running “$ docker ps” should show the rabbitmq container up and running.

We’ll need the IP address of the running container to route the incoming requests. Running this command should give the IP, where <container_id> is the ID shown by “$ docker ps”: “$ docker inspect <container_id> | grep IPA”

Step 3 HAProxy: I’m using HAProxy version 1.5.9. We’ll first make the setup work without SSL and then introduce the SSL part. The configuration is pretty basic:

line 20: the ‘frontend’ section is named ‘rabbitmq-server’. You can name it anything else.

line 21: HAProxy listens on port 5672 on all interfaces.

line 22: all incoming requests on port 5672 are routed to the backend named “rabbitmq_backend”.

line 26: rabbitmq_backend forwards any requests it receives to the provided address “<container_ip>:5672”. You’ll need to replace “<container_ip>” with the IP address of the rabbitmq container from Step 1.

After placing this file in /etc/haproxy/haproxy.cfg and restarting the server with “$ sudo service haproxy restart”, all incoming connections on port 5672 should be forwarded to the rabbitmq server.

You can check this by doing the following on the console. After the telnet command, press ‘enter’ a few times to see the AMQP message.

Step 4 Enabling SSL for connections to HAProxy: First we need to generate the SSL certificate to be used. Use the following commands to generate a certificate and a key. After that you’ll need a pem file, which is just the certificate and key concatenated into one file.

Once you’ve got the pem file, there’s just a one-line change you need to make to use it in the HAProxy config. Change line 21 from “bind *:5672” to “bind *:5672 ssl crt /etc/haproxy/ssl1/haproxy.pem” and restart the haproxy server.

That’s about it. We now have a secure HAProxy endpoint for incoming rabbitmq requests.

You can enable the rabbitmq management UI in the same way by adding another “frontend” section to listen for incoming requests on port 15672 and a “backend” section to forward those requests to the rabbitmq management UI.
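A configuration along the lines of Steps 3 and 4 plus the management UI sections described above, written as an added example: it is not the author's original file, so the line numbers cited in the text do not apply to it. The `<container_ip>` placeholder, the `rabbitmq-admin` section names, the server labels, the `global` settings and the timeout values are assumptions.

```haproxy
global
    log /dev/log local0
    maxconn 4096
    # Assumed: the haproxy user/group created by the Ubuntu package.
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    tcp            # AMQP is not HTTP, so proxy it as a raw TCP stream
    option  tcplog
    timeout connect 5s
    # AMQP connections are long-lived. Assumed values: keep them well above
    # the client heartbeat interval so idle connections are not dropped.
    timeout client  3h
    timeout server  3h

# SSL ends here: clients speak AMQP over SSL to HAProxy.
frontend rabbitmq-server
    bind *:5672 ssl crt /etc/haproxy/ssl1/haproxy.pem
    default_backend rabbitmq_backend

# This hop is plain AMQP, so it should stay on the Docker bridge or another
# trusted network. Replace <container_ip> with the rabbitmq container's IP.
backend rabbitmq_backend
    server rabbit1 <container_ip>:5672 check

# Management UI: same pattern, but the traffic is HTTP.
frontend rabbitmq-admin
    bind *:15672 ssl crt /etc/haproxy/ssl1/haproxy.pem
    mode http
    option httplog
    default_backend rabbitmq_admin_backend

backend rabbitmq_admin_backend
    mode http
    server rabbit1-admin <container_ip>:15672 check
```

Running “$ haproxy -c -f /etc/haproxy/haproxy.cfg” checks the file for errors before you restart the service. The pem file contains the private key, so it should be readable only by root or the haproxy user.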

PS: For all available HAProxy configuration options, read the docs HERE.
