E
E
emashev2019-09-19 20:18:56
Python
emashev, 2019-09-19 20:18:56

How to connect to rabbitmq behind ssl proxy?

Greetings, there are 3 nodes with rabbitmq, the documentation describes the possibility of terminating ssl.

Use a proxy or load balancer (such as HAproxy) to perform TLS termination of client connections and use plain TCP connections to RabbitMQ nodes.

I created a self-signed certificate and a tcp proxy for connections not only to haproxy, but to nginx.
stream {

    upstream rabbitmq {
        server rabbit01:5672;
        server rabbit02:5672;
        server rabbit03:5672;
    }

        server {
        listen        25672 ssl;
        proxy_pass    rabbitmq;
        ssl_certificate        /etc/nginx/ssl/rabbitmq/server.crt;
        ssl_certificate_key    /etc/nginx/ssl/rabbitmq/server.key;
        ssl_session_cache shared:SSL1:10m;
        ssl_session_timeout 4h;
    }

}

I found an example on gihab how to connect via python.
If you proxy without ssl, then it connects, with ssl - no.
I don't understand well enough how rabbit connects via ssl. Should the client know about certificates?
Or is it enough to specify a line somewhere that this is an ssl connection?
An example of an error if you climb on an ssl proxy through a python script, where ssl is not specified.
It can be seen that the client does not understand the protocol.
C:\Python>C:\Python\Python37-32\python.exe C:\python\mq-send.py
INFO       2019-09-19 18:08:54,277 __main__                       connect                              32  : Connecting to: amqp://admin:admin@rabbit.proxy01.int:25672/
INFO       2019-09-19 18:08:54,308 pika.adapters.utils.connection_workflow start                                179 : Pika version 1.1.0 connecting to ('172.16.1.6', 25672)
INFO       2019-09-19 18:08:54,324 pika.adapters.utils.io_services_utils _on_writable                         345 : Socket connected: <socket.socket fd=636, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('10.168.1.124', 58513), raddr=('172.16.1.6', 25672)>
INFO       2019-09-19 18:08:54,324 pika.adapters.utils.connection_workflow _on_transport_establishment_done     428 : Streaming transport linked up: (<pika.adapters.utils.io_services_utils._AsyncPlaintextTransport object at 0x03294770>, _StreamingProtocolShim: <SelectConnection PROTOCOL transport=<pika.adapters.utils.io_services_utils._AsyncPlaintextTransport object at 0x03294770> params=<URLParameters host=rabbit.proxy01.int port=25672 virtual_host=/ ssl=False>>).
ERROR      2019-09-19 18:08:54,324 pika.adapters.utils.io_services_utils _consume                             796 : Socket EOF; <socket.socket fd=636, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('10.168.1.124', 58513), raddr=('172.16.1.6', 25672)>
ERROR      2019-09-19 18:08:54,324 pika.adapters.base_connection  _proto_eof_received                  445 : Transport indicated EOF.
INFO       2019-09-19 18:08:54,324 pika.adapters.utils.io_services_utils _on_socket_readable                  1058: protocol.eof_received() elected to close: <socket.socket fd=636, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('10.168.1.124', 58513), raddr=('172.16.1.6', 25672)>
INFO       2019-09-19 18:08:54,324 pika.adapters.utils.io_services_utils _initiate_abort                      907 : _AsyncTransportBase._initate_abort(): Initiating abrupt asynchronous transport shutdown: state=1; error=None; <socket.socket fd=636, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('10.168.1.124', 58513), raddr=('172.16.1.6', 25672)>
INFO       2019-09-19 18:08:54,339 pika.adapters.utils.io_services_utils _deactivate                          870 : Deactivating transport: state=1; <socket.socket fd=636, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('10.168.1.124', 58513), raddr=('172.16.1.6', 25672)>
ERROR      2019-09-19 18:08:54,339 pika.adapters.base_connection  _proto_connection_lost               429 : connection_lost: StreamLostError: ('Transport indicated EOF',)
INFO       2019-09-19 18:08:54,339 pika.connection                _on_stream_terminated                1999: AMQP stack terminated, failed to connect, or aborted: opened=False, error-arg=StreamLostError: ('Transport indicated EOF',); pending-error=None
ERROR      2019-09-19 18:08:54,339 pika.connection                _on_stream_terminated                2027: Probably incompatible Protocol Versions
INFO       2019-09-19 18:08:54,339 pika.connection                _on_stream_terminated                2061: Connection setup terminated due to IncompatibleProtocolError: The protocol returned by the server is not supported: ("StreamLostError: ('Transport indicated EOF',)",)
ERROR      2019-09-19 18:08:54,339 pika.adapters.utils.connection_workflow _report_completion_and_cleanup       291 : AMQPConnector - reporting failure: AMQPConnectorAMQPHandshakeError: IncompatibleProtocolError: The protocol returned by the server is not supported: ("StreamLostError: ('Transport indicated EOF',)",)
ERROR      2019-09-19 18:08:54,339 pika.adapters.utils.connection_workflow _start_new_cycle_async               746 : AMQP connection workflow failed: AMQPConnectionWorkflowFailed: 1 exceptions in all; last exception - AMQPConnectorAMQPHandshakeError: IncompatibleProtocolError: The protocol returned by the server is not supported: ("StreamLostError: ('Transport indicated EOF',)",); first exception - None.
ERROR      2019-09-19 18:08:54,355 pika.adapters.utils.connection_workflow _report_completion_and_cleanup       723 : AMQPConnectionWorkflow - reporting failure: AMQPConnectionWorkflowFailed: 1 exceptions in all; last exception - AMQPConnectorAMQPHandshakeError: IncompatibleProtocolError: The protocol returned by the server is not supported: ("StreamLostError: ('Transport indicated EOF',)",); first exception - None
INFO       2019-09-19 18:08:54,355 pika.adapters.utils.io_services_utils _close_and_finalize                  883 : Closing transport socket and unlinking: state=3; <socket.socket fd=636, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('10.168.1.124', 58513), raddr=('172.16.1.6', 25672)>
ERROR      2019-09-19 18:08:54,355 pika.adapters.blocking_connection _create_connection                   449 : Connection workflow failed: AMQPConnectionWorkflowFailed: 1 exceptions in all; last exception - AMQPConnectorAMQPHandshakeError: IncompatibleProtocolError: The protocol returned by the server is not supported: ("StreamLostError: ('Transport indicated EOF',)",); first exception - None
ERROR      2019-09-19 18:08:54,355 pika.adapters.blocking_connection _create_connection                   456 : Error in _create_connection().

Here is the script I found - with ssl support:
https://help.compose.com/docs/python-and-rabbitmq
#!/usr/bin/env python
import pika
import sys
import ssl

# connection string and initialization
parameters = pika.URLParameters('amqps://admin:[email protected]:25672/')
parameters.ssl = True
parameters.ssl_options = dict(ssl_version=ssl.PROTOCOL_TLSv1_2)


connection = pika.BlockingConnection(parameters)
channel = connection.channel()
connection = pika.BlockingConnection(parameters)
channel = connection.channel()

message='This is not a message, this is a pythonic tribute to a message'
my_routing_key='tributes'
exchange_name='postal'

channel.exchange_declare(exchange=exchange_name,
                         exchange_type='direct',
                         durable=True)


channel.basic_publish(exchange=exchange_name,
                      routing_key=my_routing_key,
                      body=message)

channel.close()
connection.close()

But it doesn't work.
File "C:\python\mq-send.py", line 8, in
parameters.ssl = True
AttributeError: 'URLParameters' object has no attribute 'ssl'

How is it possible to connect to rabbitmq via ssl using termination?

Answer the question

In order to leave comments, you need to log in

1 answer(s)
S
Sergey, 2019-09-19
@emashev

I believe that the last error is simply related to the difference in Pika versions, try to specify all the parameters for `pika.URLParameters` through the string and do not modify `parameters` manually after.
About certificates: if you just need a TLS connection, then the client should not need certificates, but if the authenticity of the server (and client) is determined by certificates, then in this case the client needs them. Example from documentation .

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question