
--use-tls incorrectly applied to both AMQP and Management API connections? #15

@falloutphil


Thanks for a very useful package - I found a subtle edge-case bug around HTTP/HTTPS configuration of admin console vs AMQP - see below.

Summary

The --use-tls flag is incorrectly applied to both AMQP and Management API connections, making it impossible to use configurations where AMQP uses SSL but the Management API uses HTTP (a common Docker setup pattern).

Environment

  • mcp-server-rabbitmq version: 2.2.0
  • Python version: 3.11
  • Setup: Docker RabbitMQ with mixed SSL/HTTP configuration
  • OS: Linux (WSL2)

Expected Behavior

The --use-tls flag should only affect AMQP connections (via --port), while Management API connections (via --api-port) should have independent protocol detection or a separate configuration flag.

Actual Behavior

When --use-tls true is set (required for SSL AMQP connections), the Management API connection also tries to use HTTPS instead of HTTP, causing SSL connection errors:

Failed to list exchanges: HTTPSConnectionPool(host='localhost', port=15682): Max retries exceeded with url: /api/exchanges (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:992)')))

Reproduction Steps

Docker RabbitMQ Setup

Our RabbitMQ Docker configuration maps internal SSL/HTTP services to external ports:

  • AMQP SSL: Internal 5671 → External 5681 (SSL/TLS)
  • Management API HTTP: Internal 15672 → External 15682 (HTTP, not HTTPS)
  • Web STOMP SSL: Internal 15673 → External 15683 (SSL/TLS)

Configuration That Fails

mcp-server-rabbitmq --rabbitmq-host localhost --port 5681 --api-port 15682 --username USER --password PASSWORD --use-tls true

Result:

  • ✅ AMQP connection on port 5681 works correctly with SSL
  • ❌ Management API connection on port 15682 fails with SSL error (tries HTTPS on HTTP port)

Manual Verification

Direct API access works perfectly:

$ curl -u USER:PASSWORD http://localhost:15682/api/exchanges
[{"name":"","type":"direct",...}] # Returns data successfully

Root Cause Analysis

In mcp_server_rabbitmq/admin.py, line 12:

def __init__(self, host: str, port: int, username: str, password: str, use_tls: bool):
    self.protocol = "https" if use_tls else "http"  # ← Problem here
    self.base_url = f"{self.protocol}://{host}:{port}/api"

The issue is that use_tls is designed for AMQP connections but is incorrectly used to determine the Management API protocol. These should be independent:

  • AMQP Connection (RabbitMQConnection): Correctly uses use_tls for SSL/TLS
  • Management API (RabbitMQAdmin): Incorrectly uses same use_tls flag for HTTP/HTTPS

Use Case / Why This Matters

This is a common Docker deployment pattern where:

  1. AMQP uses SSL for secure message passing
  2. Management API uses HTTP for admin operations (often behind reverse proxy/firewall)
  3. Different security models for different protocols

Many production Docker setups separate these concerns for security and operational reasons.

Suggested Solutions

Option 1: Add separate flag

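# type=bool would turn any non-empty string (including "false") into True,
# so the value is compared against "true" explicitly.
parser.add_argument("--api-use-tls", type=lambda v: v.strip().lower() == "true", default=None,
                   help="Use TLS/SSL for management API (auto-detect if not specified)")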

Option 2: Auto-detection

Try HTTPS first, fall back to HTTP:

import requests

def __init__(self, host: str, port: int, username: str, password: str, use_tls: bool):
    # Try to auto-detect protocol for management API.
    # Note: the "http" probe sends the Basic credentials in cleartext.
    for protocol in ["https", "http"]:
        try:
            test_url = f"{protocol}://{host}:{port}/api/overview"
            response = requests.get(test_url, auth=(username, password), timeout=5)
            if response.status_code in [200, 401]:  # 401 = auth required but protocol works
                self.protocol = protocol
                break
        except requests.RequestException:
            # Covers SSLError, ConnectionError and timeouts; try the next protocol
            continue
    else:
        # No probe succeeded: fall back to original behavior
        self.protocol = "https" if use_tls else "http"

Option 3: Separate the concerns

Split the use_tls parameter into separate flags at the argument level:

  • --amqp-use-tls for AMQP connections
  • --api-use-tls for Management API connections

Current Workaround

We've created a wrapper script that monkey-patches the RabbitMQAdmin class:

File: scripts/mcp_rabbitmq_wrapper.py

#!/usr/bin/env python3
"""
Wrapper script for mcp-server-rabbitmq that forces HTTP for management API
while allowing SSL for AMQP connections.

This works around the issue where Docker maps SSL AMQP to external non-SSL
but the management API is also non-SSL.
"""
import sys
import os

# Add the mcp-server-rabbitmq package to the path
sys.path.insert(0, '/home/foo/bar/venv/lib/python3.11/site-packages')

# Monkey patch the RabbitMQAdmin class to always use HTTP for management API
from mcp_server_rabbitmq import admin

original_init = admin.RabbitMQAdmin.__init__

def patched_init(self, host: str, port: int, username: str, password: str, use_tls: bool):
    # Force HTTP for management API regardless of use_tls setting
    self.protocol = "http"  # Always HTTP for management API
    self.base_url = f"{self.protocol}://{host}:{port}/api"

    import base64
    self.auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    self.headers = {"Authorization": f"Basic {self.auth}", "Content-Type": "application/json"}

# Apply the patch
admin.RabbitMQAdmin.__init__ = patched_init

# Now import and run the main server
from mcp_server_rabbitmq.server import main

if __name__ == "__main__":
    main()

Usage:

# Instead of using mcp-server-rabbitmq directly:
python scripts/mcp_rabbitmq_wrapper.py --rabbitmq-host localhost --port 5681 --api-port 15682 --username USER --password PASSWORD --use-tls True

This successfully works around the issue by:

  1. Allowing --use-tls True for proper AMQP SSL connections
  2. Forcing HTTP protocol for Management API calls regardless of the TLS flag
  3. Preserving all original functionality

Impact

This bug prevents the MCP server from working with common Docker RabbitMQ configurations that use mixed SSL/HTTP protocols. The workaround demonstrates that both protocols can work simultaneously when configured correctly.

Additional Context

  • Related to issue #X where user had single HTTPS port, but this is different (mixed protocols)
  • The RabbitMQConnection class correctly handles AMQP SSL via use_tls
  • Only the RabbitMQAdmin class has the protocol coupling issue
  • Docker RabbitMQ configurations commonly use this pattern for security/operational separation

Files Affected

  • mcp_server_rabbitmq/admin.py (main issue)
  • mcp_server_rabbitmq/server.py (argument parsing could be enhanced)
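
A sketch of Options 1 and 3 above, added here as an example and not taken from the project's code: the Management API scheme is resolved from its own flag and only inherits `--use-tls` when that flag is absent. The `--api-use-tls` flag, the function names, the `--use-tls` default and the warning text are assumptions for illustration.

```python
import argparse
import ipaddress
from typing import Optional, Tuple


def parse_bool(value: str) -> bool:
    """Strict boolean parser; argparse's type=bool maps "false" to True."""
    v = value.strip().lower()
    if v in ("true", "1", "yes"):
        return True
    if v in ("false", "0", "no"):
        return False
    raise argparse.ArgumentTypeError(f"expected true/false, got {value!r}")


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser()
    p.add_argument("--rabbitmq-host", required=True)
    p.add_argument("--port", type=int, required=True)
    p.add_argument("--api-port", type=int, required=True)
    p.add_argument("--use-tls", type=parse_bool, default=False)  # assumed default
    # Hypothetical flag proposed in the issue, not part of the released CLI.
    # None means "not given": inherit --use-tls so existing setups keep working.
    p.add_argument("--api-use-tls", type=parse_bool, default=None)
    return p


def is_loopback(host: str) -> bool:
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name other than localhost
        return False


def resolve_api(args: argparse.Namespace) -> Tuple[str, Optional[str]]:
    """Return (base_url, warning) for the Management API, independent of AMQP."""
    api_tls = args.use_tls if args.api_use_tls is None else args.api_use_tls
    scheme = "https" if api_tls else "http"
    raw = args.rabbitmq_host
    host = f"[{raw}]" if ":" in raw else raw  # bracket IPv6 literals in URLs
    warning = None
    if not api_tls and not is_loopback(raw):
        # Basic-auth credentials would cross the network unencrypted.
        warning = "Management API credentials will be sent over cleartext HTTP"
    return f"{scheme}://{host}:{args.api_port}/api", warning
```

With the Docker port mapping from the report, `--use-tls true --api-use-tls false` yields an `http://` base URL for port 15682 while AMQP on 5681 keeps TLS.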
