Feature Request: Enable SSL Authentication when using Proxy Protocol

[ssuraci]

Following this discussion on rabbitmq-user group, I propose a new feature request that allows SSL Authentication even when using Proxy Protocol. My use case is about MQTT backend but I think the feature request applies to AMQP as well.

I actually have this "standard" setup which works without problems:

MQTT CLIENT (based on PAHO C library, with client certificate) => TLS => RABBITMQ (SSL Based Auth)

RabbitMQ is configured as follows:

[{rabbit,        
           [{proxy_protocol,    false},
            {tcp_listeners,    [5672]},
            {loopback_users, ["guest", "proxyuser"]},
            {ssl_options, [
            {cacertfile, "/etc/rabbitmq/ssl/rabbitmq-ca.mqtt.test.crt"},
            {certfile,   "/etc/rabbitmq/ssl/mqtt.test.crt"},
            {keyfile,    "/etc/rabbitmq/ssl/mqtt.test.key"},
            {verify,     verify_peer},
            {fail_if_no_peer_cert, true}
                ]},
        {auth_backends, [rabbit_auth_backend_internal  ]},
        {reverse_dns_lookup, false}
]},
{rabbitmq_mqtt, [
                  {proxy_protocol,  false},
                  {allow_anonymous,  false},
                  {exchange,         <<"amq.topic">>},
                  {vhost,            <<"mqtt-test">>},
                  {subscription_ttl, 1800000},
                  {prefetch,         10},
                  {ssl_listeners,    [8883]},
                  {tcp_listeners,    [1883]},
                  {tcp_listen_options, [{backlog,   128},
                                        {nodelay,   true}]},
                  {ssl_cert_login, true},
                  {ssl_cert_login_from, common_name}

    ]
}].

Now I would like to use HAProxy as a load balancer to:

• verify client certificate
• terminate TLS connection
• load balance between different rabbitmq instances

In this case the setup is as follows:

RABBITMQ CLIENT (based on PAHO C library, with client certificate) => TLS => HA-PROXY => (PROXY-PROTOCOL, NO TLS) => RABBITMQ

In this setup:

• I enabled proxy_protocol on previous rabbitmq config
• I used this configuration for ha-proxy mqtt backend:

listen mqtt
  bind *:8883 ssl crt /usr/local/etc/haproxy/ssl/mqtt-test.pem ca-file /usr/local/etc/haproxy/ssl/rabbitmq-ca.mqtt-test.crt verify required
  mode tcp
  #Use this to avoid the connection loss when client subscribed for a topic and its idle for sometime
  option clitcpka # For TCP keep-alive
  timeout client 3h #By default TCP keep-alive interval is 2hours in OS kernal, 'cat /proc/sys/net/ipv4/tcp_keepalive_time'
  timeout server 3h #By default TCP keep-alive interval is 2hours in OS kernal
  option tcplog
  balance leastconn
  server rabbitmq_1 rabbitmq_01:1883 send-proxy-v2-ssl-cn
  server rabbitmq_2 rabbitmq_02:1883 send-proxy-v2-ssl-cn

Proxy protocol should correctly forward TLS details to RabbitMQ (thanks to this PR, but it seems that RabbitMQ does not get original client certificate CN (which is sent thanks to send-proxy-v2-ssl-cn configuration, as explained here to be used as SSL login name , infact RabbitMQ complains that:

MQTT login failed: no credentials provided

VerneMQ has an option to use client certificate CN (forwarded by proxy-protocol) as ssl login name.

So it would be nice if also RabbitMQ had a similar feature. That would probably provide a noticeable optimization as SSL handling seems to incur in a sensible performance hit.

From a security point of view, however, that feature could widen the possible attack surface of RabbitMQ as anyone with networking capabilities on ha-proxy host could handcraft a proxy-protocol packet and login to the broker pretending to be any user. Unfortunately, AFAIK proxy-protocol does not have security features, so possible countermeasures should be the hardening of ha-proxy host and properly firewalling the RabbitMQ endpoint.

[michaelklishin]

Proxy protocol simply forwards the real client IP. It does not modify the host clients connect to, nor does it alter the certificate the client may provide.

It's not obvious to me what may be missing. @lhoguin do you know?

[lukebakken]

Sorry, I should have made a note in the issue that I told @ssuraci to create it.

Here's the rabbitmq-users discussion to which he linked to catch up - https://groups.google.com/g/rabbitmq-users/c/2_yyROquQgQ

The TL;DR is that it appears that ranch supports the SSL/TLS extensions to the PROXY protocol but we don't use them. These extensions will add the client certificate's CN to the PROXY header that RabbitMQ could then use to authenticate much in the same manner as with a client certificate.

[michaelklishin]

Added this to #4609