RabbitMQ connection through Nginx

Asked 30/4, 2014 at 23:9 Answered 20/1, 2023 at 18:9

I am trying to setup rabbitmq it can be accessed externally (from non-localhost) through nginx.

nginx-rabbitmq.conf:

server {
    listen       5672;
    server_name  x.x.x.x;
    location / {
        proxy_pass http://localhost:55672/;
    }
}

rabbitmq.conf:

[
 {rabbit,
  [
   {tcp_listeners, [{"127.0.0.1", 55672}]}
  ]
 }
]

By default guest user can only interact from localhost, so we need to create another user with required permissions, like so:

sudo rabbitmqctl add_user my_user my_password
sudo rabbitmqctl set_permissions my_user ".*" ".*" ".*"

However, when I attempt a connection to rabbitmq through pika I get ConnectionClosed exception

import pika
credentials = pika.credentials.PlainCredentials('my_username', 'my_password')
pika.BlockingConnection(
    pika.ConnectionParameters(host=ip_address, port=55672, credentials=credentials)
)

--[raises ConnectionClosed exception]--

If I use the same parameters but change host to localhost and port to 5672 then I connect ok: pika.ConnectionParameters(host=ip_address, port=55672, credentials=credentials)

I have opened port 5672 on the GCE web console, and communication through nginx is happening: nginx access.log file shows

[30/Apr/2014:22:59:41 +0000] "AMQP\x00\x00\x09\x01" 400 172 "-" "-" "-"

Which shows a 400 status code response (bad request).

So by the looks the request fails when going through nginx, but works when we request rabbitmq directly.

Has anyone else had similar problems/got rabbitmq working for external users through nginx? Is there a rabbitmq log file where I can see each request and help further troubleshooting?

Chilli answered 30/4, 2014 at 23:9 Comment(0)

You have configured nginx as an HTTP reverse proxy, however rabbitmq is configured to use the AMQP protocol (see description of tcp_listeners at https://www.rabbitmq.com/configure.html)

In order for nginx to do anything meaningful you will need to reconfigure rabbitmq to use HTTP - for example http://www.rabbitmq.com/web-stomp.html.

Of course, this may have a ripple effect because any clients that are accessing rabbitmq via AMQP must be reconfigured/redesigned to use HTTP.

Theresita answered 1/5, 2014 at 1:3 Comment(4)

thanks. is it possible to configure nginx to use ampq protocol? I tried using proxy_pass ampq://localhost:55672/, but nging complained that url was invalid. – Chilli 1/5, 2014 at 8:40

See nginx.com. It supports HTTP, POP and IMAP by default. There is a list of 3rd party modules but I do not see any for rabbitmq/amqp. – Theresita 1/5, 2014 at 12:11

STOMP it is then, thanks. seems like quite an oversight not being able to do AMQP stuff from an external domain via nginx. someone with C skills should make a module :). – Chilli 1/5, 2014 at 13:25

dont use HTTP with rabbitmq. its limited on message size – Buchbinder 24/10, 2018 at 15:11

Since nginx 1.9 there is stream module for the tcp or udp (not compiled with by default).

I configured my nginx (1.13.3) with ssl stream

stream {
    upstream rabbitmq_backend {
        server rabbitmq.server:5672
    }

    server {
        listen      5671 ssl;

        ssl_protocols           TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers             RC4:HIGH:!aNULL:!MD5;
        ssl_handshake_timeout   30s;

        ssl_certificate       /path/to.crt;
        ssl_certificate_key   /path/to.key;

        proxy_connect_timeout 1s;
        proxy_pass rabbitmq_backend;
    }
}

https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-tcp/

Insufficiency answered 6/7, 2018 at 11:25 Comment(3)

This is really nice and was able to help me! However, is there a way to include this inside your sites-enabled section? (Since normally these files are included in the http {...} block of the config, that does not allow stream {...}? – Bah 4/11, 2018 at 13:3

Works perfectly. I also make some tunning of your configuration gist.github.com/mPanasiewicz/e7ae1c60d13ab34fe57d78f26747f6e6 – Schrecklichkeit 18/5, 2020 at 15:0

Has anyone tried this with letsencrypt ? I am using my certificates from letsencrypt and getting an UNABLE_TO_VERIFY_LEAF_SIGNATURE error. I can confirm that it is proxying correctly, just not with actual ssl. – Merissameristem 22/6, 2020 at 4:5

You have configured nginx as an HTTP reverse proxy, however rabbitmq is configured to use the AMQP protocol (see description of tcp_listeners at https://www.rabbitmq.com/configure.html)

In order for nginx to do anything meaningful you will need to reconfigure rabbitmq to use HTTP - for example http://www.rabbitmq.com/web-stomp.html.

Of course, this may have a ripple effect because any clients that are accessing rabbitmq via AMQP must be reconfigured/redesigned to use HTTP.

Theresita answered 1/5, 2014 at 1:3 Comment(4)

thanks. is it possible to configure nginx to use ampq protocol? I tried using proxy_pass ampq://localhost:55672/, but nging complained that url was invalid. – Chilli 1/5, 2014 at 8:40

See nginx.com. It supports HTTP, POP and IMAP by default. There is a list of 3rd party modules but I do not see any for rabbitmq/amqp. – Theresita 1/5, 2014 at 12:11

STOMP it is then, thanks. seems like quite an oversight not being able to do AMQP stuff from an external domain via nginx. someone with C skills should make a module :). – Chilli 1/5, 2014 at 13:25

dont use HTTP with rabbitmq. its limited on message size – Buchbinder 24/10, 2018 at 15:11

You can try and proxy to tcp, installing a tcp-proxy module for nginx to work with AMQP.

https://github.com/yaoweibin/nginx_tcp_proxy_module

Give it a go.

Deandreadeane answered 9/10, 2014 at 9:14 Comment(0)

Nginx was originally only HTTP server, I also suggest looking into that above referred tcp proxy module, but if you would like to have proven load-balancer which is general TCP reverse proxy (not just HTTP, but can handle any protocol in general), you might consider using HAproxy.

Slant answered 15/4, 2017 at 18:12 Comment(0)

since amqp is on tcp/udp level you need to configure nginx for tcp/udp connection https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer

Kim answered 13/7, 2021 at 20:33 Comment(0)

I might be late to the party, but I am very much sure that my article will surely help a lot of people in the upcoming days.

In the article I have explained how to install Letsencrypt certificate for RabbitMQ Management GUI with NGINX as reverse proxy on Port: 15672 which runs on HTTP protocol.

I have also used the same SSL certificates to power up the RabbitMQ Server that runs on AMQP protocol.

Kindly go through the following article for detailed description:

https://stackcoder.in/posts/install-letsencrypt-ssl-certificate-for-rabbitmq-server-and-rabbitmq-management-tool

NOTE: Don't configure RabbitMQ Server running on port 5672 as a reverse proxy. Even if you do then kindly use NGINX streams. But I highly recommend sticking with adding certificate paths in rabbitmq.conf file as RabbitMQ works on TCP/UDP

Thou answered 20/1, 2023 at 18:9 Comment(0)

Recommended topics

Hot tags