Cannot view Real IP while using a Proxy and rabbitmq_auth_backend_http

[fdestefano]

Is your feature request related to a problem? Please describe.

Currently if you use rabbitmq_auth_backend_http, you will only receive the IP of the Proxy/LB(HAProxy in my case). There are no other params or Headers that can be used to view the Real IP.
Plugin does not mention the ability to do with a proxy.
If not this is not possible, is there a way that the Real IP can be used in the authentication process?

Describe the solution you'd like

Be able to view Real IP if the proxy protocol is enabled.

Describe alternatives you've considered

No response

Additional context

No response

[michaelklishin]

@fdestefano you will need to use a Proxy Protocol-enabled proxy and make your HTTP apps support it.

You cannot make Proxy Protocol support optional, once enabled, all clients (proxies) must use it or such requests should be rejected per protocol spec.

I cannot think of anything around Proxy Protocol that the plugin should support. If you can think of something, please go ahead and investigate what it would take to implement that. This won't be a priority for our team any time soon.

[fdestefano]

For clarification, HAProxy has been setup to use Proxy-protocol. The console works fine. I am also seeing the correct IP. Would the backend service I am using to authenticate need to support proxy-protocol also?

[michaelklishin]

@fdestefano that's sort of the point. The service clients connect to via a compatible proxy must support the same protocol, just like RabbitMQ does for proxied client connections.

[fdestefano]

I am not seeing any of the PROXY headers being passed to the backend service while using the rabbitmq_auth_backend_http
Here is an example of the query url and the req/resp headers

/auth/vhost query parameters: /auth/vhost?username=abc-123465&vhost=abc&ip=%3A%3Affff%3A10.1.224.12&tags=
map[Connection:[keep-alive] Content-Length:[0] Host:[rabbitmq-auth-go-svc:80] Te:[]]
map[Content-Type:[text/plain; charset=utf-8]]

The IP 10.1.224.12 is the given loadbalancer private address and not the client.

[lukebakken]

I've kept an eye on this discussion, but haven't chimed in yet. Just so I understand -

• You have your client applications configured to use proxy protocol, and you have enabled it in RabbitMQ.
• You have configured HAProxy to use proxy protocol.
• When a client application connects to RabbitMQ, you see the client's IP in the log file, not the load balancer (please confirm this!)

The best way to continue is for you to help us - provide a git repository containing a docker compose (or similar project) that sets up an environment the same way as yours - client app, proxy, RabbitMQ, and HTTP auth backend. That would save me hours of work that I could be using to look into this issue.

My guess is that RabbitMQ does not have support for this, but it may be relatively easy to add.

[fdestefano]

I will work on getting a repo that you can see a similar infra.

• From my understanding here, clients do not need any changes.
• I do have send-proxy set up on all of the backend nodes.
• Yes, I have can confirm that I am seeing the correct IP in the rabbitmq logs.

[fdestefano]

I finally able to continue with this and I am not seeing proxy protocol headers being sent to the authing service.
This is from that service.

2025/07/29 22:48:07 [DEBUG] New connection from: x.x.x.x:53514
2025/07/29 22:48:07 [DEBUG] Connection is PROXY protocol wrapped
2025/07/29 22:48:07 [DEBUG] PROXY protocol connection but no header found

I expect to seeing something like PROXY TCP4 <client-ip> <proxy-ip> 59142 5672 but i am not seeing it.

[michaelklishin]

The plugin acts as a straightforward HTTP client that can use GET or POST methods, and contact a known number of endpoints.

When traffic that goes over a Proxy protocol-enabled proxy, TCP (including HTTP) clients do not need any additional configuration. The proxy does all the relevant work.

RabbitMQ Core Team will not debug your networking or proxy setup for you. Our Community Support Policy states that clearly.

The plugin and several example services are all open source, you can see
exactly what the HTTP client does even without a traffic capture.

Please take it from here.

[lukebakken]

I am not seeing proxy protocol headers being sent to the authing service

Right, I doubt they would be, because you're probably the first person ever to try to use proxy protocol with the HTTP auth backend, and expect client IP to be exposed via the HTTP auth backend.

My comment here still stands. I'm sure this can be implemented.