
Clarity required on Proxy Protocol and its effect on configuration settings like peer_cert_as_clientid

Open: markandpathak opened this issue 3 years ago • 1 comment

File: /en_US/admin/cfg.md

Many scenarios require the use of OCSP or a revocation list for TLS client certificates. Since OCSP and CRLs are not supported yet in EMQX, we can put a proxy in front of it, like HAProxy, which can act as an SSL termination point and also handle OCSP or CRLs.

EMQX does support the Proxy Protocol, but what will happen if the Proxy Protocol is enabled and peer_cert_as_clientid = cn is set? In the documentation, I could not find any information on whether EMQX will be able to parse the Common Name of the certificate from the Proxy Protocol, or on how to configure HAProxy properly so that certificate Common Names can be parsed from the Proxy Protocol.

markandpathak, Oct 06 '22 08:10

@markandpathak here is an example of an HAProxy config

listen mqtt-ssl
  # TLS is terminated here; clients must present a certificate signed by ca.pem
  bind *:8883 ssl ca-file /usr/local/etc/haproxy/certs/ca.pem crt /usr/local/etc/haproxy/certs/server-bundle.pem verify required
  mode tcp
  maxconn 50000
  timeout client 600s
  default_backend emqx_cluster

backend emqx_cluster
  mode tcp
  balance source
  timeout server 50s
  timeout check 5000
  # send-proxy-v2-ssl-cn: prepend a PROXY protocol v2 header that carries the
  # client certificate's Common Name in the SSL TLV; check-send-proxy does the
  # same for health checks
  server emqx emqx:1883 check-send-proxy send-proxy-v2-ssl-cn check

and the corresponding EMQX config snippet

listeners {
  tcp {
    default {
      bind = ":1883"
      enabled = true
      # expect a PROXY protocol header from HAProxy on every connection
      proxy_protocol = true
    }
  }
}

mqtt {
  # take the MQTT username from the certificate CN carried in the PROXY header
  peer_cert_as_username = "cn"
}

id, Aug 15 '24 07:08
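To make concrete what the `send-proxy-v2-ssl-cn` option above puts on the wire and what the broker has to read to use the CN, here is an added Python parser for the PROXY protocol v2 header with its SSL TLV and CN sub-TLV (example code written for this page, not EMQX's or HAProxy's implementation); the constants come from the PROXY protocol v2 specification, the `build_sample` header is constructed sample data rather than a capture, and the dict field names are this example's own.

```python
import struct
from typing import Optional

# Constants from the PROXY protocol v2 spec (haproxy doc/proxy-protocol.txt).
PP2_SIGNATURE = b"\x0d\x0a\x0d\x0a\x00\x0d\x0a\x51\x55\x49\x54\x0a"
PP2_TYPE_SSL = 0x20            # TLV with TLS details about the client connection
PP2_SUBTYPE_SSL_CN = 0x22      # sub-TLV: certificate Common Name (what send-proxy-v2-ssl-cn adds)
PP2_CLIENT_SSL = 0x01          # client connected over TLS
PP2_CLIENT_CERT_CONN = 0x02    # client presented a certificate on this connection

def _tlvs(buf: bytes):
    """Walk (type:1, length:2 big-endian, value) records; TLVs and SSL sub-TLVs share this layout."""
    pos = 0
    while pos + 3 <= len(buf):
        t, ln = buf[pos], struct.unpack("!H", buf[pos + 1:pos + 3])[0]
        yield t, buf[pos + 3:pos + 3 + ln]
        pos += 3 + ln

def parse_proxy_v2(data: bytes) -> dict:
    """Parse a v2 PROXY header (TCP over IPv4); return source address, cert state, CN and remaining bytes."""
    if not data.startswith(PP2_SIGNATURE):
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam, ln = struct.unpack("!BBH", data[12:16])
    if ver_cmd != 0x21 or fam != 0x11:          # version 2 / PROXY command, TCP over IPv4
        raise ValueError("unsupported PROXY header")
    body = data[16:16 + ln]
    hdr = {"src": ".".join(map(str, body[0:4])), "src_port": struct.unpack("!H", body[8:10])[0],
           "cert_verified": False, "cn": None, "payload": data[16 + ln:]}  # payload = MQTT CONNECT
    for t, v in _tlvs(body[12:]):               # TLVs follow the 12-byte IPv4 address block
        if t == PP2_TYPE_SSL:
            client, verify = v[0], struct.unpack("!I", v[1:5])[0]
            # verify == 0 means the proxy validated the client certificate chain
            hdr["cert_verified"] = bool(client & PP2_CLIENT_CERT_CONN) and verify == 0
            for st, sv in _tlvs(v[5:]):
                if st == PP2_SUBTYPE_SSL_CN:
                    hdr["cn"] = sv.decode("utf-8")
    return hdr

def build_sample(cn: Optional[str]) -> bytes:
    """Constructed header shaped like HAProxy's send-proxy-v2-ssl-cn output (sample data, not a capture)."""
    sub = b"" if cn is None else struct.pack("!BH", PP2_SUBTYPE_SSL_CN, len(cn)) + cn.encode()
    ssl = struct.pack("!BI", PP2_CLIENT_SSL | PP2_CLIENT_CERT_CONN, 0) + sub   # verify = 0
    body = bytes([10, 0, 0, 5, 10, 0, 0, 9]) + struct.pack("!HH", 51234, 8883)  # src/dst IPs and ports
    body += struct.pack("!BH", PP2_TYPE_SSL, len(ssl)) + ssl
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body + b"\x10\x00"
```

Without the `-ssl-cn` suffix (plain `send-proxy-v2`) the CN sub-TLV is absent and the parser returns `cn = None`, which is the case to test for before relying on `peer_cert_as_username = "cn"`. Because any peer that can reach the `proxy_protocol = true` listener can write such a header itself, that listener should be reachable only from the proxy hosts.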