ActiveMQ and NGINX

Question

I can get my head wrapped around ... We have requirement using ActiveMQ hidden behind NGINX proxy, but I have no idea how to set it up.

For the ActiveMQ I've setup different ports for all protocols

<transportConnectors>
        <!-- DOS protection, limit concurrent connections to 1000 and frame size to 100MB -->
        <transportConnector name="openwire" uri="tcp://0.0.0.0:62716?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
        <transportConnector name="amqp" uri="amqp://0.0.0.0:5782?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
        <transportConnector name="stomp" uri="stomp://0.0.0.0:62713?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
        <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1993?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
        <transportConnector name="ws" uri="ws://0.0.0.0:62714?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    </transportConnectors>

And the nginx configuration like this:

server {
  listen *:61616;
  server_name           192.168.210.15;

  index  index.html index.htm index.php;

  access_log            /var/log/nginx/k1.access.log combined;
  error_log             /var/log/nginx/k1.error.log;

  location / {
    proxy_pass            http://localhost:62716;
    proxy_read_timeout    90;
    proxy_connect_timeout 90;
    proxy_redirect        off;
    proxy_method          stream;
    proxy_set_header      Host $host;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header      Proxy "";
  }
}

(same for all other five redefined ports)

I though that this would expose default ports ActiveMQ ports and Nginx would map it to the new definition, but this doesn't work.

For communication, we're using NodeJs library amqp10 in version 3.1.4.

And all the ports are enabled on the server ... if using standard ports without nginx proxy, it works.

Anyone idea what am I missing? Thanks for any thoughts.

Answer 1

You can hide ActiveMq behind nginx proxy, even if you are trying to proxy OpenWire for a AMQP client.

If you are adding your configuration inside http block, its bound to fail.

But get it that, nginx not only supports http, but also tcp block.

If you proxy activemq over tcp, then what happens at http level won't matter and you would still be able to proxy.

Off-course you would lose flexibility that comes along with http.

Open your nginx.conf (at /etc/nginx/nginx.conf). This would have http block, which in turn would have some include statements.

Outside this http block, add another include statement.

$ pwd
/etc/nginx
$ cat nginx.conf | tail -1
include /etc/nginx/tcpconf.d/*;

The include statement is directing nginx to look for additional configurations in directory "/etc/nginx/tcpconf.d/". Add desired configuration in this directory. Let's call it amq_stream.conf.

$ pwd
/etc/nginx/tcpconf.d
$ cat amq_stream.conf
stream {
    upstream amq_server {
        # activemq server
        server <amq-server-ip>:<port like 61616.;
    }

    server {
        listen 61616;
        proxy_pass amq_server;
    }
}

Restart your nginx service.

$ sudo service nginx restart

You are done

Answer 2

Nginx is a HTTP server that is capable of proxying WebSocket and HTTP.

But you are trying to proxy OpenWire for a AMQP client. Which does not work with Nginx or Node.js.

So - if you really need to use Nginx, you need to change client protocol to STOMP or MQTT over WebSocket. Then setup a WebSocket proxy in Nginx.

Nginx-example with TLS. More details at https://www.nginx.com/blog/websocket-nginx/

upstream websocket {
    server amqserver.example.com:62714;
}
server {
    listen 8883 ssl;
    ssl on;
    ssl_certificate /etc/nginx/ssl/certificate.cer;
    ssl_certificate_key /etc/nginx/ssl/key.key;

    location / {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade websocket;
        proxy_set_header Connection upgrade;
        proxy_read_timeout 120s;
    }
}

However, since you have to rewrite all client code, I would rethink the Nginx idea. There are other software and hardware that can front TCP based servers and do TLS termination and whatnot.