rabbitmq / rabbitmq-oauth2-tutorial

Explore integration of RabbitMQ with Oauth 2.0 auth backend plugin

RabbitMQ/oauth2 plugin doesn't pick up http_proxy and cannot fetch required keys #30

Closed avarf closed 9 months ago

avarf commented 9 months ago

Describe the bug

We have a stack consisting of:

Everything works in our stack under normal conditions, but when we run the stack behind a corporate proxy we face this issue.

RMQ receives the connections from STOMP clients, but it cannot verify the tokens since it cannot get the key from our Keycloak (because of the proxy it cannot reach out).

We solved this issue for other components of our stack by setting environment variables such as http_proxy, https_proxy and no_proxy.

I passed these variables to the RMQ as below, but it still cannot parse the JWT token:

  broker:
    image: docker.io/broker:latest
    environment:
      OIDC_BASE_URL: "https://my-keycloak.io/auth/realms/my-realm"
      http_proxy: "http://1.1.1.1:8080"
      https_proxy: "http://1.1.1.1:8080"
      no_proxy: "nginx,project_mgr,localhost,127.0.0.1"
      HTTP_PROXY: "http://1.1.1.1:8080"
      HTTPS_PROXY: "http://1.1.1.1:8080"
      NO_PROXY: "nginx,project_mgr,localhost,127.0.0.1"
    ports:
      - "5672:5672"
      - "15672:15672"
      - "15674:15674"
    networks:
      - local-network

RMQ logs:

2024-01-31 14:21:17.102107+00:00 [warn] <0.2042.0> Description: "Authenticity is not established by certificate path validation"
2024-01-31 14:21:17.102107+00:00 [warn] <0.2042.0>      Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"
2024-01-31 14:21:17.102107+00:00 [warn] <0.2042.0> 
2024-01-31 14:21:25.103685+00:00 [warn] <0.2036.0> STOMP login failed for user '': authentication failed
2024-01-31 14:21:25.103845+00:00 [erro] <0.2036.0> STOMP error frame sent:
2024-01-31 14:21:25.103845+00:00 [erro] <0.2036.0> Message: "Bad CONNECT"
2024-01-31 14:21:25.103845+00:00 [erro] <0.2036.0> Detail: "Access refused for user ''\n"
2024-01-31 14:21:25.103845+00:00 [erro] <0.2036.0> Server private detail: none

So what is the solution in this case? I couldn't find much info on how to run RMQ behind a corporate proxy, let alone on fetching the key and working with JWT.

Reproduction steps

  1. Run RabbitMQ behind a proxy in a way that it can't access Keycloak
  2. Set http_proxy for RMQ
  3. Try to open a connection with the JWT token that you got from Keycloak

Expected behavior

RabbitMQ or the OAuth2 plugin should pick up the http_proxy and no_proxy environment variables and use them to reach Keycloak and fetch the keys.

Additional context

No response
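An added diagnostic (not code from the issue or from the RabbitMQ project) for checking, from inside the broker container, which proxy the conventional `*_proxy`/`no_proxy` variables select for the configured OIDC_BASE_URL and whether Keycloak's discovery document and JWKS can actually be fetched through it, which is what the plugin has to do before it can verify a token signature. The proxy address and hostnames are the ones from the compose snippet above; the `.well-known/openid-configuration` path is assumed to be the standard OIDC discovery endpoint.

```python
"""Proxy/JWKS reachability check for the OAuth2 realm behind a corporate proxy."""
import json
import os
import urllib.request
from urllib.parse import urlsplit


def discovery_url(oidc_base_url):
    # Standard OIDC discovery document; it carries the realm's jwks_uri.
    return oidc_base_url.rstrip("/") + "/.well-known/openid-configuration"


def proxy_for(url, env):
    """Proxy selected by the *_proxy/no_proxy convention for `url`, or None.

    no_proxy entries match the exact host or any subdomain; a port suffix
    and a leading dot are ignored, and '*' exempts everything. Other HTTP
    clients (curl, Erlang httpc) apply their own rules, so treat this as
    the expectation, not as what the broker necessarily does."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    no_proxy = env.get("no_proxy") or env.get("NO_PROXY") or ""
    for entry in (e.strip().lower() for e in no_proxy.split(",") if e.strip()):
        entry = entry.split(":")[0].lstrip(".")
        if entry == "*" or host == entry or host.endswith("." + entry):
            return None
    key = parts.scheme + "_proxy"
    return env.get(key) or env.get(key.upper())


def fetch_jwks(oidc_base_url, env=None):
    """Fetch the realm's JWKS via the proxy the environment selects (if any)."""
    env = os.environ if env is None else env
    url = discovery_url(oidc_base_url)
    proxy = proxy_for(url, env)
    # An explicit (possibly empty) ProxyHandler stops urllib from re-reading
    # the environment, so the decision above is the only one applied.
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({} if proxy is None else {"http": proxy, "https": proxy}))
    with opener.open(url, timeout=10) as resp:
        jwks_uri = json.load(resp)["jwks_uri"]
    with opener.open(jwks_uri, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    base = os.environ.get("OIDC_BASE_URL", "https://my-keycloak.io/auth/realms/my-realm")
    print("proxy for discovery:", proxy_for(discovery_url(base), os.environ))
    print("key ids:", [k.get("kid") for k in fetch_jwks(base)["keys"]])
```

If the key ids print, the proxy path works and the remaining gap is the plugin's own HTTP client not using it; a connection error here instead points at the proxy or no_proxy values themselves.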

avarf commented 9 months ago

Closing, because it was created in the wrong repo.