3

We are using the web console of https://aws.amazon.com/amazon-mq/ behind a reverse proxy.

Most of the basic functionality is working; however, almost every active action (send message to queue, purge queue, ...) in the web panel ends up on the Amazon internal URL (https://b-asdfsad-fsdfasdf-asdfasdf.mq.eu-central-1.amazonaws.com), therefore evading the reverse proxy and ending up in an error, since we prevent direct access to it for security reasons.

Any idea how to tell the web console, using the available AmazonMQ Configuration options, to prevent redirecting to anything but the URL under which the reverse proxy is reachable?

Update: using an Nginx reverse proxy with this config:

    set $proxy_pass_url https://abc-def-xyz-1.mq.eu-central-1.amazonaws.com:8162;
    location / {
      proxy_pass $proxy_pass_url;
      proxy_http_version 1.1;
      proxy_set_header Authorization "Basic AUTHSTRING";
      proxy_set_header X-Forwarded-User $remote_user;
      proxy_set_header Host abc-def-xyz-1.mq.eu-central-1.amazonaws.com;
      proxy_set_header Connection "Keep-Alive";
      proxy_set_header Proxy-Connection "Keep-Alive";
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $http_host;
    }

Marcel Lamm
  • How about *not* telling it how the proxy is accessing it? I would expect what you are seeing to happen if the proxy is rewriting the `Host` header, which hopefully is unnecessary. Show the proxy config? – Michael - sqlbot Jul 26 '18 at 10:48
  • Added config, probably related: https://forums.aws.amazon.com/thread.jspa?threadID=271788&tstart=0 where someone tries to modify the port of the web console. We pretty much want to modify the host here. – Marcel Lamm Jul 26 '18 at 15:05
  • I also ended up posting it on the AWS forums https://forums.aws.amazon.com/thread.jspa?threadID=286809 – Marcel Lamm Jul 27 '18 at 12:09
  • A related question is here: https://stackoverflow.com/questions/57220506/configure-base-url-for-activemq-web-console-running-behind-a-reverse-proxy since a standalone ActiveMQ or ActiveMQ Artemis suffers from similar behavior. – Jaap Feb 16 '21 at 10:31

1 Answer

0

The Host header is set already, but ActiveMQ's dashboard Jetty config needs to know the host anyway, and it's maybe not possible to do this in the configurations AWS provides atm.

[...]

    set $proxy_pass_url https://abc-def-xyz-1.mq.eu-central-1.amazonaws.com:8162;

    location / {
      proxy_pass $proxy_pass_url;
      proxy_http_version 1.1;
      proxy_set_header Authorization "Basic AUTHSTRING";
      proxy_set_header X-Forwarded-User $remote_user;
      proxy_set_header Host abc-def-xyz-1.mq.eu-central-1.amazonaws.com:8162;
      proxy_set_header Connection "Keep-Alive";
      proxy_set_header Proxy-Connection "Keep-Alive";
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $http_host;
    }

[...]

Schors
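
An added example, not part of the question or the answer above: if the console's actions end in HTTP redirects whose `Location` header names the broker host (an assumption about the behaviour the question describes), nginx can rewrite those headers itself with `proxy_redirect`. `mq-console.example.com` is a placeholder for the proxy's public name, and a `resolver` is assumed to be configured elsewhere because `proxy_pass` uses a variable.

```nginx
# Added example: server-context fragment based on the config in the question.
# mq-console.example.com is a placeholder for the reverse proxy's public name.
set $proxy_pass_url https://abc-def-xyz-1.mq.eu-central-1.amazonaws.com:8162;

location / {
  proxy_pass $proxy_pass_url;
  proxy_http_version 1.1;
  proxy_set_header Authorization "Basic AUTHSTRING";
  proxy_set_header Host abc-def-xyz-1.mq.eu-central-1.amazonaws.com:8162;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;

  # "proxy_redirect default" cannot be used when proxy_pass contains a
  # variable, so the mapping is written out explicitly.
  # Match redirects to the broker host over http or https, with or without
  # a port, and keep only the path ($2) when rewriting to the public name.
  proxy_redirect ~^https?://abc-def-xyz-1\.mq\.eu-central-1\.amazonaws\.com(:\d+)?(/.*)?$ https://mq-console.example.com$2;
}
```

`proxy_redirect` only changes the `Location` and `Refresh` response headers, so absolute URLs embedded in the console's HTML are left as they are. The replacement uses a fixed hostname rather than `$http_host` so that a client-supplied `Host` header cannot steer where the redirect points.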