[keycloak-user] Significant SSL issue: Support for reverse proxies

Stian Thorgersen stian at redhat.com
Wed Jun 18 06:13:57 EDT 2014


I've updated the documentation. One more thing you should enable is the confidential transport-guarantee for Keycloak to make sure all http traffic is redirected to https. To make sure it redirects to the correct port you also need to specify redirect-socket. I've included the added documentation below so you don't have to build this from source.


Added Documentation:

3.3.4.2. Enable SSL on a Reverse Proxy

Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy doesn't use port 8443 for SSL, you also need to configure what port http traffic is redirected to. This is done by editing standalone/configuration/standalone.xml.

First add proxy-address-forwarding and redirect-socket to the http-listener element:

<subsystem xmlns="urn:jboss:domain:undertow:1.1">
    ...
    <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
    ...
</subsystem>

Then add a new socket-binding element to the socket-binding-group element:

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    ...
    <socket-binding name="proxy-https" port="443"/>
    ...
</socket-binding-group>

Check the WildFly documentation [https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration] for more information.


----- Original Message -----
> From: "Josh" <smysnk at gmail.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 17 June, 2014 6:19:10 PM
> Subject: Re: [keycloak-user] Significant SSL issue: Support for reverse proxies
> 
> Excellent, just tested it out and it is working as expected.
> 
> I also had to add 'RequestHeader set X-Forwarded-Proto "https"' to my
> Apache virtualhost configuration.
> 
> Some documentation somewhere that this is required would be useful for the
> next guy.
> 
> Thanks,
> Josh
> 
> 
> On Tue, Jun 17, 2014 at 4:58 AM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> > This is quite likely an issue with either Apache or WildFly not being
> > configured correctly.
> >
> > Have you enabled proxy-address-forwarding in WildFly/Undertow (see
> > https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration
> > for more info)?
> >
> > ----- Original Message -----
> > > From: "Josh" <smysnk at gmail.com>
> > > To: "Stian Thorgersen" <stian at redhat.com>
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Monday, 16 June, 2014 4:42:27 PM
> > > Subject: Re: [keycloak-user] Significant SSL issue: Support for reverse proxies
> > >
> > > The first would be at the "Welcome to Keycloak" page, clicking on
> > > Administration Console. The link itself is not redirecting to http, but as
> > > part of the login page it looks like it forwards back to http. (eg.
> > > https://auth.psidox.com/auth/ -> https://auth.psidox.com/auth/admin/ ->
> > > http://auth.psidox.com/auth/admin/master/console ->
> > > http://auth.psidox.com/auth/realms/master/tokens/login?client_id=security-admin-console&redirect_uri=http%3A%2F%2Fauth.psidox.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=2ae3dfaa-fe7c-4973-8932-ffea553d8dfe&response_type=code
> > > )
> > >
> > > I haven't really gotten too far beyond the login page.
> > >
> > > - Josh
> > >
> > >
> > > On Mon, Jun 16, 2014 at 3:33 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > >
> > > > When does it forward the browser from https to http?
> > > >
> > > > As Bill pointed out, does auth-server-url in your keycloak.json point to
> > > > your proxy with https?
> > > >
> > > > What adapter are you using?
> > > >
> > > > ----- Original Message -----
> > > > > From: "Josh" <smysnk at gmail.com>
> > > > > To: keycloak-user at lists.jboss.org
> > > > > Sent: Friday, 13 June, 2014 8:41:32 AM
> > > > > Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies
> > > > >
> > > > > Hi guys,
> > > > >
> > > > > So looking to help solve this issue possibly or at least get it on the radar,
> > > > > I've reported it here: https://issues.jboss.org/browse/KEYCLOAK-497
> > > > >
> > > > > To briefly recap the issue, when logging in via reverse proxy it keeps
> > > > > forwarding the browser from https back to regular http.
> > > > >
> > > > > Eg. Apache virtualhost configured as:
> > > > >
> > > > > <VirtualHost *:443>
> > > > > ServerName auth.domain.com
> > > > > SSLEngine On
> > > > >
> > > > > <Proxy *>
> > > > > Order deny,allow
> > > > > Allow from all
> > > > > </Proxy>
> > > > >
> > > > > ProxyVia Off
> > > > > ProxyPreserveHost On
> > > > > ProxyRequests Off
> > > > >
> > > > > ProxyPass / http://keycloak.core.docker:8080/
> > > > > ProxyPassReverse / http://keycloak.core.docker:8080/
> > > > >
> > > > >
> > > > > </VirtualHost>
> > > > >
> > > > > If I were to start looking into the code base, where would I start? Trying to
> > > > > find for example during the login process how the forward url is formed?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Josh
> > > > >
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> > >
> >
> 
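The following is an added example written for this archive page; it is not code from the thread, from Keycloak or from Undertow. It simulates the two decisions discussed above: how a container behind a TLS-terminating proxy decides the request scheme (ignoring X-Forwarded-Proto unless proxy-address-forwarding is on, because the header is client-controllable input otherwise), and how a CONFIDENTIAL transport-guarantee redirects plain-http requests to the port named by redirect-socket. The host name `auth.example.com`, the sample headers and all function names are constructed for illustration.

```python
from urllib.parse import urlencode

# Constructed sample requests as Apache would forward them to Keycloak on
# port 8080 with ProxyPreserveHost On (the public Host header survives).
# The first request is what Josh's original VirtualHost produced; the second
# is what it produces after adding RequestHeader set X-Forwarded-Proto "https".
REQUEST_WITHOUT_PROTO = {
    "host": "auth.example.com",
    "x-forwarded-for": "203.0.113.10",
}
REQUEST_WITH_PROTO = {
    "host": "auth.example.com",
    "x-forwarded-for": "203.0.113.10",
    "x-forwarded-proto": "https",
}


def effective_scheme(headers, proxy_address_forwarding):
    """Return the scheme the container reports to the application.

    The hop from the proxy to the container is plain http, so without
    proxy-address-forwarding the scheme is always 'http'. With it enabled
    the container trusts X-Forwarded-Proto; if a chain of proxies appended
    several values, only the first (outermost) one counts.
    """
    if not proxy_address_forwarding:
        return "http"
    proto = headers.get("x-forwarded-proto", "")
    first = proto.split(",")[0].strip().lower()
    return "https" if first == "https" else "http"


def build_console_login_url(headers, proxy_address_forwarding):
    """Mimic the admin console bouncing the browser to the login endpoint.

    Both the login URL and its redirect_uri are built from the reported
    scheme, which is exactly where the thread saw https turn into http.
    """
    scheme = effective_scheme(headers, proxy_address_forwarding)
    host = headers["host"]
    redirect_uri = f"{scheme}://{host}/auth/admin/master/console/"
    query = urlencode({
        "client_id": "security-admin-console",
        "redirect_uri": redirect_uri,
        "response_type": "code",
    })
    return f"{scheme}://{host}/auth/realms/master/tokens/login?{query}"


def confidential_redirect(scheme, host, path, redirect_port=443):
    """Apply a CONFIDENTIAL transport-guarantee.

    Requests already on https pass through (returns None). Plain-http
    requests are redirected to https on the redirect-socket port, which is
    why that socket-binding must match the proxy's real TLS port (443 here)
    rather than the container's default of 8443.
    """
    if scheme == "https":
        return None
    port = "" if redirect_port == 443 else f":{redirect_port}"
    return f"https://{host}{port}{path}"


if __name__ == "__main__":
    for label, req in (("without X-Forwarded-Proto", REQUEST_WITHOUT_PROTO),
                       ("with X-Forwarded-Proto", REQUEST_WITH_PROTO)):
        print(label, "->", build_console_login_url(req, proxy_address_forwarding=True))
    print("redirect-socket 443 ->", confidential_redirect("http", "auth.example.com", "/auth/"))
    print("redirect-socket 8443 ->", confidential_redirect("http", "auth.example.com", "/auth/", 8443))
```

Running it shows the three cases the thread went through: with forwarding disabled every URL comes out http regardless of headers; with forwarding enabled but no X-Forwarded-Proto the login URL still carries an http redirect_uri (the reported loop); only with both the Undertow setting and the Apache header in place do the URLs stay https, and the transport-guarantee then sends stray http requests to the proxy's port rather than 8443.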

