[keycloak-user] KEYCLOAK w/ NGINX Reverse Proxy

Christopher Wallace cjwallac at gmail.com
Wed Dec 30 17:34:34 EST 2015 

Community, I have spent a decent amount of time attempting to get KEYCLOAK
behind an NGINX Reverse Proxy to protect a TOMCAT Application. It does work
without the proxy, but I need the proxy to handle certificates. I think I
am pretty close to having it working, but somethings seems to be missing...
I have done the following. I appreciate any insight you may have as I think
I have exhausted other resources.

*1. Configure a server in NGINX*

server {

listen   443;


ssl    on;

ssl_certificate    /etc/ssl/certs/dcf30de94f28f16f.crt;

ssl_certificate_key    /etc/ssl/certs/*.domain.key;


server_name sso2. domain.com;

access_log /var/log/nginx/nginx.sso.access.log;

error_log /var/log/nginx/nginx.sso.error.log;

  location / {

        proxy_set_header Host $host;

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_set_header X-Forwarded-Port 443;

        proxy_pass http://internalip:8080;

    }

}

*2. Enable SSL on a Reverse Proxy*

First add proxy-address-forwarding and redirect-socket to the http-listener
 element:

<subsystem xmlns="urn:jboss:domain:undertow:1.1">
    ...
    <http-listener name="default" socket-binding="http"
proxy-address-forwarding="true" redirect-socket="proxy-https"/>
    ...
</subsystem>

Then add a new socket-binding element to the socket-binding-group element:

<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
    ...
    <socket-binding name="proxy-https" port="443"/>
    ...
</socket-binding-group>


*RECIVE THE FOLLOWING ERROR in TOMCAT:*

1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator -
failed to turn code into token

org.apache.http.conn.HttpHostConnectException: Connection to
https://sso2.domain.com refused

at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190)
~[httpclient-4.2.1.jar:4.2.1]

at
org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
~[httpclient-4.2.1.jar:4.2.1]

at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
~[httpclient-4.2.1.jar:4.2.1]

at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
~[httpclient-4.2.1.jar:4.2.1]

at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
~[httpclient-4.2.1.jar:4.2.1]

at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
~[httpclient-4.2.1.jar:4.2.1]

at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
~[httpclient-4.2.1.jar:4.2.1]

at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
~[httpclient-4.2.1.jar:4.2.1]

at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90)
~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]

at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297)
[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]

at
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243)
[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]

at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95)
[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]

at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189)
[keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]

at
org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28)
[keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final]

at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
[lib/:na]

at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170)
[keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]

at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
[lib/:na]

at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
[lib/:na]

at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
[lib/:na]

at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
[lib/:na]

at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
[lib/:na]

at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
[tomcat-coyote.jar:8.0.18]

at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
[tomcat-coyote.jar:8.0.18]

at
org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
[tomcat-coyote.jar:8.0.18]

at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
[tomcat-coyote.jar:8.0.18]

at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
[tomcat-coyote.jar:8.0.18]

at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[na:1.8.0_25]

at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[na:1.8.0_25]

at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat-util.jar:8.0.18]

at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25]

Caused by: java.net.ConnectException: Connection timed out

at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25]

at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345)
~[na:1.8.0_25]

at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
~[na:1.8.0_25]

at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
~[na:1.8.0_25]

at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_25]

at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]

at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649)
~[na:1.8.0_25]

at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549)
~[httpclient-4.2.1.jar:4.2.1]

at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
~[httpclient-4.2.1.jar:4.2.1]

... 29 common frames omitted
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151230/da42d379/attachment.html

More information about the keycloak-user mailing list