[keycloak-user] Only Allowing Access To Master Realm From Internal Network

Bill Burke bburke at redhat.com
Fri Sep 11 11:00:24 EDT 2015


Kenyatta, does that work for you?  URL patterns are:

/auth/realms/{realm}/*  this is all protocol entry points.  Through your 
proxy, control which realms can receive SSO requests by filtering out 
things by realm name aka {realm}

/auth/admin/* All admin consoles and admin REST endpoints


On 9/11/2015 7:54 AM, Felipe Braun Azambuja wrote:
> I have put some rules on my reverse proxy (nginx), at least to stop
> access to the admin console:
>
> location / {
>     allow 1.2.3.4;
>     deny all;
>
>     proxy_pass http://keycloak:8080$request_uri;
> }
>
> location /auth/realms {
>     allow all;
>     proxy_pass http://keycloak:8080$request_uri;
> }
>
> location /auth/resources {
>     allow all;
>     proxy_pass http://keycloak:8080$request_uri;
> }
>
>
> On 11/09/2015 08:48, Kenyatta Clark wrote:
>> First of all, I would like to thank your team for doing such a nice job
>> on Keycloak.  It is a very solid project.
>>
>> We are getting ready to deploy Keycloak to production and our IT
>> director is nervous about having the Master realm accessible from the
>> internet.  Is there any way to configure Keycloak to disallow access to
>> the Master realm from the open internet?  If not, what methods do you
>> suggest employing that would mitigate the risk?
>>
>>
>> *Kenyatta Clark*
>>
>> *Principal Engineer, Systems Development*
>>
>> MBO Partners
>>
>> *t:* 703.793.6314
>>
>> *w:*www.mbopartners.com <http://www.mbopartners.com/>
>>
>>
>> Notice: This email and any files transmitted with it are confidential.
>> They are intended solely for the use of the individual addressed.  If
>> you have received this email in error please notify
>> postmaster at mbopartners.com <mailto:postmaster at mbopartners.com>and
>> permanently delete the e-mail and files.
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Felipe Braun Azambuja
> DBA
> Information and Communication Technology
> (48) 3281 9577
> felipe.braun at intelbras.com.br
> The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
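
An added example, not part of the original thread: one way to combine the URL patterns listed above with the default-deny layout from the quoted nginx rules, so that the master realm and all admin endpoints are reachable only from inside. The internal range `10.0.0.0/8` and the host name `sso.example.com` are assumed placeholders; `keycloak:8080` is the upstream from the quoted config.

```nginx
server {
    listen 80;                       # TLS termination omitted for brevity
    server_name sso.example.com;     # assumed placeholder

    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # allow/deny test the connecting address. If another load balancer sits
    # in front of nginx, that is the balancer's address unless the realip
    # module is configured.

    # Default deny: anything not opened below is internal-only.
    location / {
        allow 10.0.0.0/8;            # assumed internal network
        deny  all;
        proxy_pass http://keycloak:8080;   # no URI part: request URI is passed as sent
    }

    # Admin consoles and admin REST endpoints. Already covered by "/",
    # kept explicit; ^~ stops a regex location added later from overriding it.
    location ^~ /auth/admin/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak:8080;
    }

    # Protocol entry points for application realms stay public.
    location /auth/realms/ {
        proxy_pass http://keycloak:8080;
    }

    # Static resources used by the login pages.
    location /auth/resources/ {
        proxy_pass http://keycloak:8080;
    }

    # Master realm: the longer prefix wins over /auth/realms/.
    location ^~ /auth/realms/master/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak:8080;
    }
    # Same realm without the trailing slash.
    location = /auth/realms/master {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak:8080;
    }
}
```

After reloading, requests from an external address to `/auth/realms/master/` and `/auth/admin/` should return 403, while the application realms still serve their login pages.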

