[keycloak-user] Only Allowing Access To Master Realm From Internal Network

Stian Thorgersen stian at redhat.com
Fri Sep 11 11:03:19 EDT 2015



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 11 September, 2015 5:00:24 PM
> Subject: Re: [keycloak-user] Only Allowing Access To Master Realm From Internal Network
> 
> Kenyatta, does that work for you?  URL patterns are:
> 
> /auth/realms/{realm}/*  this is all protocol entry points.  Through your
> proxy, control which realms can receive SSO requests by filtering out
> things by realm name aka {realm}
> 
> /auth/admin/* All admin consoles and admin REST endpoints

Do we not also have the realm specific admin console entry points?

> 
> 
> On 9/11/2015 7:54 AM, Felipe Braun Azambuja wrote:
> > I have put some rules on my reverse proxy (nginx), at least to stop
> > access to the admin console:
> >
> > location / {
> >     allow 1.2.3.4;
> >     deny all;
> >
> >     proxy_pass http://keycloak:8080$request_uri;
> > }
> >
> > location /auth/realms {
> >     allow all;
> >     proxy_pass http://keycloak:8080$request_uri;
> > }
> >
> > location /auth/resources {
> >     allow all;
> >     proxy_pass http://keycloak:8080$request_uri;
> > }
> >
> >
> > On 11/09/2015 08:48, Kenyatta Clark wrote:
> >> First of all, I would like to thank your team for doing such a nice job
> >> on Keycloak.  It is a very solid project.
> >>
> >> We are getting ready to deploy Keycloak to production and our IT
> >> director is nervous about having the Master realm accessible from the
> >> internet.  Is there any way to configure Keycloak to disallow access to
> >> the Master realm from the open internet?  If not, what methods do you
> >> suggest employing that would mitigate the risk?
> >>
> >>
> >> *Kenyatta Clark*
> >>
> >> *Principal Engineer, Systems Development*
> >>
> >> MBO Partners
> >>
> >> *t:* 703.793.6314
> >>
> >> *w:*www.mbopartners.com <http://www.mbopartners.com/>
> >>
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> > --
> > Felipe Braun Azambuja
> > DBA
> > Information and Communication Technology
> > (48) 3281 9577
> > felipe.braun at intelbras.com.br
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
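Added example, not part of the thread and not Keycloak project code: an nginx server block that applies the URL patterns Bill Burke lists above, keeping the master realm and /auth/admin internal while other realms stay public. The internal range 10.0.0.0/8 and the server name are assumptions; keycloak:8080 is the upstream from the quoted config.

```nginx
# Added example; 10.0.0.0/8 and sso.example.com are assumed placeholder values.
# keycloak:8080 is the upstream host from the quoted config.
server {
    listen 80;
    server_name sso.example.com;

    # Default deny: only the locations below reach Keycloak.
    location / {
        return 404;
    }

    # Master realm protocol endpoints: internal network only.
    # A regex location overrides the plain /auth/realms/ prefix match below,
    # and (/|$) catches /auth/realms/master with and without a trailing path
    # while leaving a realm named e.g. "master2" alone.
    location ~ ^/auth/realms/master(/|$) {
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://keycloak:8080;
    }

    # All other realms: public SSO entry points.
    location /auth/realms/ {
        proxy_pass http://keycloak:8080;
    }

    # Theme and static resources (also opened in the quoted config).
    location /auth/resources/ {
        proxy_pass http://keycloak:8080;
    }

    # Admin consoles and admin REST endpoints: internal network only.
    location /auth/admin/ {
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://keycloak:8080;
    }
}
```

`allow` and `deny` match the address of the TCP peer nginx sees, so behind another load balancer the client address must first be restored (for example with the realip module).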


