[keycloak-user] KEYCLOAK w/ NGINX Reverse Proxy

Marko Strukelj mstrukel at redhat.com
Thu Jan 14 10:06:07 EST 2016


Maybe take a look at advice in this thread:
http://lists.jboss.org/pipermail/keycloak-user/2016-January/004413.html

On Thu, Jan 14, 2016 at 3:44 PM, Christopher Wallace <cjwallac at gmail.com> wrote:
> Marko, Thanks for your feedback!
>
> We have successfully passed that problem and are able to log in to KEYCLOAK
> behind NGINX using HTTPS Proxy. Our challenge now is that when our applications
> attempt to access it we get the following error:
>
> Request URL: https://sso2.company.com/auth/realms/master/tokens/access/codes
> Request Method: POST
> Status Code: 400 Bad Request
> Remote Address: 99.99.99.99:443
>
> Response Headers:
>
> Connection: keep-alive
> Content-Type: application/json
> Date: Thu, 14 Jan 2016 14:35:52 GMT
> Server: nginx/1.4.6 (Ubuntu)
> Transfer-Encoding: chunked
> X-Powered-By: Undertow/1
>
> Request Headers:
>
> Accept: */*
> Accept-Encoding: gzip, deflate
> Accept-Language: en-US,en;q=0.8
> Authorization: Basic bXByLXBsYXRmb3JtOmU1MGYxODEyLTYzYTQtNGM0YS05NWQ
> Connection: keep-alive
> Content-Length: 172
> Content-type: application/x-www-form-urlencoded
> Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzNGY0ZDI1OS02NzJjLTQzYjUtOGFmOC1hNzkwMWRiMDUxMmYiLCJleHAiOjE0NTI4MTgxNTMsIm5iZiI6MCwiaWF0IjoxNDUyNzgyMTUzLCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiOWRiNjdhNGQtOWIwMS00NjgxLTlmYmMtZDQ3N2Y1NTgyMGYyIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.JyQIOJk5214-n4y0RkpEuLJWY4u6Z4Fu_086Z9nwM9BU8TarV-oH6cxZEBYakyL8pvmwf0CWHMmN3XNF-Zv4b1UPutcLP7IChM1EEr4F1tPxwmddYS1M90NdY7Bzn2R36mnASZqczMMAisd-OE2TU8oDgMyg0Rb0iZNIi_jJU_Rd-na4qhfuBojF_u8BSFjSJsd3agjF5ZZ9ok9mo2McCMDaV21vozVryIkR1vfAKPWf6WI8fEQBpDAFsh37M_k
> DNT: 1
> Host: sso2.company.com
> Origin: http://app.local.company.com
> Referer: http://app.local.company.com/App/
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
>
> Form Data (URL encoded):
>
> code: Vyzj7f-Aq2anYTJy7AoK4e6h0s2Ypp0vQ6okx7lWlRo.d2acab15-f708-4838-bd4b-2562fd46f8e2
> redirect_uri: http://app.local.company.com/App/
>
> Please do note that this same application is able to access KEYCLOAK using
> basically the same configuration without NGINX in the mix. Have any thoughts
> as to what we should look to configure differently with NGINX in the mix?
>
> On Mon, Jan 4, 2016 at 7:16 AM Marko Strukelj <mstrukel at redhat.com> wrote:
>>
>> The error 'org.apache.http.conn.HttpHostConnectException: Connection to
>> https://sso2.domain.com refused' means that either there is a server side
>> problem - your Nginx isn't started and listening on port 443, a firewall
>> preventing incoming connections - or there is a client side problem - a DNS
>> issue improperly resolving sso2.domain.com into IP on the host where Tomcat
>> is running.
>>
>> At this point no SSL handshaking was attempted yet.
>>
>> If you try 'curl https://sso2.domain.com' or 'telnet sso2.domain.com 443'
>> from the server running your Tomcat you'll see the same issue. Once that
>> starts to work, only then will any SSL / proxying related configuration
>> issues start to manifest themselves.
>>
>> On Wed, Dec 30, 2015 at 11:34 PM, Christopher Wallace <cjwallac at gmail.com>
>> wrote:
>>>
>>> Community, I have spent a decent amount of time attempting to get
>>> KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application. It
>>> does work without the proxy, but I need the proxy to handle certificates. I
>>> think I am pretty close to having it working, but something seems to be
>>> missing... I have done the following. I appreciate any insight you may have
>>> as I think I have exhausted other resources.
>>>
>>> 1. Configure a server in NGINX
>>>
>>> server {
>>>     listen 443;
>>>     ssl on;
>>>     ssl_certificate     /etc/ssl/certs/dcf30de94f28f16f.crt;
>>>     ssl_certificate_key /etc/ssl/certs/*.domain.key;
>>>
>>>     server_name sso2.domain.com;
>>>
>>>     access_log /var/log/nginx/nginx.sso.access.log;
>>>     error_log  /var/log/nginx/nginx.sso.error.log;
>>>
>>>     location / {
>>>         # Pass the client-facing host, client address, scheme and port to
>>>         # Keycloak (Undertow) so it builds https:// URLs and sees the real
>>>         # client IP instead of the proxy's.
>>>         proxy_set_header Host $host;
>>>         proxy_set_header X-Real-IP $remote_addr;
>>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>>         proxy_set_header X-Forwarded-Proto $scheme;
>>>         proxy_set_header X-Forwarded-Port 443;
>>>
>>>         proxy_pass http://internalip:8080;
>>>     }
>>> }
>>>
>>> 2. Enable SSL on a Reverse Proxy
>>>
>>> First add proxy-address-forwarding and redirect-socket to the
>>> http-listener element:
>>>
>>> <subsystem xmlns="urn:jboss:domain:undertow:1.1">
>>>     ...
>>>     <http-listener name="default" socket-binding="http"
>>> proxy-address-forwarding="true" redirect-socket="proxy-https"/>
>>>     ...
>>> </subsystem>
>>>
>>> Then add a new socket-binding element to the socket-binding-group
>>> element:
>>>
>>> <socket-binding-group name="standard-sockets" default-interface="public"
>>> port-offset="${jboss.socket.binding.port-offset:0}">
>>>     ...
>>>     <socket-binding name="proxy-https" port="443"/>
>>>     ...
>>> </socket-binding-group>
>>>
>>>
>>> RECEIVE THE FOLLOWING ERROR in TOMCAT:
>>>
>>> 1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator - failed to turn code into token
>>> org.apache.http.conn.HttpHostConnectException: Connection to https://sso2.domain.com refused
>>>     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) ~[httpclient-4.2.1.jar:4.2.1]
>>>     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) ~[httpclient-4.2.1.jar:4.2.1]
>>>     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) ~[httpclient-4.2.1.jar:4.2.1]
>>>     at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) ~[httpclient-4.2.1.jar:4.2.1]
>>>     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) ~[httpclient-4.2.1.jar:4.2.1]
>>>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) ~[httpclient-4.2.1.jar:4.2.1]
>>>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) ~[httpclient-4.2.1.jar:4.2.1]
>>>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) ~[httpclient-4.2.1.jar:4.2.1]
>>>     at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90) ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
>>>     at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
>>>     at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
>>>     at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
>>>     at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
>>>     at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28) [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final]
>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) [lib/:na]
>>>     at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [lib/:na]
>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [lib/:na]
>>>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) [lib/:na]
>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [lib/:na]
>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) [lib/:na]
>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) [tomcat-coyote.jar:8.0.18]
>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) [tomcat-coyote.jar:8.0.18]
>>>     at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) [tomcat-coyote.jar:8.0.18]
>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) [tomcat-coyote.jar:8.0.18]
>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) [tomcat-coyote.jar:8.0.18]
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_25]
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_25]
>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.18]
>>>     at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25]
>>> Caused by: java.net.ConnectException: Connection timed out
>>>     at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25]
>>>     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345) ~[na:1.8.0_25]
>>>     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_25]
>>>     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_25]
>>>     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_25]
>>>     at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]
>>>     at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) ~[na:1.8.0_25]
>>>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549) ~[httpclient-4.2.1.jar:4.2.1]
>>>     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.2.1.jar:4.2.1]
>>>     ... 29 common frames omitted
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
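The following is an added example for this thread, not code from the list, from Keycloak or from NGINX. It covers two things the messages above leave to the reader: the connect ladder Marko describes (DNS, then TCP, then TLS; a refused or timed-out connect means no handshake was attempted yet), and what the backend actually reconstructs from the X-Forwarded-* headers set in the NGINX location once proxy-address-forwarding is on. The host name sso2.company.com is the thread's; the client and proxy IP addresses and the trusted-proxy range 10.0.0.0/8 are constructed for the demonstration. The trusted-proxy check is this example's own addition, because Undertow honours the forwarded headers from whatever peer reaches the listener, which is why port 8080 must be reachable from the proxy only.

```python
"""Added example (not code from the thread, Keycloak or NGINX).

diagnose()        - first failing rung of DNS -> TCP -> TLS for host:port.
external_url()    - the public URL the backend rebuilds from X-Forwarded-*.
lint_forwarding() - mismatches to check before blaming the adapter.
Host names are the thread's; IPs and the trusted range are constructed.
"""
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from typing import Iterable, Mapping

DEFAULT_PORT = {"http": 80, "https": 443}


@dataclass(frozen=True)
class ExternalUrl:
    scheme: str
    host: str
    port: int

    def __str__(self) -> str:
        suffix = "" if self.port == DEFAULT_PORT.get(self.scheme) else f":{self.port}"
        return f"{self.scheme}://{self.host}{suffix}"


def diagnose(host: str, port: int, timeout: float = 3.0) -> str:
    """Return the first failing stage ("dns", "tcp", "tls") or "ok"."""
    try:
        sockaddr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "dns"                     # name does not resolve on this host
    try:
        raw = socket.create_connection(sockaddr[:2], timeout=timeout)
    except OSError:
        return "tcp"                     # refused / timed out: no TLS attempted yet
    try:
        with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
            return "ok"                  # handshake done: the proxy really answers
    except OSError:
        return "tls"                     # certificate / protocol problem at the proxy
    finally:
        raw.close()


def free_local_port() -> int:
    """A port nothing listens on, to demonstrate the tcp rung offline."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def external_url(headers: Mapping[str, str], peer_ip: str,
                 trusted_proxies: Iterable[str], listener_port: int = 8080) -> ExternalUrl:
    """Public URL the backend will put into redirects and issued URLs.

    Mirrors proxy-address-forwarding="true" with the headers the thread's NGINX
    location sets: scheme from X-Forwarded-Proto, host from X-Forwarded-Host or
    Host, port from X-Forwarded-Port. The trusted-proxy gate is this example's
    addition (assumption: Undertow itself applies no such filter).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    host = h.get("host", "")
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n, strict=False) for n in trusted_proxies):
        return ExternalUrl("http", host.partition(":")[0], listener_port)
    scheme = h.get("x-forwarded-proto", "http").split(",")[0].strip().lower()
    fhost = h.get("x-forwarded-host", host).split(",")[0].strip()
    hostname, _, hostport = fhost.partition(":")
    port = int(h.get("x-forwarded-port") or hostport or DEFAULT_PORT.get(scheme, 80))
    return ExternalUrl(scheme, hostname, port)


def lint_forwarding(headers: Mapping[str, str], peer_ip: str,
                    trusted_proxies: Iterable[str], public: ExternalUrl) -> list:
    """Mismatches between what the backend rebuilds and what clients use."""
    findings = []
    if "x-forwarded-proto" not in {k.lower() for k in headers}:
        findings.append("X-Forwarded-Proto missing: backend will build http:// URLs")
    seen = external_url(headers, peer_ip, trusted_proxies)
    if seen != public:
        findings.append(f"backend sees {seen} but clients use {public}")
    return findings


# Constructed request, as the thread's NGINX location would forward it.
NGINX_HEADERS = {
    "Host": "sso2.company.com",
    "X-Real-IP": "203.0.113.10",
    "X-Forwarded-For": "203.0.113.10",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
}
PUBLIC = ExternalUrl("https", "sso2.company.com", 443)
TRUSTED_PROXIES = ["10.0.0.0/8"]      # assumption: NGINX's internal address range

if __name__ == "__main__":
    print("forwarded ok:", lint_forwarding(NGINX_HEADERS, "10.0.0.5", TRUSTED_PROXIES, PUBLIC))
    no_proto = {k: v for k, v in NGINX_HEADERS.items() if k != "X-Forwarded-Proto"}
    print("proto missing:", lint_forwarding(no_proto, "10.0.0.5", TRUSTED_PROXIES, PUBLIC))
    print("spoof from outside:", external_url(NGINX_HEADERS, "203.0.113.99", TRUSTED_PROXIES))
    print("tcp rung:", diagnose("127.0.0.1", free_local_port()))
```

Run diagnose() from the Tomcat host against the public name and port 443 before touching any proxy setting; only an "ok" or "tls" result means the adapter's request ever reached NGINX. The lint shows the two things to confirm on the Keycloak side once the connection works: that X-Forwarded-Proto arrives (otherwise the backend rebuilds http:// URLs even though clients speak https to the proxy), and that the reconstructed host and port equal the name in the browser. The untrusted-peer case shows why the listener on 8080 must not be exposed beyond the proxy: anyone who can reach it directly can set those headers themselves.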


