[keycloak-user] Reverse proxy calling admin API
Christian Bauer
christian.bauer at gmail.com
Mon May 23 03:04:54 EDT 2016
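
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Diagnostic servlet: prints what the container reports for the request URL,
// the remote host, and every request header it received.
@WebServlet(name = "test", urlPatterns = "/test")
public class TestServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req,
                         HttpServletResponse resp) throws ServletException, IOException {
        System.err.println("REQUEST URL : " + req.getRequestURL());
        System.err.println("REMOTE HOST: " + req.getRemoteHost());
        Enumeration<String> headers = req.getHeaderNames();
        while (headers.hasMoreElements()) {
            String header = headers.nextElement();
            System.err.println(header + ": " + req.getHeader(header));
        }
    }
}
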
/wildfly-10.0.0.Final/standalone/configuration$ grep http-listener standalone.xml
<http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="https"/>
/wildfly-10.0.0.Final/standalone/configuration$ curl -v --header "X-Forwarded-For: 10.0.0.1:8888" --header "X-Forwarded-Proto: http" http://localhost:8080/proxytest_war_exploded/test
08:47:32,511 ERROR [stderr] (default task-2) REQUEST URL : http://localhost:8080/proxytest_war_exploded/test
08:47:32,511 ERROR [stderr] (default task-2) REMOTE HOST: 10.0.0.1:8888
08:47:32,511 ERROR [stderr] (default task-2) Accept: */*
08:47:32,511 ERROR [stderr] (default task-2) X-Forwarded-Proto: http
08:47:32,512 ERROR [stderr] (default task-2) User-Agent: curl/7.43.0
08:47:32,512 ERROR [stderr] (default task-2) X-Forwarded-For: 10.0.0.1
08:47:32,512 ERROR [stderr] (default task-2) Host: localhost:8080

I've also looked at the code of Undertow/Wildfly and as far as I can tell, the proxy-address-forwarding affects only HttpServletRequest#getRemoteHost() etc. values.

> On 23.05.2016, at 08:16, Stian Thorgersen <sthorger at redhat.com> wrote:
>
> Take a look at http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding. proxy-address-forwarding=true does set HttpServletRequest#getRequestURL(), but only if http is used. If you're using ajp then you need to use ProxyPeerAddressHandler.
>
> On 22 May 2016 at 10:10, Christian Bauer <christian.bauer at gmail.com> wrote:
> A workaround/solution is to set the Host header on the proxy.
>
> This is equivalent to setting ProxyPreserveHost On if you were using Apache mod_proxy. It requires some ugly hacks, however, to customize this header with my Resteasy/ApacheHttpClient proxy.
>
> > On 22.05.2016, at 00:18, Christian Bauer <christian.bauer at gmail.com> wrote:
> >
> > Already done. I don't think that affects HttpServletRequest#getRequestURL(), which is what Resteasy is using to populate UriInfo#getBaseUri()?
> >
> >> set the proxy-address-forwarding="true" for the http-listener.
> >>
> >>>
> >>> The proxy makes a call to Keycloak with a Bearer token and the correct X-Forwarded-* headers. Keycloak/Wildfly is configured with proxy-address-forwarding=true.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user>
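
Added example, not part of the original thread and not Keycloak, Wildfly or Resteasy code: the curl test above shows that a client connecting directly can set X-Forwarded-For and have it reported as the remote host, so a service that builds its base URL from the Host and X-Forwarded-Proto headers should honour them only when the socket peer is a known proxy. The class name, the trusted-proxy and allowed-host sets, the lowercase header map and all addresses are assumptions constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

public class ForwardedBaseUrl {
    // Assumption: the only peers allowed to supply proxy headers (constructed addresses).
    static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1", "192.0.2.10");
    // Assumption: external host names this deployment is published under (exact match).
    static final Set<String> ALLOWED_HOSTS = Set.of("sso.example.org");

    /**
     * peerAddr  - address of the TCP peer, taken before any header-based rewriting.
     *             With proxy-address-forwarding=true, getRemoteHost() is already
     *             rewritten from X-Forwarded-For, so it cannot serve as this value.
     * localBase - what the container reports without a proxy.
     * headers   - request headers keyed by lowercase name.
     */
    static String baseUrl(String peerAddr, String localBase, Map<String, String> headers) {
        if (!TRUSTED_PROXIES.contains(peerAddr)) {
            return localBase; // direct client: proxy headers are untrusted input
        }
        String proto = headers.getOrDefault("x-forwarded-proto", "http").trim().toLowerCase();
        String host = headers.getOrDefault("host", "").trim().toLowerCase();
        boolean protoOk = proto.equals("http") || proto.equals("https");
        if (!protoOk || !ALLOWED_HOSTS.contains(host)) {
            return localBase; // trusted peer, but values outside the expected set
        }
        return proto + "://" + host;
    }

    public static void main(String[] args) {
        String local = "http://localhost:8080";
        // Constructed sample requests.
        Map<String, String> viaProxy = Map.of("host", "sso.example.org", "x-forwarded-proto", "https");
        Map<String, String> badHost = Map.of("host", "other.example.net", "x-forwarded-proto", "https");

        // Trusted proxy with Host preserved: external URL is used.
        System.out.println(baseUrl("192.0.2.10", local, viaProxy));
        // Same headers from an unknown peer: ignored.
        System.out.println(baseUrl("203.0.113.7", local, viaProxy));
        // Trusted proxy but unexpected Host value: ignored.
        System.out.println(baseUrl("192.0.2.10", local, badHost));
    }
}
```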