[keycloak-user] Redirection issue with proxy behind keycloak

Aritz Maeztu amaeztu at tesicnor.com
Tue May 24 02:46:08 EDT 2016


Hi Niels and Scott. First of all, thank you very much for your help. I'm 
currently using Zuul (Spring Cloud) as the reverse proxy. All the 
services are registered in a discovery service called Eureka and then 
Zuul looks for the service id there and performs the redirection. I read 
about X-Forwarded headers, but I thought it might result in a security 
issue if not included, not that it could affect the redirection process.

As Scott says, I suppose the Host and the X-Real-Ip headers are the 
relevant ones here, so I guess I should instruct Zuul to send them when 
the service is addressed (however I wonder why they are not already 
being sent, as Zuul is a proxy service, all in all).

Here I include a preview of the first redirection made to the keycloak 
login page, which shows the request headers sent to the service /login 
endpoint (at port 8081 in localhost):

https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0

On 24/05/2016 at 2:08, Niels Bertram wrote:
> Hi Aritz,
>
> a great way to figure out what is sent from the reverse proxy to your 
> keycloak server is to use the undertow request dumper.
>
> From the jboss-cli just add the request dumper filter to your undertow 
> configuration like this:
>
> $KC_HOME/bin/jboss-cli.sh -c
>
> /subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler, 
> module=io.undertow.core)
>
> /subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add
>
> /:reload
>
> given your apache config looks something like this:
>
>   ProxyRequests Off
>   ProxyPreserveHost On
>   ProxyVia On
>
>   ProxyPass /auth ajp://127.0.0.1:8009/auth
>   ProxyPassReverse /auth ajp://127.0.0.1:8009/auth
>
>
> you should see something like this (the forwarded info is somewhat rubbish 
> in this example as I am running the hosts on VirtualBox, but you can 
> see this request was put through 2 proxies from the local PC 192.168.33.1 
> to haproxy on 192.168.33.80 and then the apache reverse proxy on 
> 192.168.33.81):
>
> ==============================================================
> 23:47:20,563 INFO  [io.undertow.request.dump] (default task-14)
> ----------------------------REQUEST---------------------------
>  URI=/auth/welcome-content/favicon.ico
>  characterEncoding=null
>      contentLength=-1
>  contentType=null
> header=Accept=*/*
> header=Accept-Language=en-US,en;q=0.8,de;q=0.6
> header=Cache-Control=no-cache
> header=Accept-Encoding=gzip, deflate, sdch
> header=DNT=1
> header=Pragma=no-cache
> header=X-Original-To=192.168.33.80
> header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64) 
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
> header=Authorization=Basic 
> bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=
> header=X-Forwarded-Proto=https
> header=X-Forwarded-Port=443
> header=X-Forwarded-For=192.168.33.1
> header=Referer=https://login.vagrant.dev/auth/
> header=Host=login.vagrant.dev
> locale=[en_US, en, de]
> method=GET
> protocol=HTTP/1.1
>        queryString=
>         remoteAddr=192.168.33.1:0
> remoteHost=192.168.33.1
> scheme=https
> host=login.vagrant.dev
> serverPort=443
> --------------------------RESPONSE--------------------------
>  contentLength=627
>  contentType=application/octet-stream
> header=Cache-Control=max-age=2592000
> header=X-Powered-By=Undertow/1
> header=Server=WildFly/10
>
>
> Hope this helps diagnosing your issue. Niels
>
> On Tue, May 24, 2016 at 1:20 AM, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>
>     I'm using keycloak to secure some Spring based services (with
>     the keycloak spring security adapter). The adapter creates a
>     `/login` endpoint in each of the services which redirects to the
>     keycloak login page and then redirects back to the service when
>     authentication is done. I also have a proxy service which I want
>     to publish on port 80 and which will take care of routing all the
>     requests to each service. The proxy performs a plain FORWARD to
>     the service, but the problem comes when I secure the service
>     with the keycloak adapter.
>
>     When I make a request, the adapter redirects to its login endpoint
>     and then to the keycloak auth url. When keycloak sends the
>     redirection, the url shown in the browser is the one from the
>     service and not the one from the proxy. Do I have some choice to
>     tell the adapter I want to redirect back to the first requested url?
>
>
>     -- 
>     Aritz Maeztu Otaño
>     Software Development Department
>
>     Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
>     Telf.: 948 21 40 40
>     Fax.: 948 21 40 41
>
>     Before printing this e-mail, think carefully about whether it is
>     necessary: the environment is everyone's concern.
>
>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

-- 
Aritz Maeztu Otaño
Software Development Department

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf.: 948 21 40 40
Fax.: 948 21 40 41

Before printing this e-mail, think carefully about whether it is 
necessary: the environment is everyone's concern.
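The thread's symptom and Niels's request dump, side by side, as an added example that is not part of the thread and is not code from Keycloak, the Spring adapter, Zuul or Undertow: a small Python model of how a service behind a reverse proxy should decide which scheme, host and client IP go into the redirect_uri it hands to Keycloak. The security point is that X-Forwarded-* headers are only meaningful when the TCP peer is a proxy you trust; from anyone else they are attacker-controlled. The trusted proxy ranges (loopback plus the haproxy and apache hosts from Niels's setup), the three header sets and the /login path are constructed for illustration.

```python
"""Which scheme, host and client IP should a service behind a reverse proxy
put into the redirect_uri it sends to Keycloak?

Added example for this thread; not code from Keycloak, the Spring adapter,
Zuul or Undertow. Proxy ranges, header sets and the /login path are assumed.
"""
import ipaddress
import re
from typing import Dict, Iterable, Optional

# Assumed: only loopback and the two proxy hosts from Niels's description may
# set X-Forwarded-* headers on our behalf. Anything else is an end client.
TRUSTED_PROXIES = ["127.0.0.1/32", "192.168.33.80/32", "192.168.33.81/32"]

# A host[:port] we are willing to echo back into a URL. Anything else is refused
# rather than pasted into a redirect_uri.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]{1,5})?$")


def is_trusted_proxy(addr: str, trusted: Iterable[str] = TRUSTED_PROXIES) -> bool:
    """True if addr lies in one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net, strict=False) for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str],
              trusted: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Real client address: walk X-Forwarded-For right-to-left past trusted hops.

    Each proxy appends the peer address it saw, so the rightmost entry was
    written by the proxy that connected to us and entries further left by
    parties we trust less. Stop at the first hop that is not a trusted proxy,
    and ignore the header entirely if the TCP peer itself is not trusted.
    """
    if not xff or not is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, trusted):
            return hop
    return hops[0] if hops else remote_addr


def external_base_url(headers: Dict[str, str], remote_addr: str,
                      trusted: Iterable[str] = TRUSTED_PROXIES,
                      local_authority: str = "localhost:8081") -> str:
    """Base URL as the browser sees it, or our own address if no trusted proxy."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, authority = "http", h.get("host", local_authority)
    if is_trusted_proxy(remote_addr, trusted):
        # If a proxy chain joined several values, the first is client-nearest.
        scheme = h.get("x-forwarded-proto", scheme).split(",")[0].strip().lower()
        authority = h.get("x-forwarded-host", authority).split(",")[0].strip()
        port = h.get("x-forwarded-port", "").split(",")[0].strip()
        if port and ":" not in authority:
            default = {"http": "80", "https": "443"}.get(scheme)
            if port != default:
                authority = f"{authority}:{port}"
    if scheme not in ("http", "https") or not _HOST_RE.match(authority):
        raise ValueError(f"refusing to build a URL from {scheme}://{authority}")
    return f"{scheme}://{authority}"


def redirect_uri(headers: Dict[str, str], remote_addr: str, path: str = "/login",
                 trusted: Iterable[str] = TRUSTED_PROXIES) -> str:
    """The redirect_uri an adapter should register for this request."""
    return external_base_url(headers, remote_addr, trusted) + path


# Constructed request 1: the symptom from the first post. The proxy forwards
# the request unchanged, so Host is the service's own address and there are
# no X-Forwarded-* headers, hence the browser ends up on localhost:8081.
ZUUL_PLAIN = {"Host": "localhost:8081", "Accept": "*/*"}

# Constructed request 2: the shape of Niels's request dump (Apache with
# ProxyPreserveHost On, sitting behind haproxy).
APACHE_DUMP = {
    "Host": "login.vagrant.dev",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
    "X-Forwarded-For": "192.168.33.1",
}

# Constructed request 3: a client reaching port 8081 directly and forging the
# same headers to steer the redirect elsewhere. It must be ignored.
FORGED = {
    "Host": "localhost:8081",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "evil.example",
    "X-Forwarded-For": "10.0.0.1",
}

if __name__ == "__main__":
    print(redirect_uri(ZUUL_PLAIN, "127.0.0.1"))       # http://localhost:8081/login
    print(redirect_uri(APACHE_DUMP, "192.168.33.81"))  # https://login.vagrant.dev/login
    print(redirect_uri(FORGED, "203.0.113.7"))         # http://localhost:8081/login
    print(client_ip("192.168.33.81", "192.168.33.1, 192.168.33.80"))  # 192.168.33.1
```

Two things the model makes visible. First, the only way out of the symptom in the first post is for the proxy to set the headers and for the service to honour them from that proxy's address; on the Keycloak server side the corresponding switch is the `proxy-address-forwarding` attribute on the Undertow http-listener, and for a Spring Boot service the container's forward-header support (for example `server.use-forward-headers=true`) plays the same role, so check both ends rather than only Zuul. Second, the `FORGED` set is harmless when it arrives straight from an untrusted client, but if a trusted proxy passes client-supplied X-Forwarded-Host through instead of overwriting it, the same headers become an open redirect into the login flow, so the proxy must set these headers unconditionally, not merely add them when missing.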
