[keycloak-user] Redirection issue with proxy behind keycloak

Stian Thorgersen sthorger at redhat.com
Wed May 25 01:22:05 EDT 2016 

You need the Host and X-Forwarded-For headers to be included and there's
also some config to be done on the Keycloak server (see
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding
)

On 24 May 2016 at 08:46, Aritz Maeztu <amaeztu at tesicnor.com> wrote:

> Hi Niels and Scott. First of all, thank you very much for your help. I'm
> currently using Zuul (Spring Cloud) as the reverse proxy. All the services
> are registered in a discovery service called Eureka and then Zuul looks for
> the service id there and performs de redirection. I read about X-Forwarded
> headers, but I thought it might result in a security issue if not included,
> not that it could affect the redirection process.
>
> As Scott says, I suppose the Host and the X-Real-Ip headers are the
> relevant ones here, so I guess I should instruct Zuul to send them when the
> service is addressed (however I wonder why they are not already being sent,
> as Zuul is a proxy service, all in all).
> Here I include a preview of the first redirection made to the keycloak
> login page, which shows the request headers sent to the service /login
> endpoint (at port 8081 in localhost):
>
> https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0
>
> 24/05/2016 2:08(e)an, Niels Bertram igorleak idatzi zuen:
>
> Hi Artitz,
>
> a great way to figure out what is sent from the reverse proxy to your
> keycloak server is to use the undertow request dumper.
>
> From the jboss-cli just add the request dumper filter to your undertow
> configuration like this:
>
> $KC_HOME/bin/jbpss-cli.sh -c
>
> /subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler,
> module=io.undertow.core)
>
>
> /subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add
>
> /:reload
>
> given your apache config looks something like this:
>
>   ProxyRequests Off
>   ProxyPreserveHost On
>   ProxyVia On
>
>   ProxyPass /auth ajp://127.0.0.1:8009/auth
>   ProxyPassReverse /auth ajp://127.0.0.1:8009/auth
>
>
> you should see something like that (forwared info is somewhat rubbish in
> this example as I am running the hosts on Virtualbox - but you can see this
> request was put through 2 proxies from local pc 192.168.33.1 to haproxy on
> 192.168.33.80 and then apache reverse proxy on 192.168.33.81 ):
>
> ==============================================================
> 23:47:20,563 INFO  [io.undertow.request.dump] (default task-14)
> ----------------------------REQUEST---------------------------
>                URI=/auth/welcome-content/favicon.ico
>  characterEncoding=null
>      contentLength=-1
>        contentType=null
>             header=Accept=*/*
>             header=Accept-Language=en-US,en;q=0.8,de;q=0.6
>             header=Cache-Control=no-cache
>             header=Accept-Encoding=gzip, deflate, sdch
>             header=DNT=1
>             header=Pragma=no-cache
>             header=X-Original-To=192.168.33.80
>             header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
>             header=Authorization=Basic
> bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=
>             header=X-Forwarded-Proto=https
>             header=X-Forwarded-Port=443
>             header=X-Forwarded-For=192.168.33.1
>             header=Referer=https://login.vagrant.dev/auth/
>             header=Host=login.vagrant.dev
>             locale=[en_US, en, de]
>             method=GET
>           protocol=HTTP/1.1
>        queryString=
>         remoteAddr=192.168.33.1:0
>         remoteHost=192.168.33.1
>             scheme=https
>               host=login.vagrant.dev
>         serverPort=443
> --------------------------RESPONSE--------------------------
>      contentLength=627
>        contentType=application/octet-stream
>             header=Cache-Control=max-age=2592000
>             header=X-Powered-By=Undertow/1
>             header=Server=WildFly/10
>
>
> Hope this helps diagnosing your issue. Niels
>
> On Tue, May 24, 2016 at 1:20 AM, Aritz Maeztu <amaeztu at tesicnor.com>
> wrote:
>
>> I'm using keycloak to securize some Spring based services (with the
>> keycloak spring security adapter). The adapter creates a `/login` endpoint
>> in each of the services which redirects to the keycloak login page and then
>> redirects back to the service when authentication is done. I also have a
>> proxy service which I want to publish in the 80 port and will take care of
>> routing all the requests to each service. The proxy performs a plain
>> FORWARD to the service, but the problem comes when I securize the service
>> with the keycloak adapter.
>>
>> When I make a request, the adapter redirects to its login endpoint and
>> then to the keycloak auth url. When keycloak sends the redirection, the url
>> shown in the browser is the one from the service and not the one from the
>> proxy. Do I have some choice to tell the adapter I want to redirect back to
>> the first requested url?
>>
>> --
>> Aritz Maeztu Otaño
>> Departamento Desarrollo de Software
>> <https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
>> <http://www.tesicnor.com>
>>
>> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
>> Telf.: 948 21 40 40
>> Fax.: 948 21 40 41
>> Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
>> medioambiente es cosa de todos.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> --
> Aritz Maeztu Otaño
> Departamento Desarrollo de Software
> <https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
> <http://www.tesicnor.com>
>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Telf.: 948 21 40 40
> Fax.: 948 21 40 41
> Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
> medioambiente es cosa de todos.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160525/f3ad5f79/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: linkdin.gif
Type: image/gif
Size: 1295 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160525/f3ad5f79/attachment-0002.gif 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logo.png
Type: image/png
Size: 2983 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160525/f3ad5f79/attachment-0002.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 1295 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160525/f3ad5f79/attachment-0003.gif 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 2983 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160525/f3ad5f79/attachment-0003.png

More information about the keycloak-user mailing list