[keycloak-user] Reverse Proxy with SSL - Bad Request

Kie, Jeremy, CYFD Jeremy.Kie at state.nm.us
Tue Nov 15 16:10:14 EST 2016

I resolved my issue.  The problem was a bad configuration in the web.xml.

There was a Javascript client deployed along with the web application which had issues with a greedy "url-pattern" used for the security constraint within the web.xml.



-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Kie, Jeremy, CYFD
Sent: Tuesday, November 15, 2016 11:41 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Reverse Proxy with SSL - Bad Request


I've been searching for help with a problem I am encountering.  I have reviewed a number of threads in the archive but none seem to provide enough help for our setup.

Keycloak 2.1.0.Final
Apache as a reverse proxy

When accessing the application - https://apps-test.simple.com/bacon I get redirected to our keycloak server, but the redirect_uri is set to http://apps-test.simple.com/bacon.  When I login successfully, I get redirected, but it results in 400 - Bad Request.  I see the following lines in the app server log file:

2016-11-15 09:49:02,827 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) state parameter invalid
2016-11-15 09:49:02,827 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) cookie: 53/1e4c027f-e5aa-47f1-bd4f-e9e5f9e32577
2016-11-15 09:49:02,827 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) queryParam: 53%2F1e4c027f-e5aa-47f1-bd4f-e9e5f9e32577

I did find this thread


What we want to do is similar, but both the auth and site (thus redirect URI) use SSL.  I'm not sure if this is giving us problems.   Any help is greatly appreciated.



P.S. Here is our reverse proxy config (slightly redacted)

Timeout 900

ErrorLog syslog

# Exclude all robots
<Location "/robots.txt">
    SetHandler None
Alias /robots.txt /srv/www/htdocs/robots.txt

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy

    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    CustomLog /var/log/apache2/proxy_log proxy env=forwarded
    CustomLog /var/log/apache2/access_log combined env=!forwarded </IfModule>

<VirtualHost *:80>
                ServerName apps-test.simple.com
        RequestHeader set X-Forwarded-Proto "http"
        RedirectMatch ^/$ https://apps-test.simple.com
                UseCanonicalName On
                RewriteEngine On
                RewriteCond %{HTTPS} off
                RewriteRule (.*) https://%{SERVER_NAME}/%{REQUEST_URI}<https://%25%7bSERVER_NAME%7d/%25%7bREQUEST_URI%7d> [R,L] </VirtualHost>

<VirtualHost *:443>
        ServerName apps-test.simple.com

        SSLEngine on
        SSLProxyEngine On
                SSLProtocol -ALL +TLSv1
        SSLCertificateKeyFile /etc/apache2/ssl.key/rsa_private_key_2015.pem
        SSLCertificateFile /etc/apache2/ssl.crt/WC_simple_com_server_2015-16.crt
        SSLCertificateChainFile /etc/apache2/ssl.crt/IntermediateCA-SHA2root.crt
                SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM
                RequestHeader unset Range
        RequestHeader unset Request-Range

                ProxyRequests Off
                ProxyPreserveHost On
        RequestHeader add X-Forwarded-Ssl on
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
                SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1
        SetEnv proxy-initial-not-pooled 1

        RedirectMatch ^/$ https://apps-test.simple.com

        <Location "/app1">
                ProxyPass "!"
        <Location "/app2">
                ProxyPass "!"

        <Location /auth/>
               ProxyPass http://keycloak:8080/auth/
               ProxyPassReverse http://keycloak:8080/auth/
               ProxyPassReverseCookieDomain http://keycloak.simple.com http://apps-test.simple.com
               ProxyPassReverseCookiePath / /auth/

        <Location /bacon/>
               ProxyPass http://internal.simple.com:8080/bacon/
               ProxyPassReverse http://internal.simple.com:8080/bacon/
               ProxyPassReverseCookieDomain http://internal.simple.com https://apps-test.simple.com
               ProxyPassReverseCookiePath / /bacon/


ServerSignature Off
ServerTokens Prod
TraceEnable off

SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)

keycloak-user mailing list
keycloak-user at lists.jboss.org

More information about the keycloak-user mailing list