[keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Stian Thorgersen sthorger at redhat.com
Tue Oct 25 06:35:05 EDT 2016


Did you replace some values in what you pasted? The second request is also
showing a strange value for Host:

header=Referer=https://as.mydomain.com/auth/

header=Host=as.bridgestone-bae.corp


The Referer is as.mydomain.com, but it's trying to get
as.bridgestone-bae.corp. And yes, the X-Forwarded-* headers are also missing.

On 25 October 2016 at 12:31, Vincent Sourin <sourin-v at bridgestone-bae.com>
wrote:

> Here are the captured packets dumped by Undertow.
>
> Strangely, on the second request I don't see X-Forwarded-* headers in the
> request.
>
> I don't think that's normal?
>
> 1/ First, when browsing to https://as.mydomain.com/auth
>
> ==============================================================
> 2016-10-25 12:23:59,164 INFO  [io.undertow.request.dump] (default task-3)
> ----------------------------REQUEST---------------------------
>                URI=/auth/
> characterEncoding=null
>      contentLength=-1
>        contentType=null
>             header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>             header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
>             header=Accept-Encoding=gzip, deflate, br
>             header=X-Forwarded-Server=webserver.mydomain.com
>             header=Upgrade=WebSocket
>             header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
>             header=Connection=Upgrade
>             header=X-Forwarded-Proto=https
>             header=X-Forwarded-For=10.10.0.89
>             header=Upgrade-Insecure-Requests=1
>             header=Host=as.mydomain.com
>             header=X-Forwarded-Host=as.mydomain.com
>             locale=[fr, fr_FR, en_US, en]
>             method=GET
>           protocol=HTTP/1.1
>        queryString=
>         remoteAddr=10.10.0.89:0
>         remoteHost=10.10.0.89
>             scheme=https
>               host=as.mydomain.com
>         serverPort=0
> --------------------------RESPONSE--------------------------
>      contentLength=2740
>        contentType=text/html;charset=utf-8
>             header=Cache-Control=no-cache, must-revalidate, no-transform, no-store
>             header=X-Powered-By=Undertow/1
>             header=Server=WildFly/10
>             header=X-Frame-Options=SAMEORIGIN
>             header=Content-Security-Policy=frame-src 'self'
>             header=Date=Tue, 25 Oct 2016 10:23:59 GMT
>             header=Connection=keep-alive
>             header=X-Content-Type-Options=nosniff
>             header=Content-Type=text/html;charset=utf-8
>             header=Content-Length=2740
>             status=200
>
> 2/ Then, when clicking the Administration Console link on the auth page:
>
> ==============================================================
>
> 2016-10-25 12:24:11,069 INFO  [io.undertow.request.dump] (default task-4)
> ----------------------------REQUEST---------------------------
>                URI=/auth/admin/
> characterEncoding=null
>      contentLength=-1
>        contentType=null
>             header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>             header=Connection=keep-alive
>             header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
>             header=Accept-Encoding=gzip, deflate, br
>             header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
>             header=Referer=https://as.mydomain.com/auth/
>             header=Upgrade-Insecure-Requests=1
>             header=Host=as.bridgestone-bae.corp
>             locale=[fr, fr_FR, en_US, en]
>             method=GET
>           protocol=HTTP/1.1
>        queryString=
>         remoteAddr=/10.10.2.134:47440
>         remoteHost=webserver.mydomain.com
>             scheme=http
>               host=as.mydomain.com
>         serverPort=18080
> --------------------------RESPONSE--------------------------
>      contentLength=0
>        contentType=null
>             header=Connection=keep-alive
>             header=X-Powered-By=Undertow/1
>             header=Server=WildFly/10
>             header=Location=http://as.mydomain.com/auth/admin/master/console/
>             header=Content-Length=0
>             header=Date=Tue, 25 Oct 2016 10:24:11 GMT
>             status=302
>
>
> Sourin Vincent - Systems Engineer
> Bridgestone Aircraft Tire (Europe)
> Route de Bavay - B7080 Frameries (Belgium)
> Tel: +32 65 61 11 53 - Fax: +32 65 61 11 09
> GSM: +32 492 97 44 99
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday 25 October 2016 11:59
> *To:* Vincent Sourin <sourin-v at bridgestone-bae.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
>
>
>
> Strange. I can't see why that should ever redirect to non-https. Can you
> capture the requests that are being sent after you click on the link to see
> where/when the redirect to non-https is coming into play?
>
>
>
> On 25 October 2016 at 11:24, Vincent Sourin <sourin-v at bridgestone-bae.com>
> wrote:
>
> No, it is the link <a href="admin/">Administration Console</a>
>
> I made a screenshot here : https://postimg.org/image/5q6vg95iz/482e5a3f/
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday 25 October 2016 10:38
> *To:* Vincent Sourin <sourin-v at bridgestone-bae.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
>
>
>
> What specific link on the "welcome page" are you referring to? Is it the
> link in the text "You need local access to create the initial admin user.
> Open <a href="http://localhost:8080/auth">http://localhost:8080/auth</a>
> or use the add-user-keycloak script."?
>
>
>
> On 25 October 2016 at 10:05, Vincent Sourin <sourin-v at bridgestone-bae.com>
> wrote:
>
> All the URLs at the given address contain https and the reverse proxy
> hostname.
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday 25 October 2016 09:49
> *To:* Vincent Sourin <sourin-v at bridgestone-bae.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
>
>
>
> Try:
>
>
>
> https://<hostname>/auth/realms/master/.well-known/openid-configuration
>
>
>
> And check the URLs in the page. They should contain https and the correct
> hostname (for your reverse proxy, not Keycloak). If not, there's an issue
> with your reverse proxy or it's not configured correctly in the Keycloak
> server. Check the installation guide for more details.
>
>
>
> On 24 October 2016 at 21:38, Vincent Sourin <sourin-v at bridgestone-bae.com>
> wrote:
>
> Yes, I think X-Forwarded-* headers and preservation of the original host are
> set.
>
> Actually, I'm not really a "network" guy. So for testing purposes, I use
> the bundle (httpd + ssl) provided on the mod_cluster website.
>
> I "tweak" the configuration to try to achieve SSL termination and
> WebSocket like this:
>
> ------------------------ Apache Configuration ----------------------------
> ServerRoot "/opt/jboss/httpd/httpd"
>
> LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
> […]
> LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so
>
> <IfModule unixd_module>
> User daemon
> Group daemon
> </IfModule>
>
> <Directory />
>     AllowOverride none
>     Require all denied
> </Directory>
>
> DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
> <Directory "/opt/jboss/httpd/htdocs/htdocs">
>     Options Indexes FollowSymLinks
>     AllowOverride None
>     Require all granted
> </Directory>
>
> <IfModule dir_module>
>     DirectoryIndex index.html
> </IfModule>
>
> <Files ".ht*">
>     Require all denied
> </Files>
>
> ErrorLog "logs/error_log"
> LogLevel  warn
>
> <IfModule log_config_module>
>     LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
>     LogFormat "%h %l %u %t \"%r\" %>s %b" common
>     <IfModule logio_module>
>       LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
>     </IfModule>
>     SetEnvIf Request_URI "^/check\.txt$" dontlog
>     CustomLog "logs/access.log" combined env=!dontlog
> </IfModule>
>
> <IfModule alias_module>
>     ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"
> </IfModule>
>
> <IfModule cgid_module>
> </IfModule>
>
> <Directory "/opt/jboss/httpd/htdocs/cgi-bin">
>     AllowOverride None
>     Options None
>     Require all granted
> </Directory>
>
> <IfModule mime_module>
>     TypesConfig conf/mime.types
>     AddType application/x-compress .Z
>     AddType application/x-gzip .gz .tgz
> </IfModule>
>
> <IfModule proxy_html_module>
> Include conf/extra/proxy-html.conf
> </IfModule>
>
> <IfModule ssl_module>
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> </IfModule>
>
> MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
> SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
> EnableWsTunnel
>
> Listen XXXXXXXX:443
> <VirtualHost *:443>
>     ServerName XXXXXXXXXXXXXXX
>
>     CreateBalancers 0
>
>     <Location /mcm>
>         AllowDisplay On
>         SetHandler mod_cluster-manager
>         Require ip 10.10
>     </Location>
>
>     <Location /check.txt>
>        ProxyPass !
>     </Location>
>
>     SSLEngine on
>     # "all -SSLv2" only excludes SSLv2; SSLv3 stays enabled with this setting
>     SSLProtocol  all -SSLv2
>     SSLHonorCipherOrder on
>     SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
>     SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
>     SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
>     SSLVerifyClient none
>
>     ProxyPreserveHost On
>     RequestHeader Set X-Forwarded-Proto "https"
>
> </VirtualHost>
>
> <IfModule manager_module>
>   Listen XXXXXXXXX:6666
>   <VirtualHost *:6666>
>     ServerName XXXXXXXXXXXXXXXXX
>
>     <Location />
>      Require ip 10.10
>     </Location>
>
>     AllowDisplay On
>     KeepAliveTimeout 300
>     MaxKeepAliveRequests 0
>     ServerAdvertise on
>     AdvertiseFrequency 5
>     AdvertiseGroup 224.0.1.205:24364
>     EnableMCPMReceive
>     ManagerBalancerName mycluster
>
>     ProxyPreserveHost On
>     RequestHeader Set X-Forwarded-Proto "https"
>
>   </VirtualHost>
> </IfModule>
> ------------------------ Apache Configuration ----------------------------
>
>
>
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Monday 24 October 2016 08:08
> *To:* Vincent Sourin <sourin-v at bridgestone-bae.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
>
>
>
> Is your proxy setting X-Forwarded-For and X-Forwarded-Proto, and also
> preserving the original Host header?
>
>
>
> On 22 October 2016 at 13:19, Vincent Sourin <sourin-v at bridgestone-bae.com>
> wrote:
>
> Hello,
>
> I've got a strange behavior with a Keycloak instance (version 2.2.1 Final)
> behind an Apache reverse proxy (with mod_cluster).
>
> First of all, here is my test environment: https://postimg.org/image/z7xrb08ev/
>
> I think it's worth mentioning that:
>
> *         WildFly & Keycloak are installed on the same servers but each in
> separate instances (not using overlay deployment)
>
> *         mod_cluster is configured in http mode (not ajp) with
> mod_proxy_wstunnel activated because I use WebSocket with WildFly
>
> So, in this configuration, applications deployed on WildFly instances work
> well but I've got some problems with Keycloak.
> Reaching the Keycloak "auth" page (https://XXXXXXX/auth/) works fine, but as
> soon as I click on the "Administration Console" link (resolved normally to
> https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to a
> plain http connection and so the request fails.
>
> If I browse directly to https://XXXXXXX/auth/admin/ my browser complains
> about "some insecure items on the page" and I can't reach the console
> either.
>
> Here is a snippet of my keycloak configuration:
>
> <subsystem xmlns="urn:jboss:domain:undertow:3.0">
>     <server name="default-server">
>         <http-listener name="default" proxy-address-forwarding="true"
>             socket-binding="http" redirect-socket="proxy-https"/>
>         <https-listener name="https" enabled-protocols="TLSv1.2"
>             security-realm="UndertowRealm" socket-binding="https"/>
>         [...]
> </subsystem>
> [...]
> <subsystem xmlns="urn:jboss:domain:modcluster:2.0">
>     <mod-cluster-config advertise-socket="modcluster" connector="default">
>         <dynamic-load-provider>
>             <load-metric type="cpu"/>
>         </dynamic-load-provider>
>     </mod-cluster-config>
> </subsystem>
> [...]
> <socket-binding-groups>
>     <socket-binding-group name="ha-sockets" default-interface="public">
>         [...]
>         <socket-binding name="proxy-https" port="443"/>
>         [...]
>     </socket-binding-group>
> </socket-binding-groups>
>
> Can someone tell me what I'm doing wrong or give me the right direction to
> further investigate this behavior?
>
> Thanks for your help.
>
> Vincent.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
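Added example, not part of the thread and not Keycloak, Undertow or mod_cluster code: two checks that turn the diagnosis above into something you can run. The first reads the text layout of an io.undertow.request.dump REQUEST block (as pasted in the thread) and reports what would make Keycloak build http:// or wrong-host URLs: missing X-Forwarded-For / X-Forwarded-Proto / X-Forwarded-Host, a Host header that differs from the public proxy name, or a scheme that resolved to http. The second applies Stian's suggested test to a .well-known/openid-configuration document and lists every endpoint that is not https on the proxy's hostname. The host names, the trimmed dump and the discovery document are constructed samples; the dump's field layout is the only thing taken from the thread.

```python
"""Proxy-header and discovery-URL checks for Keycloak behind an
SSL-terminating reverse proxy. Added example; assumes the text layout of
io.undertow.request.dump and a discovery document shaped like Keycloak's
openid-configuration. Host names and values are constructed samples."""
import json
from urllib.parse import urlsplit

# Constructed sample: headers-only copy of the shape of the thread's second
# dump (no X-Forwarded-*, Host differs from the public name, scheme http).
SAMPLE_DUMP = """
----------------------------REQUEST---------------------------
               URI=/auth/admin/
            header=Referer=https://as.example.com/auth/
            header=Host=as.internal.example
            header=Connection=keep-alive
             scheme=http
               host=as.example.com
         serverPort=18080
--------------------------RESPONSE--------------------------
            status=302
"""

# Headers Undertow's proxy-address-forwarding="true" relies on to rebuild the
# client-facing scheme, host and address behind an SSL-terminating proxy.
REQUIRED_FORWARDED = ("X-Forwarded-For", "X-Forwarded-Proto", "X-Forwarded-Host")


def parse_undertow_dump(text):
    """Split the REQUEST block of an io.undertow.request.dump into
    (headers, fields); header names are lower-cased for lookup."""
    headers, fields = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("---"):
            if "RESPONSE" in line:
                break  # only the request side matters for this check
            continue
        if line.startswith("header="):
            name, _, value = line[len("header="):].partition("=")
            headers[name.lower()] = value
        elif "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value
    return headers, fields


def audit_proxied_request(text, public_host):
    """Return the problems that would make Keycloak build http:// or
    wrong-host URLs for this request (empty list when it looks right)."""
    headers, fields = parse_undertow_dump(text)
    problems = []
    for name in REQUIRED_FORWARDED:
        if name.lower() not in headers:
            problems.append(f"missing {name}")
    host = headers.get("host")
    if host != public_host:
        problems.append(f"Host is {host!r}, expected {public_host!r}")
    if fields.get("scheme") != "https":
        problems.append(f"scheme resolved to {fields.get('scheme')!r}")
    return problems


# Constructed sample discovery document: one endpoint leaks the backend's
# plain-http name and port, which is what the check is meant to catch.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://as.example.com/auth/realms/master",
    "authorization_endpoint": "https://as.example.com/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://as.internal.example:18080/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://as.example.com/auth/realms/master/protocol/openid-connect/certs",
    "response_types_supported": ["code", "token"],
})


def bad_discovery_urls(doc_json, public_host):
    """Return the keys of .well-known/openid-configuration whose URL is not
    https on the public proxy host."""
    bad = []
    for key, value in json.loads(doc_json).items():
        if not isinstance(value, str) or "://" not in value:
            continue
        parts = urlsplit(value)
        if parts.scheme != "https" or parts.hostname != public_host:
            bad.append(key)
    return bad


if __name__ == "__main__":
    for problem in audit_proxied_request(SAMPLE_DUMP, "as.example.com"):
        print("request:", problem)
    for key in bad_discovery_urls(SAMPLE_DISCOVERY, "as.example.com"):
        print("discovery:", key)
```

To use it against a real setup, paste a REQUEST block from the Undertow dump into audit_proxied_request and the JSON from https://<proxy-host>/auth/realms/<realm>/.well-known/openid-configuration into bad_discovery_urls, with the proxy's public hostname as the second argument in both calls; an empty list from each is what a correctly forwarded request and a correct discovery document look like.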