[keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
Vincent Sourin
sourin-v at bridgestone-bae.com
Tue Oct 25 07:10:05 EDT 2016
Arf, yes my bad, I tried to sanitize the logs and missed this one …
I think the problem come from the missing headers.
I’ll investigate on this and keep you posted.
De : Stian Thorgersen [mailto:sthorger at redhat.com]
Envoyé : mardi 25 octobre 2016 12:35
À : Vincent Sourin <sourin-v at bridgestone-bae.com>
Cc : keycloak-user at lists.jboss.org
Objet : Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
Did you do replace some values in what you pasted? In the second request it's also showing a strange value for Host:
header=Referer=https://as.mydomain.com/auth/
header=Host=as.bridgestone-bae.corp
Referrer is as.mydomain.com<http://as.mydomain.com>, but it's trying to get as.bridgestone-bae.corp. Then there's also missing X-Forwarded* headers yes.
On 25 October 2016 at 12:31, Vincent Sourin <sourin-v at bridgestone-bae.com<mailto:sourin-v at bridgestone-bae.com>> wrote:
Here is the captured packets dumped by Undertow.
Strangely, on the second request I don’t see X-Forwarded-* Header in the request.
I don’t think it’s normal ?
1/ First when browsing to https://as.mydomain.com/auth
==============================================================
2016-10-25 12:23:59,164 INFO [io.undertow.request.dump] (default task-3)
----------------------------REQUEST---------------------------
URI=/auth/
characterEncoding=null
contentLength=-1
contentType=null
header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
header=Accept-Encoding=gzip, deflate, br
header=X-Forwarded-Server=webserver.mydomain.com<http://webserver.mydomain.com>
header=Upgrade=WebSocket
header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
header=Connection=Upgrade
header=X-Forwarded-Proto=https
header=X-Forwarded-For=10.10.0.89
header=Upgrade-Insecure-Requests=1
header=Host=as.mydomain.com<http://as.mydomain.com>
header=X-Forwarded-Host=as.mydomain.com<http://as.mydomain.com>
locale=[fr, fr_FR, en_US, en]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=10.10.0.89:0<http://10.10.0.89:0>
remoteHost=10.10.0.89
scheme=https
host=as.mydomain.com<http://as.mydomain.com>
serverPort=0
--------------------------RESPONSE--------------------------
contentLength=2740
contentType=text/html;charset=utf-8
header=Cache-Control=no-cache, must-revalidate, no-transform, no-store
header=X-Powered-By=Undertow/1
header=Server=WildFly/10
header=X-Frame-Options=SAMEORIGIN
header=Content-Security-Policy=frame-src 'self'
header=Date=Tue, 25 Oct 2016 10:23:59 GMT
header=Connection=keep-alive
header=X-Content-Type-Options=nosniff
header=Content-Type=text/html;charset=utf-8
header=Content-Length=2740
status=200
2/ Then, when clicking the Administration console link on the auth page :
==============================================================
2016-10-25 12:24:11,069 INFO [io.undertow.request.dump] (default task-4)
----------------------------REQUEST---------------------------
URI=/auth/admin/
characterEncoding=null
contentLength=-1
contentType=null
header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
header=Connection=keep-alive
header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
header=Accept-Encoding=gzip, deflate, br
header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
header=Referer=https://as.mydomain.com/auth/
header=Upgrade-Insecure-Requests=1
header=Host=as.bridgestone-bae.corp
locale=[fr, fr_FR, en_US, en]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=/10.10.2.134:47440<http://10.10.2.134:47440>
remoteHost=webserver.mydomain.com<http://webserver.mydomain.com>
scheme=http
host=as.mydomain.com<http://as.mydomain.com>
serverPort=18080
--------------------------RESPONSE--------------------------
contentLength=0
contentType=null
header=Connection=keep-alive
header=X-Powered-By=Undertow/1
header=Server=WildFly/10
header=Location=http://as.mydomain.com/auth/admin/master/console/
header=Content-Length=0
header=Date=Tue, 25 Oct 2016 10:24:11 GMT
status=302
Sourin Vincent - Systems Engineer
Bridgestone Aircraft Tire (Europe)
Route de Bavay - B7080 Frameries (Belgium)
Tel: +32 65 61 11 53<tel:%2B32%2065%2061%2011%2053> - Fax: +32 65 61 11 09<tel:%2B32%2065%2061%2011%2009>
GSM : +32 492 97 44 99<tel:%2B32%20492%2097%2044%2099>
De : Stian Thorgersen [mailto:sthorger at redhat.com<mailto:sthorger at redhat.com>]
Envoyé : mardi 25 octobre 2016 11:59
À : Vincent Sourin <sourin-v at bridgestone-bae.com<mailto:sourin-v at bridgestone-bae.com>>
Cc : keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Objet : Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
Strange. I can't see why that should ever redirect to non-https. Can you capture the requests that are being sent after you click on the link to see where/when the redirect to non-https is coming into play?
On 25 October 2016 at 11:24, Vincent Sourin <sourin-v at bridgestone-bae.com<mailto:sourin-v at bridgestone-bae.com>> wrote:
No, it is the link <a href="admin/">Administration Console</a>
I made a screenshot here : https://postimg.org/image/5q6vg95iz/482e5a3f/
Sourin Vincent - Systems Engineer
Bridgestone Aircraft Tire (Europe)
Route de Bavay - B7080 Frameries (Belgium)
Tel: +32 65 61 11 53<tel:%2B32%2065%2061%2011%2053> - Fax: +32 65 61 11 09<tel:%2B32%2065%2061%2011%2009>
GSM : +32 492 97 44 99<tel:%2B32%20492%2097%2044%2099>
De : Stian Thorgersen [mailto:sthorger at redhat.com<mailto:sthorger at redhat.com>]
Envoyé : mardi 25 octobre 2016 10:38
À : Vincent Sourin <sourin-v at bridgestone-bae.com<mailto:sourin-v at bridgestone-bae.com>>
Cc : keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Objet : Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
What specific link on the "welcome page" are you referring to? Is it the link in the text "You need local access to create the initial admin user. Open <a href="http://localhost:8080/auth">http://localhost:8080/auth</a> or use the add-user-keycloak script."?
On 25 October 2016 at 10:05, Vincent Sourin <sourin-v at bridgestone-bae.com<mailto:sourin-v at bridgestone-bae.com>> wrote:
All the URLs at the given address contain https and the reverse proxy hostname.
Sourin Vincent - Systems Engineer
Bridgestone Aircraft Tire (Europe)
Route de Bavay - B7080 Frameries (Belgium)
Tel: +32 65 61 11 53<tel:%2B32%2065%2061%2011%2053> - Fax: +32 65 61 11 09<tel:%2B32%2065%2061%2011%2009>
GSM : +32 492 97 44 99<tel:%2B32%20492%2097%2044%2099>
De : Stian Thorgersen [mailto:sthorger at redhat.com<mailto:sthorger at redhat.com>]
Envoyé : mardi 25 octobre 2016 09:49
À : Vincent Sourin <sourin-v at bridgestone-bae.com<mailto:sourin-v at bridgestone-bae.com>>
Cc : keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Objet : Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
Try:
https://<hostname>/auth/realms/master/.well-known/openid-configuration<https://%3chostname%3e/auth/realms/master/.well-known/openid-configuration>
And check the URLs in the page. They should contain https and correct hostname (for your reverse proxy, not Keycloak). If not there's an issue with your reverse proxy or it's not configured correctly in Keycloak server. Check the installation guide for more details.
On 24 October 2016 at 21:38, Vincent Sourin <sourin-v at bridgestone-bae.com<mailto:sourin-v at bridgestone-bae.com>> wrote:
Yes I think X-Forwarded-* Headers and preservation of original host are set.
Actually, I’m not really a « network » guy. So for testing purpose, I use the bundle (httpd + ssl ) provided on mod_cluster website.
I « tweak » the configuration to try to achieve SSL Termination and Websocket like this :
------------------------ Apache Configuration ----------------------------
ServerRoot "/opt/jboss/httpd/httpd"
LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
[…]
LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so
<IfModule unixd_module>
User daemon
Group daemon
</IfModule>
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
<Directory "/opt/jboss/httpd/htdocs/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
SetEnvIf Request_URI "^/check\.txt$" dontlog
CustomLog "logs/access.log" combined env=!dontlog
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/opt/jboss/httpd/htdocs/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
EnableWsTunnel
Listen XXXXXXXX:443
<VirtualHost *:443>
ServerName XXXXXXXXXXXXXXX
CreateBalancers 0
<Location /mcm>
AllowDisplay On
SetHandler mod_cluster-manager
Require ip 10.10
</Location>
<Location /check.txt>
ProxyPass !
</Location>
SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
SSLVerifyClient none
ProxyPreserveHost On
RequestHeader Set X-Forwarded-Proto "https"
</VirtualHost>
<IfModule manager_module>
Listen XXXXXXXXX:6666
<VirtualHost *:6666>
ServerName XXXXXXXXXXXXXXXXX
<Location />
Require ip 10.10
</Location>
AllowDisplay On
KeepAliveTimeout 300
MaxKeepAliveRequests 0
ServerAdvertise on
AdvertiseFrequency 5
AdvertiseGroup 224.0.1.205:24364<http://224.0.1.205:24364>
EnableMCPMReceive
ManagerBalancerName mycluster
ProxyPreserveHost On
RequestHeader Set X-Forwarded-Proto "https"
</VirtualHost>
</IfModule>
------------------------ Apache Configuration ----------------------------
De : Stian Thorgersen [mailto:sthorger at redhat.com<mailto:sthorger at redhat.com>]
Envoyé : lundi 24 octobre 2016 08:08
À : Vincent Sourin <sourin-v at bridgestone-bae.com<mailto:sourin-v at bridgestone-bae.com>>
Cc : keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Objet : Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
Is your proxy setting X-Forwarded-For, X-Forwarded-Proto and also preserving the preserving the original Host header?
On 22 October 2016 at 13:19, Vincent Sourin <sourin-v at bridgestone-bae.com<mailto:sourin-v at bridgestone-bae.com>> wrote:
Hello,
I've got a strange behavior with Keycloak instance (version 2.2.1 Final) behind an Apache Reverse Proxy (with Mod_cluster).
First of all, here is my test environment : https://postimg.org/image/z7xrb08ev/
I think it's worth mention that :
* Wildfly & keycloak are installed on the same servers but each in separate instances (not using overlay deployment)
* mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel activated because I use Websocket with wildfly
So, in this configuration, applications deployed on wildfly instances work well but I got some problem with Keycloak.
Reaching keycloak < auth > page (https://XXXXXXX/auth/) works fine but as soon as I click on the link < Aministration Console > (resolved normally to https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to plain http connection and so the request failed.
If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about < some insecured items on the page > and I can't reach the console neither.
Here a a snippet of my keycloak configuration :
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
<server name="default-server">
<http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
<https-listener name="https" enabled-protocols="TLSv1.2" security-realm="UndertowRealm" socket-binding="https"/>
[...]
</subsystem>
[...]
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
<mod-cluster-config advertise-socket="modcluster" connector="default">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
[...]
<socket-binding-groups>
<socket-binding-group name="ha-sockets" default-interface="public">
[...]
<socket-binding name="proxy-https" port="443"/>
[...]
</socket-binding-group>
</socket-binding-groups>
Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior ?
Thanks for your help.
Vincent.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list