[keycloak-user] Getting 401 if trying to access app via loadbalancer

Marek Posolda mposolda at redhat.com
Fri Sep 9 03:38:13 EDT 2016


This is set from the HTTP request URL, so it looks like your Keycloak is 
seeing "http://machine01.our.domain:8081/auth" as the request URL 
instead of "http://lb.our.domain/auth/admin/governance/console/config". 
Maybe the set of X-Forwarded-Host on your LB side?

Marek

On 08/09/16 13:05, KASALA Štefan wrote:
>
> Hello,
>
> Finally we upgraded to Keycloak 2.1.0.Final. We have configured Apache 
> httpd proxy in front of the server. We configured keycloak server 
> according to 
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html. 
>
>
> The configuration is still not complete/correct, probably I missed 
> something. When I access proxied url for either of our configured 
> realms I got unproxied auth-server-url:
>
> [localuser at machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/governance/console/config | python -m json.tool
> {
>     "auth-server-url": "http://machine01.our.domain:8081/auth",
>     "public-client": true,
>     "realm": "governance",
>     "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>     "resource": "security-admin-console",
>     "ssl-required": "external"
> }
>
> [localuser at machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool
> {
>     "auth-server-url": "http://machine01.our.domain:8081/auth",
>     "public-client": true,
>     "realm": "master",
>     "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB",
>     "resource": "security-admin-console",
>     "ssl-required": "external"
> }
>
> How can I configure it to return the proxied version? Thanks.
>
> Stefan.
>
> *From:*Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday, June 28, 2016 3:51 PM
> *To:* KASALA Štefan <Stefan.Kasala at posam.sk>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Getting 401 if trying to access app via 
> loadbalancer
>
> Firstly, please upgrade to a more recent Keycloak version. Then refer 
> to 
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html 
> for details on how to setup a reverse proxy / load balancer in front 
> of Keycloak.
>
> On 27 June 2016 at 09:18, KASALA Štefan <Stefan.Kasala at posam.sk> wrote:
>
>     Hello,
>
>     we have installed JBoss Overlord Rtgov 2.1.0 which is using
>     Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name
>     it with hostname app01. We have a load balancer under another
>     hostname lbapp in front of the deployed app. I am able to call the
>     rest interface of RtGov directly on machine app01 but not using
>     lbapp, I get 401 - Unauthorized from Keycloak. My guess is there
>     is some check against hostname in http request. Is there some
>     possibility to register aliases with the keycloak to enable calls
>     via load balancer? Thanks.
>
>     Stefan Kasala

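A check for the symptom discussed in this thread, as an added example that is not part of the original messages or of Keycloak: it compares the origin a client requested with the auth-server-url in the console config response and reports where the backend address leaks through. The sample bodies are constructed from the output quoted above, the "proxied" body is an assumption about what a correctly forwarded request returns, and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def check_console_config(requested_url, body):
    """Compare the origin the client used with the auth-server-url returned.

    Returns a list of findings; an empty list means the advertised URL
    matches the proxied origin.
    """
    config = json.loads(body)
    advertised = config.get("auth-server-url")
    if not advertised:
        return ["response has no auth-server-url"]
    want, got = origin(requested_url), origin(advertised)
    findings = []
    for label, w, g in zip(("scheme", "host", "port"), want, got):
        if w != g:
            findings.append(f"{label}: client used {w!r}, Keycloak advertises {g!r}")
    return findings

# Constructed samples. LEAKING mirrors the response quoted in the thread;
# PROXIED is an assumed response once the forwarded host reaches Keycloak.
URL = "http://lb.our.domain/auth/admin/governance/console/config"
LEAKING = '{"auth-server-url": "http://machine01.our.domain:8081/auth", "realm": "governance"}'
PROXIED = '{"auth-server-url": "http://lb.our.domain/auth", "realm": "governance"}'

if __name__ == "__main__":
    for name, body in (("leaking", LEAKING), ("proxied", PROXIED)):
        print(name, check_console_config(URL, body) or "OK")
```

Running the same comparison against each backend node through the load balancer shows whether every node sees the forwarded host, since a single misconfigured node produces intermittent failures.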
