[keycloak-user] Getting 401 if trying to access app via loadbalancer
Marek Posolda
mposolda at redhat.com
Fri Sep 9 03:38:13 EDT 2016
This is set from the HTTP request URL, so it looks like your Keycloak is
seeing "http://machine01.our.domain:8081/auth" as the request URL
instead of "http://lb.our.domain/auth/admin/governance/console/config".
Maybe the set of X-Forwarded-Host on your LB side?
Marek
On 08/09/16 13:05, KASALA Štefan wrote:
>
> Hello,
>
> Finally we upgraded to Keycloak 2.1.0.Final. We have configured Apache
> httpd proxy in front of the server. We configured keycloak server
> according to
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html.
>
>
> The configuration is still not complete/correct, probably I missed
> something. When I access proxied url for either of our configured
> realms I got unproxied auth-server-url:
>
> [localuser at machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/governance/console/config | python -m json.tool
>
> {
>
> "auth-server-url": "http://machine01.our.domain:8081/auth",
>
> "public-client": true,
>
> "realm": "governance",
>
> "realm-public-key":
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>
> "resource": "security-admin-console",
>
> "ssl-required": "external"
>
> }
>
> [localuser at machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool
>
> {
>
> "auth-server-url": "http://machine01.our.domain:8081/auth",
>
> "public-client": true,
>
> "realm": "master",
>
> "realm-public-key":
> "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB",
>
> "resource": "security-admin-console",
>
> "ssl-required": "external"
>
> }
>
> How can I configure it to return the proxied version? Thanks.
>
> Stefan.
>
> *From:*Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday, June 28, 2016 3:51 PM
> *To:* KASALA Štefan <Stefan.Kasala at posam.sk>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Getting 401 if trying to access app via
> loadbalancer
>
> Firstly, please upgrade to a more recent Keycloak version. Then refer
> to
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html
> for details on how to setup a reverse proxy / load balancer in front
> of Keycloak.
>
> On 27 June 2016 at 09:18, KASALA Štefan <Stefan.Kasala at posam.sk> wrote:
>
> Hello,
>
> we have installed JBoss Overlord Rtgov 2.1.0 which is using
> Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name
> it with hostname app01. We have a load balancer under another
> hostname lbapp in front of the deployed app. I am able to call the
> rest interface of RtGov directly on machine app01 but not using
> lbapp, I get 401 - Unauthorized from Keycloak. My guess is there
> is some check against hostname in http request. Is there some
> possibility to register aliases with the keycloak to enable calls
> via load balancer? Thanks.
>
> Stefan Kasala
>
> ------------------------------------------------------------------------
>
>
> This message is for the designated recipient only and may contain
> confidential or internal information. If you have received it in
> error, please notify the sender immediately and delete the
> original. Any other use of the e-mail by you is prohibited.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
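A check for the symptom discussed in this thread, as an added example that is not part of the original messages: it compares the `auth-server-url` advertised by a realm's console config with the origin that was actually requested through the load balancer. The function names and the sample payloads (the response quoted above with the key elided) are constructed for illustration.

```python
import json
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def check_advertised_url(requested_url, config_body):
    """List how auth-server-url differs from the origin that was requested.

    An empty list means the backend saw the proxied URL. Any finding means it
    built the URL from its own scheme, host or port, i.e. the forwarded
    request information did not reach it or was not honoured.
    """
    advertised = json.loads(config_body).get("auth-server-url")
    if not advertised:
        return ["auth-server-url missing from config"]
    # Resolve a relative value against the URL the client asked for.
    advertised = urljoin(requested_url, advertised)
    findings = []
    pairs = zip(("scheme", "host", "port"),
                origin(requested_url), origin(advertised))
    for label, want, got in pairs:
        if want != got:
            findings.append(f"{label}: requested {want!r}, advertised {got!r}")
    return findings


# Constructed samples based on the response quoted in the thread.
REQUESTED = "http://lb.our.domain/auth/admin/governance/console/config"
SAMPLE_BAD = json.dumps({
    "auth-server-url": "http://machine01.our.domain:8081/auth",
    "realm": "governance",
    "realm-public-key": "<elided>",
    "resource": "security-admin-console",
    "ssl-required": "external",
})
SAMPLE_GOOD = SAMPLE_BAD.replace("machine01.our.domain:8081", "lb.our.domain")

if __name__ == "__main__":
    for name, body in (("unproxied", SAMPLE_BAD), ("proxied", SAMPLE_GOOD)):
        print(name, check_advertised_url(REQUESTED, body) or "OK")
```

Run it against every realm's `console/config` endpoint after changing the proxy configuration; a host or port finding also shows that the backend's internal address is being disclosed to clients.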