[keycloak-user] Getting 401 if trying to access app via loadbalancer

Stian Thorgersen sthorger at redhat.com
Mon Sep 12 02:52:47 EDT 2016


Have you set proxy-address-forwarding=true? I thought that was supposed to
look at X-Forwarded-Host.

On 9 September 2016 at 11:45, KASALA Štefan <Stefan.Kasala at posam.sk> wrote:

> Hello,
>
> thanks for hints, I added request header dumps for keycloak server:
>
> curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool
>
> keycloak server log:
>
> 2016-09-09 11:38:40,825 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-15) RESTEASY002315: PathInfo: /admin/master/console/config
> 2016-09-09 11:38:40,826 INFO  [io.undertow.request.dump] (default task-15)
> ----------------------------REQUEST---------------------------
>                URI=/auth/admin/master/console/config
>  characterEncoding=null
>      contentLength=-1
>        contentType=null
>             header=Accept=*/*
>             header=Connection=Keep-Alive
>             header=X-Forwarded-For=10.231.79.183
>             header=X-Forwarded-Server=lb.our.domain
>             header=User-Agent=curl/7.49.1
>             header=Host=machine01.our.domain:8081
>             header=X-Forwarded-Host=lb.our.domain
>             locale=[]
>             method=GET
>           protocol=HTTP/1.1
>        queryString=
>         remoteAddr=10.231.79.183:0
>         remoteHost=10.231.79.183
>             scheme=http
>               host=machine01.our.domain:8081
>         serverPort=0
> --------------------------RESPONSE--------------------------
>      contentLength=574
>        contentType=application/json
>             header=Connection=keep-alive
>             header=Cache-Control=no-cache
>             header=X-Powered-By=Undertow/1
>             header=Server=WildFly/10
>             header=Content-Type=application/json
>             header=Content-Length=574
>             header=Date=Fri, 09 Sep 2016 09:38:40 GMT
>             status=200
> ==============================================================
>
> out:
>
> {
>     "auth-server-url": "http://machine01.our.domain:8081/auth",
>     "public-client": true,
>     "realm": "master",
>     "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB",
>     "resource": "security-admin-console",
>     "ssl-required": "external"
> }
>
>
>
> Is it possible to configure keycloak / undertow to use X-Forwarded-Host
> header for absolute urls, or we have to forward original host to keycloak?
>
> Thanks
>
>
>
> Stefan
>
>
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Friday, September 9, 2016 9:38 AM
> *To:* KASALA Štefan <Stefan.Kasala at posam.sk>;
> keycloak-user at lists.jboss.org
>
> *Subject:* Re: [keycloak-user] Getting 401 if trying to access app via
> loadbalancer
>
>
>
> This is set from the HTTP request url, so it looks that your Keycloak is
> seeing "http://machine01.our.domain:8081/auth" as the request URL instead of
> "http://lb.our.domain/auth/admin/governance/console/config". Maybe the
> set of X-Forwarded-Host on your LB side?
>
> Marek
>
> On 08/09/16 13:05, KASALA Štefan wrote:
>
> Hello,
>
> Finally we upgraded to Keycloak 2.1.0.Final. We have configured Apache
> httpd proxy in front of the server. We configured keycloak server according
> to https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html.
>
>
>
> The configuration is still not complete/correct, probably I missed
> something. When I access proxied url for either of our configured realms I
> got unproxied auth-server-url:
>
> [localuser at machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/governance/console/config | python -m json.tool
>
> {
>     "auth-server-url": "http://machine01.our.domain:8081/auth",
>     "public-client": true,
>     "realm": "governance",
>     "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>     "resource": "security-admin-console",
>     "ssl-required": "external"
> }
>
>
>
> [localuser at machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool
>
> {
>     "auth-server-url": "http://machine01.our.domain:8081/auth",
>     "public-client": true,
>     "realm": "master",
>     "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB",
>     "resource": "security-admin-console",
>     "ssl-required": "external"
> }
>
>
>
> How can I configure it to return the proxied version? Thanks.
>
> Stefan.
>
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday, June 28, 2016 3:51 PM
> *To:* KASALA Štefan <Stefan.Kasala at posam.sk>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Getting 401 if trying to access app via
> loadbalancer
>
>
>
> Firstly, please upgrade to a more recent Keycloak version. Then refer to
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html
> for details on how to setup a reverse proxy / load balancer in front of Keycloak.
>
>
>
> On 27 June 2016 at 09:18, KASALA Štefan <Stefan.Kasala at posam.sk> wrote:
>
> Hello,
>
> we have installed JBoss Overlord Rtgov 2.1.0 which is using
> Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name it with
> hostname app01. We have a load balancer under another hostname lbapp in
> front of the deployed app. I am able to call the rest interface of RtGov
> directly on machine app01 but not using lbapp, I get 401 - Unauthorized
> from Keycloak. My guess is there is some check against hostname in http
> request. Is there some possibility to register aliases with the keycloak to
> enable calls via load balancer? Thanks.
>
> Stefan Kasala
>
>
> This message is for the designated recipient only and may contain
> confidential or internal information. If you have received it in error,
> please notify the sender immediately and delete the original. Any other use
> of the e-mail by you is prohibited.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
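The request dump quoted in the thread shows both headers side by side: Host=machine01.our.domain:8081 (what the backend listener saw) and X-Forwarded-Host=lb.our.domain (what the client used), and the console config came back with the backend host. The script below is an added example for this thread, not Keycloak or Undertow code: it parses a dump of that shape and shows which host lands in the absolute URL with proxy-address-forwarding off versus on. The forwarding rules are a model of how X-Forwarded-Proto/Host/Port are applied, not Undertow's implementation; the trusted-proxy check is this example's own guard, and the SAMPLE_DUMP text is constructed from the fields shown above.

```python
"""Added example: how X-Forwarded-* headers change the host Keycloak puts into
absolute URLs (e.g. auth-server-url) behind a reverse proxy. Not Keycloak or
Undertow code; the forwarding rules are a model, and the trusted-proxy check
is this example's own guard."""
from ipaddress import ip_address, ip_network

# Constructed sample: the REQUEST section of the dump quoted in the thread.
SAMPLE_DUMP = """\
----------------------------REQUEST---------------------------
               URI=/auth/admin/master/console/config
 characterEncoding=null
     contentLength=-1
       contentType=null
            header=Accept=*/*
            header=Connection=Keep-Alive
            header=X-Forwarded-For=10.231.79.183
            header=X-Forwarded-Server=lb.our.domain
            header=User-Agent=curl/7.49.1
            header=Host=machine01.our.domain:8081
            header=X-Forwarded-Host=lb.our.domain
            locale=[]
            method=GET
          protocol=HTTP/1.1
       queryString=
        remoteAddr=10.231.79.183:0
        remoteHost=10.231.79.183
            scheme=http
              host=machine01.our.domain:8081
        serverPort=0
"""


def parse_dump(text):
    """Return (fields, headers) from the REQUEST section of an Undertow dump.

    Header names are lower-cased; if a header repeats, the first value wins,
    which is how a first-hop X-Forwarded-* value is normally read.
    """
    fields, headers = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "header":
            name, _, hval = value.partition("=")
            headers.setdefault(name.lower(), hval.strip())
        else:
            fields[key] = value.strip()
    return fields, headers


def peer_is_trusted(fields, trusted_proxies):
    """True if remoteAddr (IPv4 'addr:port' in the dump) is in a trusted range."""
    peer = fields.get("remoteAddr", "").rsplit(":", 1)[0]
    if not peer:
        return False
    return any(ip_address(peer) in ip_network(net) for net in trusted_proxies)


def effective_url(fields, headers, proxy_address_forwarding, trusted_proxies=()):
    """URL Keycloak would build absolute URLs from for this request.

    Forwarding off: the listener's own scheme and the Host header are used, so
    a proxied request still yields the backend host (machine01:8081 here).
    Forwarding on: X-Forwarded-Proto/Host/Port replace them, but only when the
    peer is a trusted proxy. Honouring these headers from any client would let
    a direct caller choose the host name that ends up in issuer and redirect
    URLs, so a listener with forwarding enabled must only be reachable via
    the proxy.
    """
    scheme = fields.get("scheme", "http")
    host = headers.get("host", fields.get("host", ""))
    if proxy_address_forwarding and peer_is_trusted(fields, trusted_proxies):
        scheme = headers.get("x-forwarded-proto", scheme).split(",")[0].strip()
        fwd_host = headers.get("x-forwarded-host")
        if fwd_host:
            host = fwd_host.split(",")[0].strip()
            port = headers.get("x-forwarded-port")
            if port:
                host = f"{host}:{port.split(',')[0].strip()}"
    return f"{scheme}://{host}{fields.get('URI', '/')}"


def auth_server_url(fields, headers, proxy_address_forwarding, trusted_proxies=()):
    """auth-server-url as the console config reports it: origin plus /auth,
    Keycloak's context path in this thread."""
    url = effective_url(fields, headers, proxy_address_forwarding, trusted_proxies)
    scheme, _, rest = url.partition("://")
    return f"{scheme}://{rest.split('/', 1)[0]}/auth"


def diagnose(fields, headers):
    """Findings, from the dump alone, that explain a wrong absolute URL."""
    notes = []
    fwd_host = headers.get("x-forwarded-host")
    if fwd_host and fwd_host != headers.get("host"):
        notes.append(f"X-Forwarded-Host ({fwd_host}) differs from Host "
                     f"({headers.get('host')}): URLs use Host unless "
                     "proxy-address-forwarding is enabled")
    if "x-forwarded-proto" not in headers:
        notes.append(f"X-Forwarded-Proto missing: scheme stays "
                     f"{fields.get('scheme')} even if the proxy terminates TLS")
    return notes


if __name__ == "__main__":
    f, h = parse_dump(SAMPLE_DUMP)
    for note in diagnose(f, h):
        print("finding:", note)
    print("forwarding off:", auth_server_url(f, h, False))           # backend host
    print("forwarding on :", auth_server_url(f, h, True, ["10.231.79.0/24"]))  # lb host
```

Run against the sample, `diagnose` reports the Host/X-Forwarded-Host mismatch and the missing X-Forwarded-Proto, and `auth_server_url` flips from the machine01 value in the thread to the lb.our.domain value once forwarding is on and the peer is in the trusted range. The 10.231.79.0/24 range is a constructed placeholder for the proxy's addresses.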