[keycloak-user] illegal character in path when testing email setup

Tiemen Ruiten t.ruiten at rdmedia.com
Thu Aug 3 08:07:38 EDT 2017


Figured it out, I needed to remove the final '/' on the proxy_pass line so
it reads:

proxy_pass          http://localhost:8080;

See also: https://forum.nginx.org/read.php?2,75231,175775#msg-175775

And in the nginx docs for proxy_pass
<http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass>:

If proxy_pass is specified without a URI, the request URI is passed to the
server in the same form as sent by a client when the original request is
processed, or the full normalized request URI is passed when processing the
changed URI:

location /some/path/ {
    proxy_pass http://127.0.0.1;
}



On 3 August 2017 at 11:34, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:

> I pinned this down: it's only an issue when running Keycloak behind an
> nginx proxy.
>
> My current stripped down nginx config:
>
> /etc/nginx/nginx.conf:
>
>  include                             /usr/share/nginx/modules/*.conf;
>  user                                nginx;
>  error_log                           /var/log/nginx/error.log;
>  pid                                 /run/nginx.pid;
>  worker_processes                    auto;
>  worker_rlimit_nofile                30000;
>  events {
>      worker_connections              4096;
>      multi_accept                    on;
>  }
>  http {
>      log_format                       main   '$http_host $remote_addr [$time_local] '
>                                              '"$request" $status $body_bytes_sent '
>                                              '"$http_referer" "$http_user_agent" '
>                                              '$request_time $upstream_response_time';
>      access_log                      /var/log/nginx/access.log main;
>      server_tokens                   off;
>      include                         /etc/nginx/mime.types;
>      include /etc/nginx/conf.d/*.conf;
> }
>
> /etc/nginx/conf.d/keycloak.conf
>
> server {
>   listen              443 ssl;
>   server_name         REDACTED;
>   ssl_certificate     /etc/pki/tls/certs/REDACTED.cer;
>   ssl_certificate_key /etc/pki/tls/private/REDACTED.key;
>
>   location / {
>     proxy_http_version  1.1;
>     proxy_pass          http://localhost:8080/;
>     proxy_set_header    Host                            $host;
>     proxy_set_header    X-Real-IP                       $remote_addr;
>     proxy_set_header    X-Forwarded-For                 $proxy_add_x_forwarded_for;
>     proxy_set_header    X-Forwarded-Proto               $scheme;
>     proxy_set_header    X-Forwarded-Port                443;
>   }
> }
>
> Is there a recommended nginx configuration for Keycloak?
>
> On 14 July 2017 at 11:59, Stian Thorgersen <sthorger at redhat.com> wrote:
>
>> I've tried the same steps and we have tests that do the same steps. So
>> there's something more to it. You can create a JIRA sure, but we need to be
>> able to reproduce it.
>>
>> Ideal is that you can reproduce it with a fresh install of Keycloak
>> directly on your box with a fresh DB as well.
>>
>> On 14 July 2017 at 10:42, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
>>
>>> Stian, does this help? Should I file a bug report?
>>>
>>> If anyone could give me some pointers for a workaround, that would also
>>> be much appreciated.
>>>
>>>
>>> On 12 July 2017 at 13:09, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
>>>
>>>> OK, so I rolled a new Keycloak instance and it gives me the exact same
>>>> error. Reproducing is trivial:
>>>>
>>>> - login
>>>> - click Realm Settings
>>>> - click Email tab
>>>> - Fill in Host and From fields
>>>> - Hit 'Test connection'
>>>>
>>>> I can share the Ansible playbook I used to set up the VM privately if
>>>> you'd like.
>>>>
>>>> On 12 July 2017 at 11:43, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
>>>>
>>>>> Hm, it's an almost vanilla Keycloak setup (however upgraded from 3.1.0
>>>>> to 3.2.0), in fact the only changes in standalone.xml are related to the
>>>>> keystore and database. I'll see if I can set up another instance and
>>>>> reproduce there.
>>>>>
>>>>> On 11 July 2017 at 07:35, Stian Thorgersen <sthorger at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Tried to reproduce this, but can't and it's working just fine here.
>>>>>> Do you have steps to reproduce?
>>>>>>
>>>>>> On 10 July 2017 at 16:04, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I get the following error when hitting the 'Test connection' button
>>>>>>> on the email tab in Realm settings:
>>>>>>>
>>>>>>> 2017-07-10 15:55:27,316 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: *Keycloak 3.2.0.Final (WildFly Core 2.0.10.Final)* started in 21731ms - Started 449 of 824 services (561 services are lazy, passive or on-demand)
>>>>>>> 2017-07-10 15:56:48,997 WARN  [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-11) RESTEASY002130: Failed to parse request.: javax.ws.rs.core.UriBuilderException: RESTEASY003330: Failed to create URI: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{"port":null,"host":"mail.rdmedia.com","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"}
>>>>>>> at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:749)
>>>>>>> at org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(ResteasyUriBuilder.java:721)
>>>>>>> at org.jboss.resteasy.spi.ResteasyUriInfo.initialize(ResteasyUriInfo.java:58)
>>>>>>> at org.jboss.resteasy.spi.ResteasyUriInfo.<init>(ResteasyUriInfo.java:53)
>>>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletUtil.extractUriInfo(ServletUtil.java:41)
>>>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:200)
>>>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>>>> Caused by: java.net.URISyntaxException: Illegal character in path at index 67: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{"port":null,"host":"mail.rdmedia.com","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"}
>>>>>>> at java.net.URI$Parser.fail(URI.java:2848)
>>>>>>> at java.net.URI$Parser.checkChars(URI.java:3021)
>>>>>>> at java.net.URI$Parser.parseHierarchical(URI.java:3105)
>>>>>>> at java.net.URI$Parser.parse(URI.java:3053)
>>>>>>> at java.net.URI.<init>(URI.java:588)
>>>>>>> at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:744)
>>>>>>> ... 40 more
>>>>>>>
>>>>>>> The 67th character is the slash after testSMTPConnection. Is this a
>>>>>>> bug and/or is there a workaround/fix?
>>>>>>>
>>>>>>> --
>>>>>>> Tiemen Ruiten
>>>>>>> Systems Engineer
>>>>>>> R&D Media



-- 
Tiemen Ruiten
Systems Engineer
R&D Media
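
The difference between the two proxy_pass forms in this thread, as an added example that is not part of the original messages and is not nginx or Keycloak code. It is a simplified model that assumes the admin console sends the JSON path segment percent-encoded and that this nginx, when proxy_pass carries a URI, decodes the path and escapes only space, '#', '%', '?' and non-printable bytes again; the JSON body and mail host are constructed placeholders.

```python
import re
from urllib.parse import quote, unquote_to_bytes

# Assumption: the only printable characters this nginx re-escapes when it
# forwards a normalized URI (simplified model, not nginx source).
REESCAPED = b" #%?"

# Unescaped characters a strict RFC 3986 parser accepts in a path, or a %XX triplet.
LEGAL = re.compile(r"[A-Za-z0-9\-._~!$&'()*+,;=:@/]|%[0-9A-Fa-f]{2}")

# Constructed request path: the admin console call with its JSON segment
# percent-encoded by the client (host name is a placeholder).
CLIENT_PATH = "/auth/admin/realms/master/testSMTPConnection/" + quote(
    '{"port":null,"host":"mail.example.test"}', safe="")


def upstream_path(client_path, location, proxy_pass):
    """Path the modelled proxy sends upstream for a prefix location."""
    uri_part = re.match(r"https?://[^/]+(/.*)?$", proxy_pass).group(1)
    if uri_part is None:
        # proxy_pass without a URI: forwarded in the form the client sent.
        return client_path
    # proxy_pass with a URI: the decoded path has the location prefix
    # replaced by that URI, then only a few bytes are escaped again.
    raw = uri_part.encode() + unquote_to_bytes(client_path)[len(location):]
    return "".join(
        chr(b) if 0x20 < b < 0x7F and b not in REESCAPED else "%%%02X" % b
        for b in raw)


def first_illegal(url):
    """Index of the first character a strict parser rejects, or -1."""
    i = 0
    while i < len(url):
        m = LEGAL.match(url, i)
        if m is None:
            return i
        i = m.end()
    return -1


if __name__ == "__main__":
    for target in ("http://localhost:8080/", "http://localhost:8080"):
        path = upstream_path(CLIENT_PATH, "/", target)
        print(target, first_illegal("https://kc.rdmedia.com" + path), path)
```

With the trailing slash the upstream sees a raw '{' and '"' in the path, which a strict URI parser refuses; without it the percent-encoded path arrives untouched.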

