[keycloak-user] Getting the client-IP behind a reverse proxy with HTTPS

Stian Thorgersen sthorger at redhat.com
Wed Jan 11 05:23:49 EST 2017


https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html

On 10 January 2017 at 12:09, Olivier Bruylandt <olivier.bruylandt at gmail.com>
wrote:

> Dear,
>
>
> I get an issue to get the wanted behavior when retrieving the client public
> IP.
> This is the situation :
> (all IP's have been anonymized)
>
>
>
> - *infrastructure level*:
>
> ----------- Reverse Proxy NGINX -----------------------------------
> KeyCloak
>
> RP is listening on ports 80 & 443 (80 is redirected to 443)
> There is a public certificate signed by some external CA
> Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080)
> Keycloak is set as standalone server on a Wildfly last version
>
>
>
>
> - *Nginx config*
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *server {        listen 443;        server_name ************;
> fastcgi_param HTTPS on;        location / {                add_header
> X-Cache-Status $upstream_cache_status;                add_header X-Real-IP
>  $remote_addr;                add_header X-Forwarded-For $remote_addr;
>           add_header X-Forwarded-Proto $scheme;
> more_set_headers 'Server: ******';                more_clear_headers
> 'X-Powered-By';                charset UTF-8;                proxy_cache
>   ******_cache;                proxy_pass      https://1.1.1.1:8443/
> <https://1.1.1.1:8443/>;        }*
>
>
>
>
>
>
>
>
>
>
>
>
> *      ssl on;        ssl_certificate /etc/ssl/private/**********.crt;
>              ssl_certificate_key /etc/ssl/private/*************.key;
> ssl_prefer_server_ciphers on;        ssl_dhparam /etc/ssl/***********.pem;
>       ssl_protocols TLSv1.1 TLSv1.2;        ssl_stapling on;
> ssl_session_cache builtin:1000 shared:SSL:10m;        add_header
> Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
>       add_header X-Frame-Options "DENY";        ssl_ciphers
> 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';*
>
>
>
>
> - *Keycloak config* :
>
>
> *        <subsystem xmlns="urn:jboss:domain:undertow:3.0">*
> *            <buffer-cache name="default"/>*
> *            <server name="default-server">*
>
> *                <http-listener
> name="default" proxy-address-forwarding="true" socket-binding="http"/>*
> *                <https-listener name="https" security-realm="**********"
> socket-binding="https"/>*
> *                <host name="default-host" alias="localhost">*
> *                    <location name="/" handler="welcome-content"/>*
> *                </host>*
> *            </server>*
> *            <servlet-container name="default">*
> *                <jsp-config/>*
> *                <websockets/>*
> *            </servlet-container>*
> *            <handlers>*
> *                <file name="welcome-content"
> path="${jboss.home.dir}/welcome-content"/>*
> *            </handlers>*
> *        </subsystem>*
>
>
>
>
>
>
>
> The situation is that everything is working fine and smooth EXCEPT ... the
> fact that under sessions (and moreover for all user activities), the user
> IP I see is the one of the reverse proxy !!
> As I put in red in the KC config, this is what should do the trick to use
> the X-Forwarded-For header value to set the client's IP.
>
> 15:07:55,104 WARN  [org.keycloak.events] (default task-19)
> type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account, userId=null,
> ipAddress=2.2.2.2, (...)
>
>
>
> When I tried to reach KC on the 8080 (HTTP) listener (so the RP terminates
> the SSL connection and the one to KC server is made in HTTP), I got
> obviously a whole bunch of warnings and errors due to HTTP -> HTTPS
> transport and also a HTTP connection towards the external social identity
> providers like Google, FB, etc. ... BUT I got at least the real IP as you
> might see hereunder :
>
> 15:09:24,068 WARN  [org.keycloak.events] (default task-29)
> type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null,
> ipAddress=191.21.133.234, (...)
>
>
>
>
>
> So the situation is that I will only get the "real" IP of the client only
> if it passes through the HTTP listener of KC (that has the parameter
> "proxy-address-forwarding") which is not what I want as I want to reach the
> HTTPS listener.
> I obviously also tried to add the same parameter (*proxy-address-forwarding
> = "true"*) in the HTTPS listener configuration but then, standalone.sh
> shows an error and refuses to start :
>
>
> *14:24:30,621 INFO  [org.jboss.modules] (main) JBoss Modules version
> 1.5.1.Final*
> *14:24:30,821 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final*
> *14:24:30,888 INFO  [org.jboss.as <http://org.jboss.as/>] (MSC service
> thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core 2.0.10.Final)
> starting*
> *14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread)
> WFLYSRV0055: Caught exception during boot:
> org.jboss.as.controller.persistence.ConfigurationPersistenceException:
> WFLYCTL0085:
> Failed to parse configuration*
> *    at
> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(
> XmlConfigurationPersister.java:131)*
> *    at org.jboss.as.server.ServerService.boot(ServerService.java:356)*
> *    at
> org.jboss.as.controller.AbstractControllerService$1.
> run(AbstractControllerService.java:299)*
> *    at java.lang.Thread.run(Thread.java:745)*
> *Caused by: javax.xml.stream.XMLStreamException: ParseError at
> [row,col]:[380,17]*
> *Message: WFLYCTL0376: Unexpected attribute 'proxy-address-forwarding'
> encountered. Valid attributes are: 'socket-binding, worker, buffer-pool,
> enabled, resolve-peer-address, security-realm, verify-client,
> enabled-cipher-suites, enabled-protocols, enable-http2, enable-spdy,
> ssl-session-cache-size, ssl-session-timeout, max-header-size,
> max-post-size, buffer-pipelined-data, max-parameters, max-headers,
> max-cookies, allow-encoded-slash, decode-url, url-charset,
> always-set-keep-alive, max-buffered-request-size,
> record-request-start-time, allow-equals-in-cookie-value,
> no-request-timeout, request-parse-timeout, disallowed-methods, tcp-backlog,
> receive-buffer, send-buffer, tcp-keep-alive, read-timeout, write-timeout,
> max-connections, secure'*
> *    at
> org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(
> ParseUtils.java:128)*
>
>
>
>
>
> *requirements* :
>
> - Entire solution has to run with SSL (HTTPS) from end to end
>
>
>
> Did someone already faced that situation or does have any clue about this ?
> Thank you for reading this post.
>
> Regards,
>
>
> /Olivier
>
> On 10 January 2017 at 11:52, Olivier Bruylandt <
> olivier.bruylandt at gmail.com>
> wrote:
>
> > Dear,
> >
> >
> > I get an issue to get the wanted behavior when retrieving the client
> > public IP.
> > This is the situation :
> > (all IP's have been anonymized)
> >
> >
> >
> > - *infrastructure level*:
> >
> > ----------- Reverse Proxy NGINX -----------------------------------
> > KeyCloak
> >
> > RP is listening on ports 80 & 443 (80 is redirected to 443)
> > There is a public certificate signed by some external CA
> > Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080)
> > Keycloak is set as standalone server on a Wildfly last version
> >
> >
> >
> >
> > - *Nginx config*
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > *server {        listen 443;        server_name ************;
> > fastcgi_param HTTPS on;        location / {                add_header
> > X-Cache-Status $upstream_cache_status;                add_header
> X-Real-IP
> >  $remote_addr;                add_header X-Forwarded-For $remote_addr;
> >           add_header X-Forwarded-Proto $scheme;
> > more_set_headers 'Server: ******';                more_clear_headers
> > 'X-Powered-By';                charset UTF-8;                proxy_cache
> >   ******_cache;                proxy_pass      https://1.1.1.1:8443/
> > <https://1.1.1.1:8443/>;        }*
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > *      ssl on;        ssl_certificate /etc/ssl/private/**********.crt;
> >              ssl_certificate_key /etc/ssl/private/*************.key;
> > ssl_prefer_server_ciphers on;        ssl_dhparam
> /etc/ssl/***********.pem;
> >       ssl_protocols TLSv1.1 TLSv1.2;        ssl_stapling on;
> > ssl_session_cache builtin:1000 shared:SSL:10m;        add_header
> > Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
> >       add_header X-Frame-Options "DENY";        ssl_ciphers
> > 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';*
> >
> >
> >
> >
> > - *Keycloak config* :
> >
> >
> > *        <subsystem xmlns="urn:jboss:domain:undertow:3.0">*
> > *            <buffer-cache name="default"/>*
> > *            <server name="default-server">*
> >
> > *                <http-listener
> > name="default" proxy-address-forwarding="true" socket-binding="http"/>*
> > *                <https-listener name="https" security-realm="**********"
> > socket-binding="https"/>*
> > *                <host name="default-host" alias="localhost">*
> > *                    <location name="/" handler="welcome-content"/>*
> > *                </host>*
> > *            </server>*
> > *            <servlet-container name="default">*
> > *                <jsp-config/>*
> > *                <websockets/>*
> > *            </servlet-container>*
> > *            <handlers>*
> > *                <file name="welcome-content"
> > path="${jboss.home.dir}/welcome-content"/>*
> > *            </handlers>*
> > *        </subsystem>*
> >
> >
> >
> >
> >
> >
> >
> > The situation is that everything is working fine and smooth EXCEPT ...
> the
> > fact that under sessions (and moreover for all user activities), the user
> > IP I see is the one of the reverse proxy !!
> > As I put in red in the KC config, this is what should do the trick to use
> > the X-Forwarded-For header value to set the client's IP.
> >
> > 15:07:55,104 WARN  [org.keycloak.events] (default task-19)
> > type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account, userId=null,
> > ipAddress=2.2.2.2, (...)
> >
> >
> >
> > When I tried to reach KC on the 8080 (HTTP) listener (so the RP
> terminates
> > the SSL connection and the one to KC server is made in HTTP), I got
> > obviously a whole bunch of warnings and errors due to HTTP -> HTTPS
> > transport and also a HTTP connection towards the external social identity
> > providers like Google, FB, etc. ... BUT I got at least the real IP as you
> > might see hereunder :
> >
> > 15:09:24,068 WARN  [org.keycloak.events] (default task-29)
> > type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null,
> > ipAddress=191.21.133.234, (...)
> >
> >
> >
> >
> >
> > So the situation is that I will only get the "real" IP of the client only
> > if it passes through the HTTP listener of KC (that has the parameter
> > "proxy-address-forwarding") which is not what I want as I want to reach
> the
> > HTTPS listener.
> > I obviously also tried to add the same parameter
> (*proxy-address-forwarding
> > = "true"*) in the HTTPS listener configuration but then, standalone.sh
> > shows an error and refuses to start :
> >
> >
> > *14:24:30,621 INFO  [org.jboss.modules] (main) JBoss Modules version
> > 1.5.1.Final*
> > *14:24:30,821 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final*
> > *14:24:30,888 INFO  [org.jboss.as <http://org.jboss.as/>] (MSC service
> > thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core 2.0.10.Final)
> > starting*
> > *14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread)
> > WFLYSRV0055: Caught exception during boot:
> > org.jboss.as.controller.persistence.ConfigurationPersistenceException:
> WFLYCTL0085:
> > Failed to parse configuration*
> > *    at
> > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(
> XmlConfigurationPersister.java:131)*
> > *    at org.jboss.as.server.ServerService.boot(ServerService.java:356)*
> > *    at
> > org.jboss.as.controller.AbstractControllerService$1.
> run(AbstractControllerService.java:299)*
> > *    at java.lang.Thread.run(Thread.java:745)*
> > *Caused by: javax.xml.stream.XMLStreamException: ParseError at
> > [row,col]:[380,17]*
> > *Message: WFLYCTL0376: Unexpected attribute 'proxy-address-forwarding'
> > encountered. Valid attributes are: 'socket-binding, worker, buffer-pool,
> > enabled, resolve-peer-address, security-realm, verify-client,
> > enabled-cipher-suites, enabled-protocols, enable-http2, enable-spdy,
> > ssl-session-cache-size, ssl-session-timeout, max-header-size,
> > max-post-size, buffer-pipelined-data, max-parameters, max-headers,
> > max-cookies, allow-encoded-slash, decode-url, url-charset,
> > always-set-keep-alive, max-buffered-request-size,
> > record-request-start-time, allow-equals-in-cookie-value,
> > no-request-timeout, request-parse-timeout, disallowed-methods,
> tcp-backlog,
> > receive-buffer, send-buffer, tcp-keep-alive, read-timeout, write-timeout,
> > max-connections, secure'*
> > *    at
> > org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(
> ParseUtils.java:128)*
> >
> >
> >
> >
> >
> > *requirements* :
> >
> > - Entire solution has to run with SSL (HTTPS) from end to end
> >
> >
> >
> > Did someone already faced that situation or does have any clue about
> this ?
> > Thank you for reading this post.
> >
> > Regards,
> >
> >
> > /Olivier
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


More information about the keycloak-user mailing list