[keycloak-user] reverse proxy woes

Thomas Darimont thomas.darimont at googlemail.com
Wed Jul 5 05:38:21 EDT 2017


Hi Tim,

did you specify proxy-address-forwarding="true" for the <http-listener>
element in the undertow subsystem of your standalone(-ha).xml?
https://keycloak.gitbooks.io/documentation/server_installation/topics/clustering/load-balancer.html

Cheers,
Thomas

2017-07-05 11:24 GMT+02:00 Tim Dudgeon <tdudgeon.ml at gmail.com>:

> Hi All,
>
> I'm having a problem with running keycloak behind an nginx reverse proxy.
>
> I've had this running for some time now without problems, but have now
> stood up a new system in a networking environment that I don't have much
> control over, and for some reason things are not working.
>
> My nginx proxy forwarding looks like this:
>
>      location /auth/ {
>          proxy_pass                http://keycloak:8080/auth/;
>          proxy_set_header        Host $host;
>          proxy_set_header        X-Real-IP $remote_addr;
>          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
>          proxy_set_header        X-Forwarded-Proto $scheme;
>          proxy_redirect            off;
>          proxy_connect_timeout    75s;
>      }
>
> Similar for the app that is using keycloak for SSO (this is a tomcat
> based servlet app).
>
> In my keycloak's standalone.xml the http-listener element has had
> proxy-address-forwarding="true" added.
> This has all been fine, but in this new environment it's not working.
>
> I get the keycloak login prompt, and can login OK. But when I look in
> the session in Keycloak the From IP address is 10.0.0.10 not the actual
> IP address of the machine where the browser resides.
>
> And the app using Keycloak denies access with this exception in the logs:
>
> 05-Jul-2017 08:53:31.679 ERROR [http-nio-8080-exec-4] org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode failed to turn code into token
> java.net.ConnectException: Connection refused
> at java.net.PlainSocketImpl.socketConnect(Native Method)
> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> at java.net.Socket.connect(Socket.java:589)
> at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:532)
> at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
> at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
> at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
> at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327)
> at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273)
> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130)
> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206)
> at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:48)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:471)
> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
> at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
>
> Can anyone shed any light on what might be wrong here?
> Note this is using quite an old version of keycloak (2.1.0) though I
> don't think this is the problem.
>
> Thanks
>
> Tim
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
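An added illustration of the mechanism the thread is about (written for this page; it is not code from the thread, from Keycloak or from Undertow): once a server is told to trust forwarded addresses, as proxy-address-forwarding="true" does, the client address it records comes from the X-Forwarded-For chain that nginx's $proxy_add_x_forwarded_for builds, and a safe resolver only honours that chain when the TCP peer is a known proxy. The trusted subnet 10.0.0.0/24 and the client addresses used in the cases are constructed for the example; only 10.0.0.10 comes from the thread. The "header never set by proxy" case reproduces the symptom Tim describes, where the session's From IP is the proxy rather than the browser.

```python
import ipaddress

# Constructed for this example (not from the thread): the nginx host in the
# thread appears as 10.0.0.10, so that subnet stands in for the proxy tier.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _trusted(addr, trusted):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def resolve_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client address a server behind proxies should record.

    $proxy_add_x_forwarded_for appends the peer nginx saw to whatever
    X-Forwarded-For already carried, so the chain reads left (oldest, possibly
    supplied by the client itself) to right (appended by the last proxy). The
    chain is walked from the right, skipping trusted proxies; the first
    untrusted hop is the client. If the TCP peer is not a trusted proxy the
    header is ignored, since any direct client can send that header.
    """
    if not _trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: fall back to the peer rather than record garbage.
            return remote_addr
        if not _trusted(hop, trusted):
            return hop
    # Header absent, or made up only of proxies: all that can be reported is
    # the peer, which is the "From IP is 10.0.0.10" symptom from the thread.
    return remote_addr


def demo_cases():
    """Constructed (TCP peer, X-Forwarded-For) pairs mapped to the resolved client."""
    cases = {
        "header reaches keycloak": ("10.0.0.10", "203.0.113.5"),
        "extra upstream balancer": ("10.0.0.10", "203.0.113.5, 10.0.0.20"),
        "client tried to spoof": ("10.0.0.10", "1.2.3.4, 203.0.113.5"),
        "header never set by proxy": ("10.0.0.10", None),
        "direct hit, no proxy": ("198.51.100.9", "1.2.3.4"),
    }
    return {name: resolve_client_ip(peer, xff) for name, (peer, xff) in cases.items()}


if __name__ == "__main__":
    for name, ip in demo_cases().items():
        print(f"{name:28s} -> {ip}")
```

The trust list is what makes the header safe to consume: without it, the left-most entry is whatever the browser (or anything between browser and proxy) chose to send. The "extra upstream balancer" case is the situation a network you do not control tends to produce, where a second hop inside the proxy subnet sits between nginx and Keycloak; it only resolves correctly because that hop is in the trusted list, so when the recorded address is a proxy, checking which hops actually appear in the chain is the first diagnostic step.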