[keycloak-user] reverse proxy woes

Thomas Darimont thomas.darimont at googlemail.com
Wed Jul 5 05:39:36 EDT 2017


... never mind - I missed the part in your email...

2017-07-05 11:38 GMT+02:00 Thomas Darimont <thomas.darimont at googlemail.com>:

> Hi Tim,
>
> did you specify proxy-address-forwarding="true" for the <http-listener>
> element in the undertow subsystem of your standalone(-ha).xml?
> https://keycloak.gitbooks.io/documentation/server_installation/topics/
> clustering/load-balancer.html
>
> Cheers,
> Thomas
>
> 2017-07-05 11:24 GMT+02:00 Tim Dudgeon <tdudgeon.ml at gmail.com>:
>
>> Hi All,
>>
>> I'm having a problem with running keycloak behind an nginx reverse proxy.
>>
>> I've had this running for some time now without problems, but have now
>> stood up a new system in a networking environment that I don't have much
>> control over, and for some reason things are not working.
>>
>> My nginx proxy forwarding looks like this:
>>
>>      location /auth/ {
>>          proxy_pass                http://keycloak:8080/auth/;
>>          proxy_set_header        Host $host;
>>          proxy_set_header        X-Real-IP $remote_addr;
>>          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
>>          proxy_set_header        X-Forwarded-Proto $scheme;
>>          proxy_redirect            off;
>>          proxy_connect_timeout    75s;
>>      }
>>
>> Similar for the app that is using keycloak for SSO (this is a tomcat
>> based servlet app).
>>
>> In my keycloak's standalone.xml the http-listener element has had
>> proxy-address-forwarding="true" added.
>> This has all been fine, but in this new environment it's not working.
>>
>> I get the keycloak login prompt, and can login OK. But when I look in
>> the session in Keycloak the From IP address is 10.0.0.10 not the actual
>> IP address of the machine where the browser resides.
>>
>> And the app using Keycloak denies access with this exception in the logs:
>>
>> 05-Jul-2017 08:53:31.679 ERROR [http-nio-8080-exec-4] org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode failed to turn code into token
>> java.net.ConnectException: Connection refused
>> at java.net.PlainSocketImpl.socketConnect(Native Method)
>> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>> at java.net.Socket.connect(Socket.java:589)
>> at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
>> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:532)
>> at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
>> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
>> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
>> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
>> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
>> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
>> at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>> at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
>> at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327)
>> at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273)
>> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130)
>> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206)
>> at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:48)
>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:471)
>> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
>> at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240)
>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> Can anyone shed any light on what might be wrong here?
>> Note this is using quite an old version of keycloak (2.1.0) though I
>> don't think this is the problem.
>>
>> Thanks
>>
>> Tim
>>
>>
>
>
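As an added illustration (not code from this thread, nor from Keycloak or Undertow), the model below shows how the client address a server records behind nginx depends on what each hop writes into X-Forwarded-For: a hop in front of nginx that sets no header leaves only proxy addresses in the chain, and honouring the header on a listener that is reachable directly lets a caller choose the recorded address. The trusted proxy range, the front-hop scenario and all addresses are constructed assumptions.

```python
"""Added model of client-address resolution behind a reverse proxy (not
code from the thread, Keycloak or Undertow); all addresses are constructed."""
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed assumption: nginx sits in 10.0.0.0/24 and that range is the
# only tier whose X-Forwarded-For entries the listener should believe.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


def leftmost_xff(remote_addr: str, xff: Optional[str]) -> str:
    """Model of proxy-address-forwarding='true': when X-Forwarded-For is
    present its leftmost entry becomes the client, no matter who sent it."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def rightmost_untrusted(remote_addr: str, xff: Optional[str]) -> str:
    """Safer model: walk from the TCP peer backwards, skip hops that belong
    to a trusted proxy, stop at the first that does not; a malformed entry
    falls back to the TCP peer."""
    chain = [h.strip() for h in (xff or "").split(",") if h.strip()]
    chain.append(remote_addr)  # the TCP peer is always the last hop
    for hop in reversed(chain):
        try:
            addr = ip_address(hop)
        except ValueError:
            return remote_addr
        if not any(addr in net for net in TRUSTED_PROXIES):
            return hop
    return remote_addr  # every hop was a trusted proxy: client never seen


SCENARIOS = {  # (remote_addr seen by Keycloak, X-Forwarded-For value)
    # browser -> nginx 10.0.0.10 (appends XFF) -> Keycloak
    "via nginx only": ("10.0.0.10", "203.0.113.5"),
    # browser -> front hop 10.0.0.2 that sets no XFF -> nginx -> Keycloak:
    # nginx can only append its own peer, so the real client is lost
    "front hop drops XFF": ("10.0.0.10", "10.0.0.2"),
    # request that reaches port 8080 directly and carries a forged header
    "listener reached directly": ("198.51.100.7", "10.0.0.99"),
}


def resolve_all() -> dict:
    """Both models over every scenario: {name: (leftmost, trusted-walk)}."""
    return {name: (leftmost_xff(*req), rightmost_untrusted(*req))
            for name, req in SCENARIOS.items()}
```

Comparing the two columns from `resolve_all()` shows that neither strategy can recover a client address that an upstream hop never wrote, and that the trusted-walk variant is only as good as the list of proxies it trusts.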

