[keycloak-user] Keycloak & SSL - incorrect urls

John Bartko john.bartko at drillinginfo.com
Tue May 23 11:17:08 EDT 2017


From https://keycloak.gitbooks.io/documentation/server_installation/topics/clustering/load-balancer.html

On the Keycloak side:


/socket-binding-group=standard-sockets/socket-binding=proxy-https/:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)

On the LB side:

- Must set X-Forwarded-For
- Must set X-Forwarded-Proto
- Must preserve Host header

AWS ELB/ALBs should do all of the above out of the box.

To verify from behind the LB, curl an endpoint that renders URIs (like OIDC config, or SAML descriptor):

curl -s -H 'Host: keycloak.example.org' -H 'X-Forwarded-For: 10.0.100.42' -H 'X-Forwarded-Proto: https' $(hostname -I | cut -f 1 -d ' '):8080/auth/realms/master/.well-known/openid-configuration | jq .issuer
"https://keycloak.example.org/auth/realms/master"

The URI should be rendered correctly. If access logging is enabled in the environment, the log entry should have recorded the request as coming from the IP listed in the X-Forwarded-For header.


Hope that helps,

-John Bartko
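Added example (not part of John Bartko's reply, and not Keycloak's own tooling): a small Python script that performs the same check as the curl/jq line above, but against every URL-valued field of the OIDC discovery document rather than just `issuer`. The hostname `keycloak.example.org`, the backend address `http://127.0.0.1:8080`, the realm `master` and the two sample documents are assumptions constructed for the example; point `fetch_discovery()` at a real node behind the LB to run it for real.

```python
"""Verify that Keycloak, when asked the way the load balancer asks it,
renders its public https:// URLs instead of the backend http:// ones."""
import json
import urllib.request
from urllib.parse import urlsplit

PUBLIC_HOST = "keycloak.example.org"   # assumed public hostname served by the LB
BACKEND = "http://127.0.0.1:8080"      # assumed plain-HTTP Keycloak listener behind the LB
REALM = "master"


def fetch_discovery(backend=BACKEND, public_host=PUBLIC_HOST, realm=REALM,
                    client_ip="10.0.100.42"):
    """Fetch the discovery document with the headers the LB is expected to send
    (Host preserved, X-Forwarded-For and X-Forwarded-Proto set)."""
    url = f"{backend}/auth/realms/{realm}/.well-known/openid-configuration"
    req = urllib.request.Request(url, headers={
        "Host": public_host,
        "X-Forwarded-For": client_ip,
        "X-Forwarded-Proto": "https",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def find_bad_urls(discovery, public_host=PUBLIC_HOST):
    """Return {field: url} for every URL-valued field that is not rendered as
    https://<public_host>/... ; an empty dict means proxy forwarding works."""
    bad = {}
    for field, value in discovery.items():
        if not isinstance(value, str) or "://" not in value:
            continue  # lists such as response_types_supported carry no URLs
        parts = urlsplit(value)
        if parts.scheme != "https" or parts.netloc != public_host:
            bad[field] = value
    return bad


# Constructed sample: what a node renders when proxy-address-forwarding is off
# and the LB headers are ignored (backend address and scheme leak into URLs).
BROKEN_SAMPLE = {
    "issuer": "http://10.0.1.5:8080/auth/realms/master",
    "authorization_endpoint": "http://10.0.1.5:8080/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://10.0.1.5:8080/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "http://10.0.1.5:8080/auth/realms/master/protocol/openid-connect/certs",
    "response_types_supported": ["code", "token"],
}

# Constructed sample: the same document once Host/X-Forwarded-Proto are honoured.
FIXED_SAMPLE = {
    k: v.replace("http://10.0.1.5:8080", "https://keycloak.example.org")
    if isinstance(v, str) else v
    for k, v in BROKEN_SAMPLE.items()
}


if __name__ == "__main__":
    # Live check against a real node behind the LB (assumed reachable).
    bad = find_bad_urls(fetch_discovery())
    if bad:
        print("proxy forwarding NOT working; offending fields:")
        for field, url in bad.items():
            print(f"  {field}: {url}")
    else:
        print(f"all discovery URLs rendered as https://{PUBLIC_HOST}/...")
```

The check deliberately looks at `jwks_uri` and the endpoints as well as `issuer`: a wrong scheme or host in any of them ends up in client configurations and SAML descriptors exported from this document.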

________________________________
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of John D. Ament <john.d.ament at gmail.com>
Sent: Tuesday, May 23, 2017 6:49:07 AM
To: keycloak-user
Subject: [keycloak-user] Keycloak & SSL - incorrect urls

Hi,

I have keycloak deployed behind an ELB and nginx, so it's going ELB -> NGINX
-> KEYCLOAK.  We do SSL termination at the ELB, so that the requests to
nginx and keycloak are actually HTTP calls.  We've noticed that the
endpoint descriptors page (which provides an importable XML for a SAML
descriptor) is using HTTP URLs, even though the public URL is an HTTPS URL
(e.g. https://keycloak.mycompany.com).

Is there a configuration setting that would force keycloak to render HTTPS
urls?

John
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
