[keycloak-user] Services behind a Proxy that offloads SSL

Malte Finsterwalder inofi at gmx.net
Tue Nov 28 07:28:07 EST 2017


Thanks for this reference.
But it still doesn't solve my problem.
I see I need to describe a little more, what my setup is and what my
problem is.

We use HAProxy.
I have one URL for my keycloak, say: https://keycloak.x.org
I have another URL for my service, say: https://service.x.org
These URLs go to HAProxy, which offloads SSL and then directs traffic as
HTTP to the servers, which are run in a Kubernetes Cluster.

My keycloak.json file stored in the service is as follows:

{
  "realm": "myrealm",
  "auth-server-url": "https://keycloak.x.org/auth",
  "ssl-required": "all",
  "resource": "my-client",
  "principal-attribute": "preferred_username",
  "public-client": true,
  "truststore": "/truststore.jks",
  "truststore-password": "mytruststorepassword"
}

I open the service: "https://service.x.org/somepage" in my browser.
I get redirected to Keycloak for authentication with this URL:
https://keycloak.x.org/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=http%3A%2F%2Fservice.x.org%2Fsomepage%2F&state=....&login=true&scope=openid
Keycloak is accessed via https, as stated in the keycloak.json file.
But as you can see, the embedded redirect_uri is http, not https.
After Keycloak has authenticated the user, Keycloak issues a redirect to
http://service.x.org/somepage and not https://service.x.org/somepage
So after authentication my service is accessed via http and not https anymore.

Keycloak's standalone.xml is configured as described in the setup for
Apache2 you sent me:

        <subsystem xmlns="urn:jboss:domain:undertow:3.1">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener proxy-address-forwarding="true"
                               name="default"
                               socket-binding="http"
                               redirect-socket="https"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <filter-ref name="server-header"/>
                    <filter-ref name="x-powered-by-header"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config/>
                <websockets/>
            </servlet-container>
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
            <filters>
                <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
                <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
            </filters>
        </subsystem>


    <socket-binding-group name="standard-sockets" default-interface="public"
                          port-offset="${jboss.socket.binding.port-offset:0}">
        ....
        <socket-binding name="https" port="${jboss.https.port:8443}"/>
        ....
    </socket-binding-group>

Does that make things clearer?

What am I missing?!

Thanks for your help,
   Malte

On 28 November 2017 at 11:07, Matthew Broadhead <matthew.broadhead at nbmlaw.co.uk> wrote:

> which proxy are you using?  this guide helped me proxy behind apache2
> http://markus.co/howto/2017/07/27/keycloak-apache.html
>
> On 28/11/2017 10:57, Malte Finsterwalder wrote:
> > Thanks for your help, but I can't find anything helpful in the docs. I
> > scanned the complete documentation and read a lot of it.
> > Could you point me to a particular chapter?
> >
> > To clarify: I don't have a problem with Keycloak being behind a proxy
> > that offloads SSL.
> >
> > I have a problem with the service being behind a proxy. The service
> > itself is accessed via HTTP, since SSL is offloaded on the Proxy.
> > The client adapter then creates a redirect URL as HTTP, not HTTPS and
> > passes that to Keycloak. So when Keycloak redirects back to the service,
> > it uses the HTTP URL provided by the client adapter, which is "wrong".
> >
> > Thanks,
> >     Malte
> >
> > On 27 November 2017 at 20:26, Stian Thorgersen <sthorger at redhat.com> wrote:
> >
> >> Read the docs. There's a section on how to configure Keycloak properly
> >> when you're using a reverse proxy
> >>
> >> On 27 November 2017 at 17:31, Malte Finsterwalder <inofi at gmx.net> wrote:
> >>
> >>> Hi there,
> >>>
> >>> I have a service running in a JBoss server, that I want to secure via
> >>> the keycloak adapter.
> >>> The server is behind a proxy, that offloads SSL, so the server itself
> >>> gets traffic as http.
> >>> When the server redirects to keycloak for authentication, the redirect
> >>> URL supplied to keycloak is http, not https. How can I ensure, that a
> >>> redirect URL is an https URL?
> >>>
> >>> Greetings,
> >>>     Malte
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >>


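As an added illustration (not code from this thread, from Keycloak, or from HAProxy), the Python below mirrors how the service's container derives the request scheme that the adapter copies into redirect_uri: behind an SSL-offloading proxy the scheme stays http unless the container is told to trust the proxy (Undertow's proxy-address-forwarding) and the proxy actually sends a forwarded-protocol header, assumed here to be X-Forwarded-Proto. The auth URL and header values are constructed from the post.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the Keycloak authorization redirect quoted in the post
# (the state value is shortened to a placeholder).
OBSERVED_AUTH_URL = (
    "https://keycloak.x.org/auth/realms/myrealm/protocol/openid-connect/auth"
    "?response_type=code&client_id=my-client"
    "&redirect_uri=http%3A%2F%2Fservice.x.org%2Fsomepage%2F"
    "&state=STATE_PLACEHOLDER&login=true&scope=openid"
)


def effective_scheme(listener_scheme, headers, proxy_address_forwarding):
    """Scheme the service's container reports to the Keycloak adapter.

    Behind HAProxy the container only sees the plain-HTTP hop, so the
    listener scheme is "http". Only when the container trusts the proxy
    (Undertow: proxy-address-forwarding="true") and the proxy sends
    X-Forwarded-Proto (an assumption of this sketch) does the original
    https scheme survive into the redirect.
    """
    if proxy_address_forwarding:
        lowered = {k.lower(): v for k, v in headers.items()}
        forwarded = lowered.get("x-forwarded-proto", "")
        if forwarded:
            # A proxy chain may append several values; the first is client-facing.
            return forwarded.split(",")[0].strip().lower()
    return listener_scheme


def build_redirect_uri(listener_scheme, host, path, headers, proxy_address_forwarding):
    """redirect_uri the adapter embeds, built from the scheme it was given."""
    scheme = effective_scheme(listener_scheme, headers, proxy_address_forwarding)
    return f"{scheme}://{host}{path}"


def redirect_uri_scheme(auth_url):
    """Scheme of the redirect_uri parameter inside a Keycloak auth URL."""
    query = parse_qs(urlsplit(auth_url).query)
    return urlsplit(query["redirect_uri"][0]).scheme


def redirect_is_https(auth_url):
    """The property the poster wants to hold: the callback must be https."""
    return redirect_uri_scheme(auth_url) == "https"
```

Note that enabling proxy-address-forwarding on the service's own container without the proxy sending the header still yields an http redirect_uri, which is the last case in the checks.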