[keycloak-user] Services behind a Proxy that offloads SSL

Matthew Broadhead matthew.broadhead at nbmlaw.co.uk
Tue Nov 28 07:36:56 EST 2017


section 1.5 of the article configures undertow in keycloak to proxy https
section 2.3 of the article shows how to configure httpd to reverse proxy 
using forwarded port and protocol 443

I suspect your problem is to configure HAProxy to do the part in 2.3 - 
setting X-Forwarded-* headers

On 28/11/2017 13:28, Malte Finsterwalder wrote:
> Thanks for this reference.
> But it still doesn't solve my problem.
> I see I need to describe a little more, what my setup is and what my 
> problem is.
>
> We use HAProxy.
> I have one URL for my keycloak, say: https://keycloak.x.org
> I have another URL for my service, say: https://service.x.org
> These URLs go to HAProxy, which offloads SSL and then directs traffic 
> as HTTP to the servers, which are run in a Kubernetes Cluster.
>
> My keycloak.json file stored in the service is as follows:
>
> {
>    "realm":"myrealm",
>    "auth-server-url":"https://keycloak.x.org/auth",
>    "ssl-required":"all",
>    "resource":"my-client",
>    "principal-attribute":"preferred_username",
>    "public-client":true,
>    "truststore" :"/truststore.jks",
>    "truststore-password" :"mytruststorepassword" }
> I open the service: "https://service.x.org/somepage" in my browser.
> I get redirected to Keycloak for authentication with this URL:
> https://keycloak.x.org/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=http%3A%2F%2Fservice.x.org%2Fsomepage%2F&state=....&login=true&scope=openid
> Keycloak is accessed via https, as stated in the keycloak.json file.
> But as you can see, the embedded redirect_uri is http, not https.
> After Keycloak authenticated the user, keycloak issues a redirect to 
> http://service.x.org/somepage and not https://service.x.org/somepage
> So after authentication my service is accessed via http and not https 
> anymore.
>
> Keycloak's standalone.xml is configured as described in the setup for 
> Apache2 you sent me:
>
>         <subsystem xmlns="urn:jboss:domain:undertow:3.1">
>             <buffer-cache name="default"/>
>             <server name="default-server">
>                 <http-listener proxy-address-forwarding="true" 
> name="default"
>                            socket-binding="http"
>                            redirect-socket="https"/>
>                 <host name="default-host" alias="localhost">
>                     <location name="/" handler="welcome-content"/>
>                     <filter-ref name="server-header"/>
>                     <filter-ref name="x-powered-by-header"/>
>                 </host>
>             </server>
>             <servlet-container name="default">
>                 <jsp-config/>
>                 <websockets/>
>             </servlet-container>
>             <handlers>
>                 <file name="welcome-content" 
> path="${jboss.home.dir}/welcome-content"/>
>             </handlers>
>             <filters>
>                 <response-header name="server-header" 
> header-name="Server" header-value="JBoss-EAP/7"/>
>                 <response-header name="x-powered-by-header" 
> header-name="X-Powered-By" header-value="Undertow/1"/>
>             </filters>
>         </subsystem>
>
>
>     <socket-binding-group name="standard-sockets" 
> default-interface="public" 
> port-offset="${jboss.socket.binding.port-offset:0}">
>         ....
>         <socket-binding name="https" port="${jboss.https.port:8443}"/>
>         ....
>     </socket-binding-group>
>
> Does that make things clearer?
>
> What am I missing?!
>
> Thanks for your help,
>    Malte
>
> On 28 November 2017 at 11:07, Matthew Broadhead 
> <matthew.broadhead at nbmlaw.co.uk> wrote:
>
>     which proxy are you using?  this guide helped me proxy behind apache2
>     http://markus.co/howto/2017/07/27/keycloak-apache.html
>
>     On 28/11/2017 10:57, Malte Finsterwalder wrote:
>     > Thanks for your help, but I can't find anything helpful in the
>     > docs. I scanned the complete documentation and read a lot of it.
>     > Could you point me to a particular chapter?
>     >
>     > To clarify: I don't have a problem with Keycloak being behind a
>     > proxy, that offloads SSL.
>     >
>     > I have a problem with the service being behind a proxy. The
>     > service itself is accessed via HTTP, since SSL is offloaded on the Proxy.
>     > The client adapter then creates a redirect URL as HTTP, not
>     > HTTPS and passes that to Keycloak. So when Keycloak redirects back to the
>     > service, it uses the HTTP URL provided by the client adapter, which is "wrong".
>     >
>     > Thanks,
>     >     Malte
>     >
>     > On 27 November 2017 at 20:26, Stian Thorgersen <sthorger at redhat.com> wrote:
>     >
>     >> Read the docs. There's a section on how to configure Keycloak
>     >> properly when you're using a reverse proxy
>     >>
>     >> On 27 November 2017 at 17:31, Malte Finsterwalder <inofi at gmx.net> wrote:
>     >>
>     >>> Hi there,
>     >>>
>     >>> I have a service running in a JBoss server, that I want to
>     >>> secure via the keycloak adapter.
>     >>> The server is behind a proxy, that offloads SSL, so the server
>     >>> itself gets traffic as http.
>     >>> When the server redirects to keycloak for authentication, the
>     >>> redirect URL supplied to keycloak is http, not https. How can I ensure,
>     >>> that a redirect URL is an https URL?
>     >>>
>     >>> Greetings,
>     >>>     Malte
>     >>> _______________________________________________
>     >>> keycloak-user mailing list
>     >>> keycloak-user at lists.jboss.org
>     >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>     >>>
>     >>
>
>
>
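The behaviour the thread describes, as an added example that is not part of the thread and not Keycloak's own adapter code: it models how a client adapter ends up with an `http` redirect_uri behind an SSL-offloading proxy (assumption: the adapter takes the scheme from the container's view of the request, and the container honours X-Forwarded-Proto only when proxy header handling such as Undertow's proxy-address-forwarding="true" is enabled), and it adds a check that parses the authorization URL quoted above and flags a redirect_uri whose scheme does not match the scheme the service is published on. All function names, the header sample and the STATE_PLACEHOLDER value are constructed for the example.

```python
"""Model of how a Keycloak client adapter derives redirect_uri behind an
SSL-offloading proxy, plus a check that flags an http redirect_uri in the
authorization request. Added example; not Keycloak's own code."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def effective_scheme(socket_scheme, headers, trust_proxy_headers):
    """Scheme the application treats the request as having.

    When the container is told to trust proxy headers (the thread's
    proxy-address-forwarding="true" on the Undertow listener), X-Forwarded-Proto
    overrides the scheme the socket actually saw. Without it, the plain http
    the proxy forwarded is what ends up in every URL the application builds.
    (Modelled behaviour; assumption for this example.)
    """
    if trust_proxy_headers:
        forwarded = headers.get("X-Forwarded-Proto", "")
        if forwarded:
            # A chain of proxies may append values; the first is the client-facing one.
            return forwarded.split(",")[0].strip().lower()
    return socket_scheme


def build_redirect_uri(socket_scheme, host, path, headers, trust_proxy_headers):
    """The redirect_uri the adapter embeds: the current request URL, with the
    scheme resolved as above."""
    scheme = effective_scheme(socket_scheme, headers, trust_proxy_headers)
    return urlunsplit((scheme, host, path, "", ""))


def build_auth_url(auth_server_url, realm, client_id, redirect_uri, state):
    """Authorization endpoint URL of the shape quoted in the thread."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "login": "true",
        "scope": "openid",
    })
    return f"{auth_server_url}/realms/{realm}/protocol/openid-connect/auth?{query}"


def check_redirect_uri(auth_url, expected_scheme="https"):
    """Return (ok, redirect_uri). ok is False when redirect_uri is missing or
    does not use the scheme the service is published on."""
    query = parse_qs(urlsplit(auth_url).query)
    redirect_uri = query.get("redirect_uri", [None])[0]
    if redirect_uri is None:
        return False, None
    return urlsplit(redirect_uri).scheme == expected_scheme, redirect_uri


# Constructed sample: the authorization URL from the thread, with a placeholder state.
THREAD_AUTH_URL = (
    "https://keycloak.x.org/auth/realms/myrealm/protocol/openid-connect/auth"
    "?response_type=code&client_id=my-client"
    "&redirect_uri=http%3A%2F%2Fservice.x.org%2Fsomepage%2F"
    "&state=STATE_PLACEHOLDER&login=true&scope=openid"
)

# Constructed sample: headers a TLS-offloading proxy forwards to the service.
FORWARDED_HEADERS = {"Host": "service.x.org", "X-Forwarded-Proto": "https"}


if __name__ == "__main__":
    ok, uri = check_redirect_uri(THREAD_AUTH_URL)
    print(f"thread URL: redirect_uri={uri} uses https: {ok}")
    for trust in (False, True):
        uri = build_redirect_uri("http", "service.x.org", "/somepage/",
                                 FORWARDED_HEADERS, trust)
        auth = build_auth_url("https://keycloak.x.org/auth", "myrealm",
                              "my-client", uri, "STATE_PLACEHOLDER")
        print(f"trust_proxy_headers={trust}: {check_redirect_uri(auth)}")
```

Two things the model makes visible: the proxy must actually send X-Forwarded-Proto (an `https` value is only consulted when present), and the service's container must be configured to trust it; either half missing reproduces the `http` redirect_uri from the thread. Trusting that header is only safe on listeners reached exclusively through the proxy, since any client that can reach the listener directly could otherwise set it.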
