[keycloak-user] Services behind a Proxy that offloads SSL

Michael Liebe Michael.Liebe at ist.com
Tue Nov 28 08:14:24 EST 2017


Hi,

It seems that your application server doesn’t recognize the X-Forwarded-Proto header. I assume that your HA proxy already sends this header because Keycloak works correctly. Keycloak is aware of this header because you have set proxy-address-forwarding="true".  You wrote that your service is running in a JBoss server which I’m not familiar with but I would expect that there is a similar configuration.
I hope this helps.
Michael
   

On 2017-11-28, 13:28, "keycloak-user-bounces at lists.jboss.org on behalf of Malte Finsterwalder" <keycloak-user-bounces at lists.jboss.org on behalf of inofi at gmx.net> wrote:

    Thanks for this reference.
    But it still doesn't solve my problem.
    I see I need to describe a little more, what my setup is and what my
    problem is.
    
    We use HAProxy.
    I have one URL for my keycloak, say: https://keycloak.x.org
    I have another URL for my service, say: https://service.x.org
    These URLs go to HAProxy, which offloads SSL and then directs traffic as
    HTTP to the servers, which are run in a Kubernetes Cluster.
    
    My keycloak.json file stored in the service is as follows:
    
    {
      "realm": "myrealm",
      "auth-server-url": "https://keycloak.x.org/auth",
      "ssl-required": "all",
      "resource": "my-client",
      "principal-attribute": "preferred_username",
      "public-client": true,
      "truststore" : "/truststore.jks",
      "truststore-password" : "mytruststorepassword"
    }
    
    I open the service: "https://service.x.org/somepage" in my browser.
    I get redirected to Keycloak for authentication with this URL:
    https://keycloak.x.org/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=http%3A%2F%2Fservice.x.org%2Fsomepage%2F&state=....&login=true&scope=openid
    Keycloak is accessed via https, as stated in the keycloak.json file.
    But as you can see, the embedded redirect_uri is http, not https.
    After Keycloak authenticated the user, keycloak issues a redirect to
    http://service.x.org/somepage and not https://service.x.org/somepage
    So after authentication my service is accessed via http and not https anymore.
    
    Keycloak's standalone.xml is configured as described in the setup for
    Apache2 you sent me:
    
        <subsystem xmlns="urn:jboss:domain:undertow:3.1">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener proxy-address-forwarding="true"
                               name="default"
                               socket-binding="http"
                               redirect-socket="https"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <filter-ref name="server-header"/>
                    <filter-ref name="x-powered-by-header"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config/>
                <websockets/>
            </servlet-container>
            <handlers>
                <file name="welcome-content"
                      path="${jboss.home.dir}/welcome-content"/>
            </handlers>
            <filters>
                <response-header name="server-header" header-name="Server"
                                 header-value="JBoss-EAP/7"/>
                <response-header name="x-powered-by-header"
                                 header-name="X-Powered-By" header-value="Undertow/1"/>
            </filters>
        </subsystem>

        <socket-binding-group name="standard-sockets"
                              default-interface="public"
                              port-offset="${jboss.socket.binding.port-offset:0}">
            ....
            <socket-binding name="https" port="${jboss.https.port:8443}"/>
            ....
        </socket-binding-group>
    
    Does that make things clearer?
    
    What am I missing?!
    
    Thanks for your help,
       Malte
    
    On 28 November 2017 at 11:07, Matthew Broadhead <
    matthew.broadhead at nbmlaw.co.uk> wrote:
    
    > which proxy are you using?  this guide helped me proxy behind apache2
    > http://markus.co/howto/2017/07/27/keycloak-apache.html
    >
    > On 28/11/2017 10:57, Malte Finsterwalder wrote:
    > > Thanks for your help, but I can't find anything helpful in the docs. I
    > > scanned the complete documentation and read a lot of it.
    > > Could you point me to a particular chapter?
    > >
    > > To clarify: I don't have a problem with Keycloak being behind a proxy
    > > that offloads SSL.
    > >
    > > I have a problem with the service being behind a proxy. The service
    > > itself is accessed via HTTP, since SSL is offloaded on the Proxy.
    > > The client adapter then creates a redirect URL as HTTP, not HTTPS and
    > > passes that to Keycloak. So when Keycloak redirects back to the service,
    > > it uses the HTTP URL provided by the client adapter, which is "wrong".
    > >
    > > Thanks,
    > >     Malte
    > >
    > > On 27 November 2017 at 20:26, Stian Thorgersen <sthorger at redhat.com>
    > > wrote:
    > >
    > >> Read the docs. There's a section on how to configure Keycloak properly
    > >> when you're using a reverse proxy
    > >>
    > >> On 27 November 2017 at 17:31, Malte Finsterwalder <inofi at gmx.net>
    > >> wrote:
    > >>
    > >>> Hi there,
    > >>>
    > >>> I have a service running in a JBoss server, that I want to secure via
    > >>> the keycloak adapter.
    > >>> The server is behind a proxy, that offloads SSL, so the server itself
    > >>> gets traffic as http.
    > >>> When the server redirects to keycloak for authentication, the redirect
    > >>> URL supplied to keycloak is http, not https. How can I ensure, that a
    > >>> redirect URL is an https URL?
    > >>>
    > >>> Greetings,
    > >>>     Malte
    > >>> _______________________________________________
    > >>> keycloak-user mailing list
    > >>> keycloak-user at lists.jboss.org
    > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
    > >>>
    > >>
    
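Added example (not code from this thread, from Keycloak or from Undertow): it models the behaviour the reply above asks the application server for, honouring X-Forwarded-Proto only when the request arrives from the trusted HAProxy address range, and shows how that changes the redirect_uri the adapter embeds in the Keycloak authorization URL quoted in the thread. The proxy network, the peer addresses and the state value are assumptions.

```python
"""Derive the browser-facing scheme behind an SSL-offloading proxy.

X-Forwarded-Proto is trusted only from the proxy's own address range;
a header sent directly by a client is ignored, otherwise any client
could dictate the scheme of the redirect_uri (or claim https to satisfy
an ssl-required check).
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlencode

# Assumption: HAProxy runs inside the cluster network, not on the Internet.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

AUTH_ENDPOINT = "https://keycloak.x.org/auth/realms/myrealm/protocol/openid-connect/auth"


def effective_scheme(headers, peer_ip, listener_scheme="http"):
    """Scheme the browser used: forwarded value if the peer is a trusted proxy."""
    peer = ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return listener_scheme  # untrusted peer: ignore the header entirely
    # A chain of proxies may append values; the first one is the client-facing hop.
    proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
    return proto if proto in ("http", "https") else listener_scheme


def build_auth_redirect(headers, peer_ip, host, path, client_id, state):
    """Authorization URL the adapter redirects to, with redirect_uri derived
    from the effective scheme rather than the plain-HTTP listener."""
    redirect_uri = f"{effective_scheme(headers, peer_ip)}://{host}{path}"
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "login": "true",
        "scope": "openid",
    })
    return f"{AUTH_ENDPOINT}?{query}"


# Constructed requests: one relayed by HAProxy, one sent directly to the
# plain-HTTP listener with a forged header.
PROXIED = ({"Host": "service.x.org", "X-Forwarded-Proto": "https"}, "10.1.2.3")
FORGED = ({"Host": "service.x.org", "X-Forwarded-Proto": "https"}, "203.0.113.9")

if __name__ == "__main__":
    for hdrs, peer in (PROXIED, FORGED):
        print(peer, build_auth_redirect(hdrs, peer, "service.x.org", "/somepage/", "my-client", "s1"))
```

With the proxied request the redirect_uri becomes https://service.x.org/somepage/, which is what the thread expected Keycloak to receive; the forged one stays on the listener's http scheme.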