[keycloak-user] admin/api interface ip restrictions

Jernej Porenta jernej.porenta at 3fs.si
Fri Aug 24 10:15:29 EDT 2018


Hey,

Based on the documentation for IP restrictions (https://www.keycloak.org/docs/latest/server_admin/index.html#ip-restriction), I've tried to set up a filter which would allow access to the administrative interfaces only from specific IPs.

We have used the following commands:
/subsystem=undertow/configuration=filter/expression-filter=ipAccess:add(expression="path-prefix[/auth/admin] -> ip-access-control(acl={'193.189.160.11/32 allow'})")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=ipAccess:add()

But unfortunately, this has totally blocked our access to administrative interfaces.

We are running this setup in k8s behind Azure Application Gateway and the k8s ingress nginx controller. Both proxies have been configured to add `X-Forwarded-For` headers, yet we are still receiving 403 errors.

We have dug into the issue a bit more and got some more information:
- as it seems, Keycloak sees the right IP when we try to log into a fake realm:
12:29:41,069 WARN  [org.keycloak.events] (default task-40) type=LOGIN_ERROR, realmId=master, clientId=account, userId=null, ipAddress=193.189.160.11, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://taurus1.siol.net/auth/realms/master/account/login-redirect, code_id=13e0eb84-852a-47b0-94e8-d469fb66219d, username=asdfasd

- but when we try to access the admin console, we get 403. The requestDumper gives us this:
==============================================================
14:13:36,876 INFO  [io.undertow.request.dump] (default I/O-6)
----------------------------REQUEST---------------------------
               URI=/auth/admin/
 characterEncoding=null
     contentLength=-1
       contentType=null
            cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564
            header=X-Real-IP=193.189.160.11
            header=Cache-Control=max-age=0
            header=Accept-Encoding=gzip, deflate, br
            header=X-Request-ID=2eb23a96b4fba4324505c7c5df424c64
            header=X-Original-Forwarded-For=193.189.160.11:58359
            header=X-Scheme=https
            header=Connection=close
            header=X-Forwarded-Port=443
            header=X-ORIGINAL-HOST=taurus1.siol.net
            header=X-Forwarded-For=193.189.160.11
            header=X-ARR-SSL=3072|256|C=FI, S=Jorvas, L=Jorvas, O=Ericsson, OU=IoT, CN=IoT, E=spam at ericsson.com|CN=dev.example.com, S=Stockholm, C=SE, O=Ericsson, OU=Development
            header=Cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564
            header=Host=taurus1.siol.net
            header=X-Forwarded-Host=taurus1.siol.net
            header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
            header=Accept-Language=en-US,en;q=0.9
            header=Max-Forwards=10
            header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
            header=SEC-WEBSOCKET-EXTENSIONS=
            header=X-ARR-LOG-ID=5394f13f-d8a8-490b-9853-efd8e115e3a6
            header=X-Forwarded-Proto=https
            header=X-Original-URI=/auth/admin/
            header=X-Original-URL=/auth/admin/
            header=Upgrade-Insecure-Requests=1
            locale=[en_US, en]
            method=GET
          protocol=HTTP/1.1
       queryString=
        remoteAddr=193.189.160.11:0
        remoteHost=193.189.160.11
            scheme=https
              host=taurus1.siol.net
        serverPort=443
--------------------------RESPONSE--------------------------
     contentLength=74
       contentType=text/html
            header=Connection=close
            header=Content-Length=74
            header=Content-Type=text/html
            header=Date=Fri, 24 Aug 2018 14:13:36 GMT
            status=403
==============================================================

Any clues as to what we are doing wrong?

Thank you in advance, br, Jernej
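To reason about what the ip-access-control filter decides for a request like the one dumped above, here is an added Python helper (example code, not Keycloak's or Undertow's own) that pulls remoteAddr and X-Forwarded-For out of a requestDumper block and evaluates an acl list the way the handler is documented to: entries in order, first match wins, deny when nothing matches (default-allow=false). It assumes the IPv4 dump format shown in the post; the embedded dump is a constructed, abbreviated copy of it, and malformed entries (e.g. ones wrapped in typographic quotes by a mail client) are rejected rather than silently ignored.

```python
import ipaddress
import re

# Constructed, abbreviated copy of the requestDumper block from the post.
SAMPLE_DUMP = """\
----------------------------REQUEST---------------------------
               URI=/auth/admin/
            header=X-Real-IP=193.189.160.11
            header=X-Forwarded-For=193.189.160.11
         remoteAddr=193.189.160.11:0
         remoteHost=193.189.160.11
--------------------------RESPONSE--------------------------
             status=403
"""


def parse_dump(dump):
    """Return (remote_ip, x_forwarded_for) from a requestDumper block (IPv4 assumed)."""
    remote = re.search(r"^\s*remoteAddr=(\S+)", dump, re.M)
    xff = re.search(r"^\s*header=X-Forwarded-For=(\S+)", dump, re.M)
    # remoteAddr is printed as "ip:port"; the filter matches on the ip part only.
    remote_ip = re.sub(r":\d+$", "", remote.group(1)) if remote else None
    return remote_ip, (xff.group(1) if xff else None)


def parse_acl(entries):
    """'193.189.160.11/32 allow' -> [(ip_network, True)]; reject anything malformed."""
    rules = []
    for entry in entries:
        parts = entry.split()
        if len(parts) != 2 or parts[1] not in ("allow", "deny"):
            raise ValueError(f"malformed acl entry: {entry!r}")
        rules.append((ipaddress.ip_network(parts[0], strict=False), parts[1] == "allow"))
    return rules


def acl_allows(ip, rules, default_allow=False):
    """First matching rule wins; no match falls back to default_allow (deny by default)."""
    addr = ipaddress.ip_address(ip)
    for net, allow in rules:
        if addr in net:
            return allow
    return default_allow


if __name__ == "__main__":
    remote_ip, xff = parse_dump(SAMPLE_DUMP)
    rules = parse_acl(["193.189.160.11/32 allow"])
    print(f"remoteAddr={remote_ip} X-Forwarded-For={xff} allowed={acl_allows(remote_ip, rules)}")
```

Running it against the dump shows the address the filter is matching and whether the acl as written would admit it, which separates a proxy-forwarding problem from an acl-syntax problem.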

