[keycloak-user] admin/api interface ip restrictions
Jernej Porenta
jernej.porenta at 3fs.si
Sat Aug 25 05:13:57 EDT 2018
Hey,
maybe to add a bit more info:
- keycloak installed with jboss/keycloak:4.0.0.Final image onto k8s using helm chart
- proxy mode engaged:
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)
I am really running out of ideas about what to change to get this running. I’ve tried the following without success:
- changing the format of undertow acl specification
- adding the proxy-peer-filter:
/subsystem=undertow/configuration=filter/expression-filter=my-proxy-peer-address:add(expression="proxy-peer-address")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=my-proxy-peer-address:add()
- tried without the ingress controller, sending `X-Forwarded-For` directly to the Keycloak pod
Any clues?
Thank you in advance,
br, Jernej
> On 24 Aug 2018, at 16:15, Jernej Porenta <jernej.porenta at 3fs.si> wrote:
>
> Hey,
>
> based on the documentation for IP restrictions (https://www.keycloak.org/docs/latest/server_admin/index.html#ip-restriction), I’ve tried to set up a filter which would allow access to the administrative interfaces only from specific IPs.
>
> We have used the following commands:
> /subsystem=undertow/configuration=filter/expression-filter=ipAccess:add(expression="path-prefix[/auth/admin] -> ip-access-control(acl={'193.189.160.11/32 allow'})")
> /subsystem=undertow/server=default-server/host=default-host/filter-ref=ipAccess:add()
>
> But unfortunately, this has totally blocked our access to administrative interfaces.
>
> We are running this setup in k8s behind Azure Application Gateway and the k8s ingress nginx controller. Both proxies have been configured to add `X-Forwarded-For` headers, yet we are still receiving a 403 error.
>
> We have dug into the issue a bit more and got some more information:
> - it seems Keycloak sees the right IP when we try to log in to a fake realm
> 12:29:41,069 WARN [org.keycloak.events] (default task-40) type=LOGIN_ERROR, realmId=master, clientId=account, userId=null, ipAddress=193.189.160.11, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://taurus1.siol.net/auth/realms/master/account/login-redirect, code_id=13e0eb84-852a-47b0-94e8-d469fb66219d, username=asdfasd
>
> - but when we try to access the admin console, we get a 403. The requestDumper gives us this:
> ==============================================================
> 14:13:36,876 INFO [io.undertow.request.dump] (default I/O-6)
> ----------------------------REQUEST---------------------------
> URI=/auth/admin/
> characterEncoding=null
> contentLength=-1
> contentType=null
> cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564
> header=X-Real-IP=193.189.160.11
> header=Cache-Control=max-age=0
> header=Accept-Encoding=gzip, deflate, br
> header=X-Request-ID=2eb23a96b4fba4324505c7c5df424c64
> header=X-Original-Forwarded-For=193.189.160.11:58359
> header=X-Scheme=https
> header=Connection=close
> header=X-Forwarded-Port=443
> header=X-ORIGINAL-HOST=taurus1.siol.net
> header=X-Forwarded-For=193.189.160.11
> header=X-ARR-SSL=3072|256|C=FI, S=Jorvas, L=Jorvas, O=Ericsson, OU=IoT, CN=IoT, E=spam at ericsson.com|CN=dev.example.com, S=Stockholm, C=SE, O=Ericsson, OU=Development
> header=Cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564
> header=Host=taurus1.siol.net
> header=X-Forwarded-Host=taurus1.siol.net
> header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
> header=Accept-Language=en-US,en;q=0.9
> header=Max-Forwards=10
> header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
> header=SEC-WEBSOCKET-EXTENSIONS=
> header=X-ARR-LOG-ID=5394f13f-d8a8-490b-9853-efd8e115e3a6
> header=X-Forwarded-Proto=https
> header=X-Original-URI=/auth/admin/
> header=X-Original-URL=/auth/admin/
> header=Upgrade-Insecure-Requests=1
> locale=[en_US, en]
> method=GET
> protocol=HTTP/1.1
> queryString=
> remoteAddr=193.189.160.11:0
> remoteHost=193.189.160.11
> scheme=https
> host=taurus1.siol.net
> serverPort=443
> --------------------------RESPONSE--------------------------
> contentLength=74
> contentType=text/html
> header=Connection=close
> header=Content-Length=74
> header=Content-Type=text/html
> header=Date=Fri, 24 Aug 2018 14:13:36 GMT
> status=403
> ==============================================================
>
> Any clues as to what we are doing wrong?
>
> Thank you in advance, br, Jernej
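As an added example (not code from this thread, from Keycloak or from Undertow), the Python below models the decision the `path-prefix[/auth/admin] -> ip-access-control(...)` filter in the quoted message has to make once a reverse proxy is in front of the listener: which address counts as the client, and whether that address matches the ACL. The ACL semantics it assumes are the documented Undertow parameters (`acl` rules of the form `<ip-or-cidr> allow|deny` checked in order, first match wins; `default-allow` false; `failure-status` 403); that the leftmost `X-Forwarded-For` entry is taken as the client is also an assumption. Two things are additions of this example rather than Undertow behaviour: the header is only honoured when the TCP peer is in a trusted-proxy set (`10.0.0.0/8` here is a hypothetical value), and an IPv4-mapped IPv6 peer is unwrapped so that an IPv4 rule can match it. The sample request is constructed after the requestDumper output above.

```python
"""Model of an ip-access-control ACL evaluated behind a reverse proxy.

Added example; not Keycloak's or Undertow's code. Assumed semantics:
rules "<ip-or-cidr> allow|deny" are checked in order, first match wins,
no match -> default_allow (False), denial -> failure_status (403).
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

ADMIN_PREFIX = "/auth/admin"
# The ACL from the thread: one allow rule, everything else falls to default_allow.
ACL = ["193.189.160.11/32 allow"]
# Hypothetical value: the address range the ingress pods connect from.
TRUSTED_PROXIES = ["10.0.0.0/8"]

# Constructed sample, shaped after the requestDumper output in the thread.
SAMPLE_REQUEST = {
    "path": "/auth/admin/",
    "peer": "10.0.0.5:43210",           # the ingress pod, as the TCP peer
    "headers": {"X-Forwarded-For": "193.189.160.11", "X-Real-IP": "193.189.160.11"},
}


def strip_port(addr: str) -> str:
    """'193.189.160.11:0' -> '193.189.160.11'; '[::1]:443' -> '::1'; bare IPs unchanged."""
    if addr.startswith("["):
        return addr[1 : addr.index("]")]
    if addr.count(":") == 1:  # exactly one colon: IPv4 with a port
        return addr.rsplit(":", 1)[0]
    return addr


def normalize(ip):
    """Unwrap ::ffff:a.b.c.d so an IPv4 ACL rule can match a peer seen on an IPv6 socket."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def parse_acl(rules: Iterable[str]) -> List[Tuple[ipaddress._BaseNetwork, bool]]:
    """Turn ["193.189.160.11/32 allow", ...] into [(network, allow?), ...]."""
    parsed = []
    for rule in rules:
        pattern, action = rule.strip().rsplit(None, 1)
        if action not in ("allow", "deny"):
            raise ValueError(f"bad rule: {rule!r}")
        # strict=False so a bare address becomes a /32 (or /128) network.
        parsed.append((ipaddress.ip_network(pattern, strict=False), action == "allow"))
    return parsed


def client_ip(peer: str, headers: Dict[str, str], trusted: Iterable[str]):
    """Address the ACL is checked against.

    Takes the leftmost X-Forwarded-For entry as the client, but only when the
    TCP peer is a trusted proxy (added hardening: a listener that honours the
    header from any peer can be bypassed by whoever reaches it directly, which
    is what sending X-Forwarded-For straight to the pod demonstrates).
    """
    peer_ip = normalize(ipaddress.ip_address(strip_port(peer)))
    xff = header(headers, "X-Forwarded-For")
    if xff and any(peer_ip in ipaddress.ip_network(n) for n in trusted):
        leftmost = xff.split(",")[0].strip()
        return normalize(ipaddress.ip_address(strip_port(leftmost)))
    return peer_ip


def acl_decision(ip, acl, default_allow: bool = False) -> bool:
    """First matching rule wins; no match falls back to default_allow."""
    for net, allow in acl:
        if ip in net:  # False across address families, so v4 rules never match v6 peers
            return allow
    return default_allow


def ip_access_control(path: str, peer: str, headers: Dict[str, str], acl=ACL,
                      trusted=TRUSTED_PROXIES, default_allow=False, failure_status=403):
    """Return (status, evaluated_ip). Paths outside the admin prefix pass through."""
    if not path.startswith(ADMIN_PREFIX):
        return 200, None
    ip = client_ip(peer, headers, trusted)
    allowed = acl_decision(ip, parse_acl(acl), default_allow)
    return (200 if allowed else failure_status), str(ip)


if __name__ == "__main__":
    r = SAMPLE_REQUEST
    print(ip_access_control(r["path"], r["peer"], r["headers"]))
```

The trusted-proxy gate is the check to keep in mind when reading the `proxy-address-forwarding=true` setting above: it tells the listener to believe the forwarding headers, and in the configuration shown nothing restricts which peers may send them, so any client that can reach the pod without passing through the ingress (as the direct-to-pod test does) picks its own `X-Forwarded-For`. Restricting who can reach the listener (for example a NetworkPolicy allowing only the ingress pods) or applying the admin ACL at the ingress itself closes that path.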