[keycloak-user] admin/api interface ip restrictions

Jernej Porenta jernej.porenta at 3fs.si
Sat Aug 25 05:13:57 EDT 2018


Hey,

maybe to add a bit more info:
- keycloak installed with jboss/keycloak:4.0.0.Final image onto k8s using helm chart
- proxy mode engaged:
      /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
      /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https)
      /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)

I am really running out of ideas, what to change to get this running. I’ve tried without success:
- changing the format of undertow acl specification
- adding the proxy-peer-filter:
	/subsystem=undertow/configuration=filter/expression-filter=my-proxy-peer-address:add( expression="proxy-peer-address")
	/subsystem=undertow/server=default-server/host=default-host/filter-ref=my-proxy-peer-address:add()
- tried without ingress controller using `X-Forwarded-For` directly to keycloak pod

Any clues?

Thank you in advance,

br, Jernej

> On 24 Aug 2018, at 16:15, Jernej Porenta <jernej.porenta at 3fs.si> wrote:
> 
> Hey,
> 
> based on the documentation for IP restrictions (https://www.keycloak.org/docs/latest/server_admin/index.html#ip-restriction), I’ve tried to set up a filter which would allow accessing administrative interfaces only from specific IPs.
> 
> We have used the following commands:
> /subsystem=undertow/configuration=filter/expression-filter=ipAccess:add(,expression="path-prefix[/auth/admin] -> ip-access-control(acl={'193.189.160.11/32 allow'})")
> /subsystem=undertow/server=default-server/host=default-host/filter-ref=ipAccess:add()
> 
> But unfortunately, this has totally blocked our access to administrative interfaces.
> 
> We are running this setup in k8s behind Azure Application Gateway and k8s ingress nginx controller. Both proxies have been configured to add `X-Forwarded-For` headers, while we are still receiving 403 error.
> 
> We have dug into the issue a bit more and got a bit more information:
> - it seems Keycloak sees the right IP when we try to log in to a fake realm
> 12:29:41,069 WARN  [org.keycloak.events] (default task-40) type=LOGIN_ERROR, realmId=master, clientId=account, userId=null, ipAddress=193.189.160.11, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://taurus1.siol.net/auth/realms/master/account/login-redirect, code_id=13e0eb84-852a-47b0-94e8-d469fb66219d, username=asdfasd
> 
> - but when we try to access admin console, we get 403. The requestDumper gives us this:
> ==============================================================
> 14:13:36,876 INFO  [io.undertow.request.dump] (default I/O-6)
> ----------------------------REQUEST---------------------------
>               URI=/auth/admin/
> characterEncoding=null
>     contentLength=-1
>       contentType=null
>            cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564
>            header=X-Real-IP=193.189.160.11
>            header=Cache-Control=max-age=0
>            header=Accept-Encoding=gzip, deflate, br
>            header=X-Request-ID=2eb23a96b4fba4324505c7c5df424c64
>            header=X-Original-Forwarded-For=193.189.160.11:58359
>            header=X-Scheme=https
>            header=Connection=close
>            header=X-Forwarded-Port=443
>            header=X-ORIGINAL-HOST=taurus1.siol.net
>            header=X-Forwarded-For=193.189.160.11
>            header=X-ARR-SSL=3072|256|C=FI, S=Jorvas, L=Jorvas, O=Ericsson, OU=IoT, CN=IoT, E=spam at ericsson.com|CN=dev.example.com, S=Stockholm, C=SE, O=Ericsson, OU=Development
>            header=Cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564
>            header=Host=taurus1.siol.net
>            header=X-Forwarded-Host=taurus1.siol.net
>            header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
>            header=Accept-Language=en-US,en;q=0.9
>            header=Max-Forwards=10
>            header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
>            header=SEC-WEBSOCKET-EXTENSIONS=
>            header=X-ARR-LOG-ID=5394f13f-d8a8-490b-9853-efd8e115e3a6
>            header=X-Forwarded-Proto=https
>            header=X-Original-URI=/auth/admin/
>            header=X-Original-URL=/auth/admin/
>            header=Upgrade-Insecure-Requests=1
>            locale=[en_US, en]
>            method=GET
>          protocol=HTTP/1.1
>       queryString=
>        remoteAddr=193.189.160.11:0
>        remoteHost=193.189.160.11
>            scheme=https
>              host=taurus1.siol.net
>        serverPort=443
> --------------------------RESPONSE--------------------------
>     contentLength=74
>       contentType=text/html
>            header=Connection=close
>            header=Content-Length=74
>            header=Content-Type=text/html
>            header=Date=Fri, 24 Aug 2018 14:13:36 GMT
>            status=403
> ==============================================================
> 
> Any clues what we are doing wrong?
> 
> Thank you in advance, br, Jernej
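To make the ACL semantics in the thread concrete, here is an added Python model (written for this archive page, not Undertow's or Keycloak's code) of an ip-access-control filter evaluated behind trusted proxies: only hops inside a trusted proxy range are peeled off the X-Forwarded-For chain, and the resulting client address is checked against the ACL entry from the post. The ACL entry and 193.189.160.11 come from the request dump above; the trusted range 10.0.0.0/8 and the pod address 10.244.1.5 are assumptions.

```python
import ipaddress

# ACL entries exactly as written in the Undertow expression on the page: "<cidr> allow|deny".
ADMIN_ACL = ["193.189.160.11/32 allow"]

# Assumed (constructed) range for the proxies in front of Keycloak: ingress pods and gateway.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def parse_acl(entries):
    """Turn 'cidr action' strings into ordered (network, allowed) tuples."""
    acl = []
    for entry in entries:
        cidr, action = entry.split()
        acl.append((ipaddress.ip_network(cidr, strict=False), action == "allow"))
    return acl


def strip_port(addr):
    """'193.189.160.11:0' (as in the dump's remoteAddr) -> '193.189.160.11'."""
    host, sep, port = addr.rpartition(":")
    return host if sep and port.isdigit() and "." in host else addr


def client_ip(remote_addr, headers, trusted_proxies):
    """Resolve the client address the way a proxy-aware filter must: walk the
    X-Forwarded-For chain from the right, stripping only hops that are trusted
    proxies; the first untrusted address is the client. A forwarded header
    presented by an untrusted peer is therefore never honoured."""
    trusted = [ipaddress.ip_network(c) for c in trusted_proxies]
    chain = [strip_port(h.strip()) for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    candidate = ipaddress.ip_address(strip_port(remote_addr))
    while chain and any(candidate in net for net in trusted):
        candidate = ipaddress.ip_address(chain.pop())
    return candidate


def ip_access_control(ip, acl, default_allow=False):
    """First matching ACL entry wins; like Undertow's handler, deny when nothing matches."""
    for net, allowed in acl:
        if ip in net:
            return allowed
    return default_allow


def admin_allowed(remote_addr, headers):
    """Decision for a request to the admin path, given the peer address and its headers."""
    return ip_access_control(client_ip(remote_addr, headers, TRUSTED_PROXIES), parse_acl(ADMIN_ACL))


if __name__ == "__main__":
    # Constructed request: the pod sees the ingress (10.244.1.5) with the forwarded client.
    print(admin_allowed("10.244.1.5", {"X-Forwarded-For": "193.189.160.11"}))
```

The second case in the assertions is the 403 pattern from the thread: when the listener has not rewritten the peer address, the ACL is evaluated against the ingress pod's IP, which matches nothing and is denied by default.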
