[keycloak-user] Reverse Proxy issue

Dmitry Telegin dt at acutus.pro
Mon Jul 2 04:58:20 EDT 2018


Henning,

Could you please share your Apache mod_proxy related config directives?
Here's the config we're using:

# keep the client's Host: header so the backend sees the public hostname
ProxyPreserveHost On
# Apache terminates TLS here, so tell the backend the client came in over https
RequestHeader set X-Forwarded-Proto "https"

ProxyPass /auth http://localhost:8080/auth
ProxyPassReverse /auth http://localhost:8080/auth

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-07-02 at 09:54 +0200, Henning Waack wrote:
> Hi.
> 
> Using KC 4.0.0 behind an Apache httpd proxy with SSL termination, I have the issue that KC is returning redirect URIs with http instead of https.
> 
> I have configured KC standalone.xml as follows:
> 
> <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>             <buffer-cache name="default"/>
>             <server name="default-server">
>                 <!--<http-listener name="default" socket-binding="http" redirect-socket="https-proxy" proxy-address-forwarding="true" enable-http2="true"/>-->
>                 <http-listener name="default" socket-binding="http" redirect-socket="https-proxy" proxy-address-forwarding="true"/>
>                 <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
>                 ....
> </subsystem>
> ...
> <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
>        ...
>         <socket-binding name="http" port="${jboss.http.port:8080}"/>
>         <socket-binding name="https" port="${jboss.https.port:8443}"/>
>         <socket-binding name="https-proxy" port="443"/>
> ...
> </socket-binding-group>
> 
> I have enabled the undertow request logging filter, thus seeing that the X-Forwarded-Proto, -For and Host headers are correctly set, but KC is still returning the wrong redirect location, using http instead of https:
> 
> 2018-07-02 09:31:06,785 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) there was no code
> 2018-07-02 09:31:06,785 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) redirecting to auth server
> 2018-07-02 09:31:06,786 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) callback uri: https://nak.xxx.com/auskunftssystem/sso/login
> 2018-07-02 09:31:06,791 DEBUG [org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter] (default task-2) Auth outcome: NOT_ATTEMPTED
> 2018-07-02 09:31:06,792 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) Sending redirect to login page: http://nak.xxx.com/auth/realms/NAK/protocol/openid-connect/auth?response_type=code&client_id=auskunftssystem&redirect_uri=https%3A%2F%2Fnak.xxx.com%2Fauskunftssystem%2Fsso%2Flogin&state=f9a80dfd-df35-4893-9009-513d4793c1d2&login=true&scope=openid
> 2018-07-02 09:31:06,796 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (default task-2) SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 2018-07-02 09:31:06,796 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] (default task-2) SecurityContextHolder now cleared, as request processing completed
> 2018-07-02 09:31:06,802 INFO  [io.undertow.request.dump] (default task-2)
> ----------------------------REQUEST---------------------------
>                URI=/auskunftssystem/sso/login
>  characterEncoding=null
>      contentLength=-1
>        contentType=null
>             cookie=JSESSIONID=zAbSKWq1wWtYZ1CBJ48iZ0s4Gfc42QHc6XKUv_VP.nak
>             cookie=OAuth_Token_Request_State=dacaf5e0-34fe-4efc-842f-405a3575a74f
>             header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>             header=Accept-Language=de,en-US;q=0.7,en;q=0.3
>             header=Accept-Encoding=gzip, deflate, br
>             header=DNT=1
>             header=X-Forwarded-Server=nak.xxx.com, p4FD27CDE.dip0.t-ipconnect.de
>             header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
>             header=Connection=Keep-Alive
>             header=X-Forwarded-Proto=https
>             header=X-Forwarded-For=21.32.236.47, 10.10.66.56
>             header=Cookie=OAuth_Token_Request_State=dacaf5e0-34fe-4efc-842f-405a3575a74f; JSESSIONID=zAbSKWq1wWtYZ1CBJ48iZ0s4Gfc42QHc6XKUv_VP.nak
>             header=Upgrade-Insecure-Requests=1
>             header=Host=nak.xxx.com
>             header=X-Forwarded-Host=nak.xxx.com, nak.xxx.com
>             locale=[de, en_US, en]
>             method=GET
>           protocol=HTTP/1.1
>        queryString=
>         remoteAddr=87.167.236.47:0
>         remoteHost=87.167.236.47
>             scheme=https
>               host=nak.xxx.com
>         serverPort=0
> --------------------------RESPONSE--------------------------
>      contentLength=-1
>        contentType=null
>             cookie=OAuth_Token_Request_State=f9a80dfd-df35-4893-9009-513d4793c1d2; domain=null; path=null
>             header=Expires=0
>             header=Cache-Control=no-cache, no-store, max-age=0, must-revalidate
>             header=Set-Cookie=OAuth_Token_Request_State=f9a80dfd-df35-4893-9009-513d4793c1d2; secure; HttpOnly
>             header=X-XSS-Protection=1; mode=block
>             header=Pragma=no-cache
>             header=Location=http://nak.xxx.com/auth/realms/NAK/protocol/openid-connect/auth?response_type=code&client_id=auskunftssystem&redirect_uri=https%3A%2F%2Fnak.xxx.com%2Fauskunftssystem%2Fsso%2Flogin&state=f9a80dfd-df35-4893-9009-513d4793c1d2&login=true&scope=openid
>             header=X-Frame-Options=DENY
>             header=Date=Mon, 02 Jul 2018 07:31:06 GMT
>             header=Connection=keep-alive
>             header=X-Content-Type-Options=nosniff
>             header=Strict-Transport-Security=max-age=31536000 ; includeSubDomains
>             header=Transfer-Encoding=chunked
>             status=302
> ==============================================================
> 2018-07-02 09:31:07,643 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-3) new JtaTransactionWrapper
> 
> Any idea why KC is returning http instead of https? Am I still missing some header?
> 
> Thanks & greetings
> 
> Henning
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
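A check for the symptom discussed in this thread, added here as an example; it is not part of the original messages, of Keycloak or of Undertow. It parses io.undertow.request.dump output like the one Henning posted and flags, per exchange, whether X-Forwarded-Proto disagrees with the scheme Undertow computed (the request-side check) and whether a 3xx Location uses a different scheme than the client arrived with (the response-side check). The sample dumps are constructed in the shape of the quoted log (hostname, realm and client names reused, most headers dropped); the function and constant names are mine.

```python
"""Audit io.undertow.request.dump output for scheme mismatches behind a TLS-terminating
reverse proxy. Example code, not part of Keycloak, Undertow or the thread above."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

KEY_RE = re.compile(r"^([A-Za-z]+)=(.*)$")  # dump fields are "key=value" once indent is stripped
REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Exchange:
    request: Dict[str, str] = field(default_factory=dict)          # URI, scheme, host, ...
    request_headers: Dict[str, str] = field(default_factory=dict)  # lower-cased name -> value
    response_headers: Dict[str, str] = field(default_factory=dict)
    status: Optional[int] = None


def parse_dumps(text: str) -> List[Exchange]:
    """Split a log into exchanges delimited by the REQUEST / RESPONSE / ===== markers.
    A line that is not key=value (a URL wrapped onto its own line, as in mailing-list
    archives) is glued onto the previous value; that is a heuristic for archived logs."""
    exchanges: List[Exchange] = []
    cur: Optional[Exchange] = None
    section = None  # "req" or "resp"
    last = None     # (dict, key) that receives continuation lines
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.startswith("-") and "REQUEST" in line:
            cur, section, last = Exchange(), "req", None
        elif line.startswith("-") and "RESPONSE" in line:
            section, last = "resp", None
        elif line.startswith("===="):
            if cur is not None:
                exchanges.append(cur)
            cur, section, last = None, None, None
        elif cur is not None:  # ordinary log lines between dumps are skipped
            m = KEY_RE.match(line)
            if m is None:  # continuation of a wrapped value
                if last is not None:
                    last[0][last[1]] += line
            elif m.group(1) == "header":
                name, _, hval = m.group(2).partition("=")
                target = cur.request_headers if section == "req" else cur.response_headers
                target[name.lower()] = hval.strip()
                last = (target, name.lower())
            elif m.group(1) == "status":
                cur.status, last = int(m.group(2).strip()), None
            elif section == "req":
                cur.request[m.group(1)] = m.group(2).strip()
                last = (cur.request, m.group(1))
            else:
                last = None
    return exchanges


def check_forwarded_scheme(ex: Exchange) -> List[str]:
    """Findings for one exchange; empty means proxy header, server view and redirect agree."""
    fwd = ex.request_headers.get("x-forwarded-proto")
    if fwd is None:
        return ["no X-Forwarded-Proto header reached the backend"]
    fwd = fwd.split(",")[0].strip().lower()  # first hop wins if several proxies appended values
    findings: List[str] = []
    seen = ex.request.get("scheme", "").lower()
    if seen != fwd:
        findings.append(f"backend computed scheme={seen!r} despite X-Forwarded-Proto={fwd!r} "
                        "(is proxy-address-forwarding enabled on the listener?)")
    loc = ex.response_headers.get("location", "")
    if ex.status in REDIRECTS and loc:
        scheme = urlsplit(loc).scheme.lower()
        if scheme and scheme != fwd:
            findings.append(f"{ex.status} Location uses {scheme}:// although the client arrived "
                            f"over {fwd}; the redirect was not derived from the forwarded scheme")
    return findings


# Constructed samples in the shape of the dump quoted in the thread (hostname, realm and client
# names reused, most headers dropped). BAD_DUMP reproduces the reported behaviour, with the
# Location wrapped over three lines as in the archive; GOOD_DUMP is the same exchange healthy.
BAD_DUMP = """\
----------------------------REQUEST---------------------------
               URI=/auskunftssystem/sso/login
            header=X-Forwarded-Proto=https
            header=Host=nak.xxx.com
            scheme=https
--------------------------RESPONSE--------------------------
            header=Location=
http://nak.xxx.com/auth/realms/NAK/protocol/openid-connect/auth?respo
nse_type=code&client_id=auskunftssystem&login=true&scope=openid
            status=302
==============================================================
"""
GOOD_DUMP = BAD_DUMP.replace("Location=\nhttp://", "Location=https://")  # https redirect instead

if __name__ == "__main__":  # audit a request-dump log given on the command line, else the samples
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_DUMP + GOOD_DUMP
    for idx, ex in enumerate(parse_dumps(text)):
        print(f"exchange {idx}: {check_forwarded_scheme(ex) or 'ok'}")
```

Run it as `python audit_dump.py server.log` against a log with the request dump enabled. On the quoted dump only the response-side check fires: scheme=https shows the forwarded scheme did reach Undertow, yet the Location is http://. Note that in the quoted log the Location is emitted by org.keycloak.adapters.OAuthRequestAuthenticator, the adapter running inside the application, so the check is worth running on the application's dump as well as on the Keycloak server's.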