[keycloak-user] problem with nginx reverse proxy and ip access control

Derek Gibson derek.gibson at cimenviro.com
Fri Sep 21 03:55:12 EDT 2018


Hi Jernej,

Thanks for the reply. I've gone through pretty much the same iterations. I've also tried manipulating the X-Forwarded-For as you mentioned and it doesn't help either.

In our case we are using Amazon ECS to host Keycloak behind an external facing ALB. I want to be able to restrict the admin console to internal only addresses, so I have an nginx container to reverse-proxy admin requests to keycloak. No matter what configuration I try, I cannot get it to work.

Would be open to any other suggestions

Thanks
Derek


> On 19 Sep 2018, at 13:22, Jernej Porenta <jernej.porenta at 3fs.si> wrote:
> 
> Hey Derek,
> 
> I had the exact same issue and tried multiple options:
> - inverted undertow ip-access-control rule
> - turning the knobs by proxy-address-forwarding mangling (changing headers etc.)
> - checking out the client IP by request logging (which were right in the keycloak logs)
> - multiple ways of specifying the rules within undertow (based on RH documentation)
> 
> None of them worked.
> 
> In the end, I implemented that at nginx level. It isn't the most beautiful solution (k8s nginx ingress), but it is working as expected.
> 
> The only one, which I hadn't tried at that time, is that maybe the X-Forwarded-For header included multiple IPs (X-Forwarded-For: 1.2.3.4 5.6.7.8). You can test that by stripping them and adding only the original one with nginx.
> 
> br, Jernej
> 
>> On 19 Sep 2018, at 12:18, Derek Gibson <derek.gibson at cimenviro.com> wrote:
>> 
>> Hi there,
>> 
>> I'm having a hard time trying to get IP restriction working behind an nginx reverse proxy on Keycloak 4.3
>> 
>> 
>> I have configured an IP filter as per https://www.keycloak.org/docs/4.3/server_admin/#ip-restriction
>> 
>> <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>>   <buffer-cache name="default"/>
>>   <server name="default-server">
>>       <ajp-listener name="ajp" socket-binding="ajp"/>
>>       <http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/>
>>       <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" proxy-address-forwarding="true" enable-http2="true"/>
>>       <host name="default-host" alias="localhost">
>>           <location name="/" handler="welcome-content"/>
>>           <http-invoker security-realm="ApplicationRealm"/>
>>           <filter-ref name="ipAccess"/>
>>       </host>
>>   </server>
>>   <filters>
>>       <expression-filter name="ipAccess" expression="path-prefix('/auth/admin') -> ip-access-control(acl={'10.10.10.10 allow'})"/>
>>   </filters>
>>   <servlet-container name="default">
>>       <jsp-config/>
>>       <websockets/>
>>   </servlet-container>
>>   <handlers>
>>       <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
>>   </handlers>
>> </subsystem>
>> 
>> and my nginx server block
>> 
>> server {
>>   listen        443 ssl;
>>   server_name    keycloak.example.com;
>>   location / {
>>       proxy_set_header Host               $host;
>>       proxy_set_header X-Real-IP          $remote_addr;
>>       proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
>>       proxy_set_header X-Forwarded-Proto  $scheme;
>>       proxy_pass https://keycloak-prx.example.com;
>>   }
>> }
>> 
>> This works as intended when I request it directly, however when I try to access via the nginx reverse proxy I get a 403 regardless of the IP I set in the ip-access-control filter, whether I have the host IP, the proxy, or the gateway.
>> 
>> Undertow debug shows that the correct IPs (as far as I understand what they should be) are being passed by nginx
>> 
>> 10:03:29,564 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth for path /auth/
>> 10:03:29,565 DEBUG [io.undertow.request.security] (default task-3) Authentication result was ATTEMPTED for HttpServerExchange{ GET /auth/ request {X-Real-IP=[10.10.10.20], accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8], X-Amzn-Trace-Id=[Root=1-5b9b8771-70fa72df4ef4bf816434fcc5], accept-language=[en-US,en;q=0.9], accept-encoding=[gzip, deflate, br], user-agent=[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36], Connection=[close], X-Forwarded-Proto=[https], X-Forwarded-Port=[443], X-Forwarded-For=[10.10.10.10, 10.10.10.20], cookie=[_ga=GA1.2.1510178336.1525250562; ajs_user_id=%22ca89cde3-6cac-4197-a5ad-aa966295c66d%22; ajs_anonymous_id=%2228cb540a-cb21-4200-a531-64b11ef909d8%22; ajs_group_id=%22customer%3A1%22], upgrade-insecure-requests=[1], Host=[keycloak.example.com]} response {}}
>> 
>> but I do not get any debug logs for matches for /auth/admin, I only get an entry
>> 
>> 09:42:47,387 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth/admin for path /auth/admin/
>> 
>> and no subsequent security logs for that request 
>> 
>> Have I misconfigured something or could this be a bug?
>> Are there any steps that I can take to debug this further?
>> 
>> My debug settings are
>> <subsystem xmlns="urn:jboss:domain:logging:3.0">
>>   <console-handler name="CONSOLE">
>>       <level name="DEBUG"/>
>>       <formatter>
>>           <named-formatter name="COLOR-PATTERN"/>
>>       </formatter>
>>   </console-handler>
>>   ...
>>   <logger category="io.undertow">
>>       <level name="DEBUG"/>
>>   </logger>
>>   ...
>> </subsystem>
>> All else is INFO.
>> 
>> Would really appreciate any help at all on this
>> thanks
>> Derek
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
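Jernej's last point and Derek's debug log both come down to which entry of a multi-hop X-Forwarded-For (ALB, then nginx, then Keycloak) the ACL actually sees. The following is an added example, not code from the thread, from Undertow or from nginx: it resolves the client address two ways (leftmost entry versus the rightmost entry not belonging to a trusted proxy) and checks it against a rule in the same `'10.10.10.10 allow'` notation as Derek's filter. The trusted-proxy address and the spoofed header are constructed assumptions.

```python
import ipaddress

# Constructed assumption: the proxy hop that talks to Keycloak (nginx at
# 10.10.10.20 in the thread's log). Anything it appends to X-Forwarded-For is
# trusted; anything further left came from an earlier hop or the client itself.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.10.20/32")]


def parse_acl(rules):
    """Parse rules in the '<ip-or-cidr> allow|deny' form used by the filter."""
    acl = []
    for rule in rules:
        target, verdict = rule.split()
        acl.append((ipaddress.ip_network(target, strict=False), verdict == "allow"))
    return acl


def leftmost_hop(xff):
    """First X-Forwarded-For entry: the one a client can supply itself."""
    return ipaddress.ip_address(xff.split(",")[0].strip())


def rightmost_untrusted_hop(xff, trusted=TRUSTED_PROXIES):
    """Walk the header from the right, skipping our own proxies; the first
    address that is not ours is the real client."""
    hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    for hop in reversed(hops):
        if not any(hop in net for net in trusted):
            return hop
    return hops[0]  # every hop was one of our proxies


def evaluate(ip, acl, default_allow=False):
    """Ordered ACL: first matching rule wins, otherwise the default applies."""
    for net, allow in acl:
        if ip in net:
            return allow
    return default_allow


ADMIN_ACL = parse_acl(["10.10.10.10 allow"])

# Header value exactly as it appears in the Undertow debug log above.
LEGIT = "10.10.10.10, 10.10.10.20"
# Constructed: a client sent its own X-Forwarded-For and nginx appended to it.
SPOOFED = "10.10.10.10, 203.0.113.5, 10.10.10.20"


def decide(xff, resolver):
    """Apply ADMIN_ACL to the client address chosen by the given resolver."""
    return evaluate(resolver(xff), ADMIN_ACL)
```

With the log's header both strategies admit 10.10.10.10; with the constructed spoofed header only the rightmost-untrusted walk denies it, which is why overwriting X-Forwarded-For at the first trusted hop (as Jernej suggests doing in nginx) matters.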

