<div dir="ltr">The error &#39;<span style="font-size:12.8px">org.apache.http.conn.</span><span style="font-size:12.8px">HttpHostConnectException: Connection to </span><a href="https://sso2.domain.com/" target="_blank" style="font-size:12.8px">https://sso2.domain.com</a><span style="font-size:12.8px"> refused&#39; means that either there is a server-side problem - your Nginx isn&#39;t started and listening on port 443, or a firewall is preventing incoming connections - or there is a client-side problem - a DNS issue improperly resolving <a href="http://sso2.domain.com">sso2.domain.com</a> into an IP on the host where Tomcat is running.</span><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">At this point no SSL handshake has been attempted yet.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">If you try &#39;curl <a href="https://sso2.domain.com">https://sso2.domain.com</a>&#39; or &#39;telnet <a href="http://sso2.domain.com">sso2.domain.com</a> 443&#39; from the server running your Tomcat you&#39;ll see the same issue. Once that starts to work, only then will any SSL / proxying-related configuration issues start to manifest themselves.</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 30, 2015 at 11:34 PM, Christopher Wallace <span dir="ltr">&lt;<a href="mailto:cjwallac@gmail.com" target="_blank">cjwallac@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Community, I have spent a decent amount of time attempting to get KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application. It does work without the proxy, but I need the proxy to handle certificates. I think I am pretty close to having it working, but something seems to be missing... I have done the following.
I appreciate any insight you may have as I think I have exhausted other resources. <div><b><br></b></div><div><b>1. Configure a server in NGINX</b></div><div>
<pre style="font-size:0.9em;font-family:courrier,monospace;display:block;color:rgb(51,51,51);overflow:auto;padding:5px 15px 5px 25px;border:1px solid rgb(204,204,204);background-color:rgb(245,245,245)">server {
    # terminate TLS here; the upstream Keycloak/Tomcat listener is plain HTTP
    listen 443 ssl;

    ssl_certificate     /etc/ssl/certs/dcf30de94f28f16f.crt;
    # nginx takes this path literally: the '*' must be part of the actual
    # filename, no glob expansion is done
    ssl_certificate_key /etc/ssl/certs/*.domain.key;

    server_name sso2.domain.com;
    access_log  /var/log/nginx/nginx.sso.access.log;
    error_log   /var/log/nginx/nginx.sso.error.log;

    location / {
        # forward the original host, client address, scheme and port so that
        # Keycloak builds its redirect/issuer URLs from the proxy, not the
        # internal listener
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
        proxy_pass http://internalip:8080;
    }
}</pre><p><b>2. Enable SSL on a Reverse Proxy</b></p><p>First add <code>proxy-address-forwarding</code> and <code>redirect-socket</code> to the <code>http-listener</code> element:</p><pre style="font-size:0.9em;font-family:courrier,monospace;display:block;color:rgb(51,51,51);overflow:auto;padding:5px 15px 5px 25px;border:1px solid rgb(204,204,204);background-color:rgb(245,245,245)">&lt;subsystem xmlns=&quot;urn:jboss:domain:undertow:1.1&quot;&gt;
    ...
    &lt;http-listener name=&quot;default&quot; socket-binding=&quot;http&quot; proxy-address-forwarding=&quot;true&quot; redirect-socket=&quot;proxy-https&quot;/&gt;
    ...
&lt;/subsystem&gt;</pre><p>Then add a new <code>socket-binding</code> element to the <code>socket-binding-group</code> element:</p><pre style="font-size:0.9em;font-family:courrier,monospace;display:block;color:rgb(51,51,51);overflow:auto;padding:5px 15px 5px 25px;border:1px solid rgb(204,204,204);background-color:rgb(245,245,245)">&lt;socket-binding-group name=&quot;standard-sockets&quot; default-interface=&quot;public&quot; port-offset=&quot;${jboss.socket.binding.port-offset:0}&quot;&gt;
    ...
    &lt;socket-binding name=&quot;proxy-https&quot; port=&quot;443&quot;/&gt;
    ...
&lt;/socket-binding-group&gt;</pre><p><b>RECEIVE THE FOLLOWING ERROR in TOMCAT:</b></p><pre style="font-size:0.9em;font-family:courrier,monospace;display:block;color:rgb(51,51,51);overflow:auto;padding:5px 15px 5px 25px;border:1px solid rgb(204,204,204);background-color:rgb(245,245,245)">1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator - failed to turn code into token
org.apache.http.conn.HttpHostConnectException: Connection to https://sso2.domain.com refused
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) ~[httpclient-4.2.1.jar:4.2.1]
        at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90) ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
        at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
        at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
        at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
        at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28) [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) [lib/:na]
        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [lib/:na]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [lib/:na]
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) [lib/:na]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [lib/:na]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) [lib/:na]
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) [tomcat-coyote.jar:8.0.18]
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) [tomcat-coyote.jar:8.0.18]
        at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) [tomcat-coyote.jar:8.0.18]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) [tomcat-coyote.jar:8.0.18]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) [tomcat-coyote.jar:8.0.18]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_25]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_25]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.18]
        at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25]
Caused by: java.net.ConnectException: Connection timed out
        at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25]
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345) ~[na:1.8.0_25]
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_25]
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_25]
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_25]
        at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]
        at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) ~[na:1.8.0_25]
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.2.1.jar:4.2.1]
        ... 29 common frames omitted</pre></div></div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
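<p>The reply above recommends checking plain connectivity from the Tomcat host before looking at TLS or proxy settings. The following script is an added example, not code from either message in the thread and not Keycloak or nginx code: it runs the same checks in the same order (name resolution, TCP connect, TLS handshake, then one HTTP request through the proxy) and reports the first stage that fails, so that a refused or timed-out TCP connection (the two wordings that appear in the posted trace) is never misread as a certificate or proxy problem. The hostname sso2.domain.com and port 443 come from the thread; the stage names and the local test listener are assumptions of the example.</p>

```python
"""Layered reachability check for a Keycloak server behind a TLS reverse proxy.

Added example (not from the thread, Keycloak or nginx). Mirrors the order
the reply suggests: DNS, TCP, TLS, and only then HTTP through the proxy.
The first failing stage is reported so the cause is not misattributed.
"""
import socket
import ssl
import sys
from dataclasses import dataclass


@dataclass
class Diagnosis:
    stage: str   # first failing stage: "dns", "tcp", "tls", "http", or "ok"
    detail: str  # what was observed at that stage


def diagnose(host: str, port: int = 443, timeout: float = 5.0,
             verify: bool = True) -> Diagnosis:
    # 1. DNS: a stale hosts entry or split-horizon DNS on the adapter host
    #    (the machine running Tomcat) shows up here, before any packet leaves.
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as e:
        return Diagnosis("dns", f"{host} does not resolve: {e}")
    addrs = ", ".join(sorted({info[4][0] for info in infos}))

    # 2. TCP: ECONNREFUSED means a host answered but nothing listens on the
    #    port (nginx down, wrong port); a timeout means packets are dropped
    #    on the path (firewall, security group, routing).
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return Diagnosis("tcp", f"{addrs}:{port} refused: nothing listening")
    except socket.timeout:
        return Diagnosis("tcp", f"{addrs}:{port} timed out: traffic dropped")
    except OSError as e:
        return Diagnosis("tcp", f"{addrs}:{port} unreachable: {e}")

    # 3. TLS: certificate, SNI and protocol problems can only appear now.
    ctx = ssl.create_default_context()
    if not verify:                       # debugging aid only, never in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except ssl.SSLCertVerificationError as e:
        sock.close()
        return Diagnosis("tls", f"certificate rejected: {e.verify_message}")
    except ssl.SSLError as e:
        sock.close()
        return Diagnosis("tls", f"handshake failed: {e.reason or e}")
    except OSError as e:
        sock.close()
        return Diagnosis("tls", f"no TLS handshake completed: {e}")

    # 4. HTTP through the proxy: a 5xx here means nginx is up but cannot
    #    reach its proxy_pass upstream; the adapter's token request would
    #    fail the same way.
    try:
        with tls:
            tls_version = tls.version()
            tls.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\n"
                        f"Connection: close\r\n\r\n".encode("ascii"))
            status_line = tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
    except OSError as e:
        return Diagnosis("http", f"TLS up, but no HTTP response: {e}")
    if not status_line.startswith("HTTP/"):
        return Diagnosis("http", f"unexpected response: {status_line!r}")
    parts = status_line.split(" ", 2)
    code = parts[1] if len(parts) > 1 else "?"
    if code.startswith("5"):
        return Diagnosis("http", f"proxy answered {status_line}: upstream problem")
    return Diagnosis("ok", f"TLS {tls_version} and HTTP reachable: {status_line}")


if __name__ == "__main__":
    # Run this on the host where Tomcat runs, since the token exchange is
    # a server-to-server call made from the adapter there.
    target = sys.argv[1] if len(sys.argv) > 1 else "sso2.domain.com"
    result = diagnose(target)
    print(f"[{result.stage}] {result.detail}")
```

<p>Run it from the machine running Tomcat rather than from a workstation: the trace shows the failing call originating in the adapter (<code>ServerRequest.invokeAccessCodeToToken</code>), so it is that host's resolver and egress rules that decide whether <code>sso2.domain.com:443</code> is reachable. Only once the script reports a stage later than <code>tcp</code> is it worth looking at the nginx <code>ssl_*</code> directives or the Undertow <code>proxy-address-forwarding</code> settings.</p>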