<div dir="ltr">Did you add the ProxyPeerAddressHandler filter? That's required for the AJP connector, see <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding</a></div><div class="gmail_extra"><br><div class="gmail_quote">On 24 May 2016 at 11:48, Niels Bertram <span dir="ltr">&lt;<a href="mailto:nielsbne@gmail.com" target="_blank">nielsbne@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I am scratching my head with a specific setup problem which does not generate any usable error messages.<div><br></div><div>I am running a haproxy as load balancer in a vm in front of an apache web server configured as reverse proxy connecting to the keycloak server via ajp in another VM.</div><div><br></div><div>client browser (192.168.33.1) </div><div> </div><div> login.vagrant.v8 (192.168.33.80) aka proxy.vagrant.v8 is haproxy adds X-Forwarded-For X-Forwarded-Port X-Forwarded-Proto and X-Real-Ip</div><div><br></div><div> kc01.vagrant.v8 (192.168.33.81) apache reverse proxies to wildfly on ajp port</div><div><br></div><div><br></div><div>Followed all the setup instructions in the documentation and if I connect to apache proxying through to keycloak everything works fine. All web resources are downloaded fine however when I request a token exchange on <span style="font-family:monospace,monospace">/auth/realms/master/protocol/openid-connect/token</span> I get a 400 response. The kc server log shows the correct IP address of the originating client and the request dump from wildfly also shows the correct X-Forwarded-For header coming in. 
However the query string <span style="font-family:monospace,monospace">remoteAddr=/<a href="http://192.168.33.80:54672" target="_blank">192.168.33.80:54672</a> </span>which I believe is the one sent to the ajp connector shows some half valid IP address which is that of the load balancer. Did anyone come across this before? Looks like a bug of some sort.</div><div><br></div><div>The symptom is an endless loop trying to log into the admin panel.</div><div><br></div><div>Cheers</div><div>Niels</div><div><br></div><div><br></div><div><div><font face="monospace, monospace"># cat standalone/log/server.log | grep -A 58 '2016-05-24 09:19:27,672'</font></div><div><font face="monospace, monospace">2016-05-24 09:19:27,672 WARN [org.keycloak.events] (default task-19) type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=admin, userId=null, ipAddress=<b><font color="#ff0000">192.168.33.1</font></b>, error=invalid_client_credentials, grant_type=authorization_code</font></div><div><font face="monospace, monospace">2016-05-24 09:19:27,673 INFO [io.undertow.request.dump] (default task-19)</font></div><div><font face="monospace, monospace">----------------------------REQUEST---------------------------</font></div><div><font face="monospace, monospace"> URI=/auth/realms/master/protocol/openid-connect/token</font></div><div><font face="monospace, monospace"> characterEncoding=null</font></div><div><font face="monospace, monospace"> contentLength=229</font></div><div><font face="monospace, monospace"> contentType=[application/x-www-form-urlencoded]</font></div><div><font face="monospace, monospace"> cookie=KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.I0jI4nDhbYtKNrVjdlwjjBe5mtd0a8u6Dm7rQXwLE60</font></div><div><font face="monospace, monospace"> 
cookie=KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJhNjY5OWJkOS00MWQ4LTQyNWYtYjE5Ni04Y2QzNmJiZjBmNjQiLCJleHAiOjE0NjQxMTc1NjcsIm5iZiI6MCwiaWF0IjoxNDY0MDgxNTY3LCJpc3MiOiJodHRwczovL2xvZ2luLnZhZ3JhbnQudjgvYXV0aC9yZWFsbXMvbWFzdGVyIiwic3ViIjoiY2YyNDg4MTEtNmQ4Mi00N2U3LWJmOWEtN2IxOTdmYjk4OGQwIiwic2Vzc2lvbl9zdGF0ZSI6IjFiYTljODRlLTBlMzctNGE4Mi1hNDg0LWMyNWQyYzRhODBmYyIsInJlc291cmNlX2FjY2VzcyI6e319.E0vEe9XQJ_6IbDC_TEUfumQCJ0fS1_AOYsHh7svyGp16VC89sH9J1FQuLJfHYFVJlDTcE6o2ktLg0fLw2nLIdLOv-WXMseYr0KzudZveiLy1CZbRoPS9w9vlN-_EuXojiz0ORcyh90keUhqW5tMShccHvEaq_wpXOJQ6ITIglsgUXNhlSuEfpEcBy4CCqKQW98bRQiTKQOtoOfgc-Ez1RHR-7esTw-U22P_H-EMk23jI3nwuYGtqOn4Vvqb4-cHOzdyE_xaVWZxeteNKhU-RexfrMaHx1PSy3T796aY7gIljcqkxra-SA1dbOsRBawwlhJwFtojzBHEs1841gJ4bgg</font></div><div><font face="monospace, monospace"> cookie=KEYCLOAK_SESSION=master/cf248811-6d82-47e7-bf9a-7b197fb988d0/1ba9c84e-0e37-4a82-a484-c25d2c4a80fc</font></div><div><font face="monospace, monospace"> header=Accept=*/*</font></div><div><font face="monospace, monospace"> header=Accept-Language=en-US,en;q=0.8,de;q=0.6</font></div><div><font face="monospace, monospace"> header=Accept-Encoding=gzip, deflate</font></div><div><font face="monospace, monospace"> header=DNT=1</font></div><div><font face="monospace, monospace"> header=Origin=<a href="https://login.vagrant.v8" target="_blank">https://login.vagrant.v8</a></font></div><div><font face="monospace, monospace"> header=X-Original-To=192.168.33.80</font></div><div><font face="monospace, monospace"> header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36</font></div><div><span style="font-family:monospace,monospace"> header=X-Forwarded-Proto=https</span><br></div><div><font face="monospace, monospace"> header=X-Forwarded-Port=443</font></div><div><font face="monospace, monospace"> header=X-Forwarded-For=192.168.33.1</font></div><div><font face="monospace, monospace"> header=Content-Length=229</font></div><div><font 
face="monospace, monospace"> header=Content-Type=application/x-www-form-urlencoded</font></div><div><font face="monospace, monospace"> header=Cookie=KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.I0jI4nDhbYtKNrVjdlwjjBe5mtd0a8u6Dm7rQXwLE60; KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJhNjY5OWJkOS00MWQ4LTQyNWYtYjE5Ni04Y2QzNmJiZjBmNjQiLCJleHAiOjE0NjQxMTc1NjcsIm5iZiI6MCwiaWF0IjoxNDY0MDgxNTY3LCJpc3MiOiJodHRwczovL2xvZ2luLnZhZ3JhbnQudjgvYXV0aC9yZWFsbXMvbWFzdGVyIiwic3ViIjoiY2YyNDg4MTEtNmQ4Mi00N2U3LWJmOWEtN2IxOTdmYjk4OGQwIiwic2Vzc2lvbl9zdGF0ZSI6IjFiYTljODRlLTBlMzctNGE4Mi1hNDg0LWMyNWQyYzRhODBmYyIsInJlc291cmNlX2FjY2VzcyI6e319.E0vEe9XQJ_6IbDC_TEUfumQCJ0fS1_AOYsHh7svyGp16VC89sH9J1FQuLJfHYFVJlDTcE6o2ktLg0fLw2nLIdLOv-WXMseYr0KzudZveiLy1CZbRoPS9w9vlN-_EuXojiz0ORcyh90keUhqW5tMShccHvEaq_wpXOJQ6ITIglsgUXNhlSuEfpEcBy4CCqKQW98bRQiTKQOtoOfgc-Ez1RHR-7esTw-U22P_H-EMk23jI3nwuYGtqOn4Vvqb4-cHOzdyE_xaVWZxeteNKhU-RexfrMaHx1PSy3T796aY7gIljcqkxra-SA1dbOsRBawwlhJwFtojzBHEs1841gJ4bgg; KEYCLOAK_SESSION=master/cf248811-6d82-47e7-bf9a-7b197fb988d0/1ba9c84e-0e37-4a82-a484-c25d2c4a80fc</font></div><div><font face="monospace, monospace"> header=Referer=<a href="https://login.vagrant.v8/auth/admin/master/console/" target="_blank">https://login.vagrant.v8/auth/admin/master/console/</a></font></div><div><font face="monospace, monospace"> header=Host=login.vagrant.v8</font></div><div><font face="monospace, monospace"> locale=[en_US, en, de]</font></div><div><font face="monospace, monospace"> method=POST</font></div><div><font face="monospace, monospace"> protocol=HTTP/1.1</font></div><div><font face="monospace, monospace"> queryString=</font></div><div><font face="monospace, monospace" color="#ff0000"><b> remoteAddr=/<a href="http://192.168.33.80:54672" target="_blank">192.168.33.80:54672</a></b></font></div><div><font face="monospace, monospace"> remoteHost=proxy.vagrant.v8</font></div><div><font face="monospace, monospace"> scheme=https</font></div><div><font 
face="monospace, monospace"> host=login.vagrant.v8</font></div><div><font face="monospace, monospace"> serverPort=443</font></div><div><font face="monospace, monospace">--------------------------RESPONSE--------------------------</font></div><div><font face="monospace, monospace"> contentLength=123</font></div><div><font face="monospace, monospace"> contentType=application/json</font></div><div><font face="monospace, monospace"> header=X-Powered-By=Undertow/1</font></div><div><font face="monospace, monospace"> header=Server=WildFly/10</font></div><div><font face="monospace, monospace"> header=Content-Type=application/json</font></div><div><font face="monospace, monospace"> header=Content-Length=123</font></div><div><font face="monospace, monospace"> header=Date=Tue, 24 May 2016 09:19:27 GMT</font></div><div><font face="monospace, monospace"> status=400</font></div></div><div><br></div></div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
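An added diagnostic, not part of the thread and not Keycloak or WildFly code: it parses an Undertow request dump of the shape quoted above and reports whether the peer address (`remoteAddr`) is still the proxy's or matches `X-Forwarded-For`. The function names, the verdict strings and the trusted-proxy list are assumptions of this example.

```python
import ipaddress

# Constructed sample: a trimmed request dump in the shape quoted in the thread.
SAMPLE_DUMP = """\
----------------------------REQUEST---------------------------
               URI=/auth/realms/master/protocol/openid-connect/token
            header=X-Forwarded-Proto=https
            header=X-Forwarded-For=192.168.33.1
            method=POST
        remoteAddr=/192.168.33.80:54672
        remoteHost=proxy.vagrant.v8
--------------------------RESPONSE--------------------------
            status=400
"""

def parse_dump(text):
    """Split one dump into plain fields and lower-cased header names."""
    fields, headers = {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("---") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "header":
            name, _, header_value = value.partition("=")
            headers[name.lower()] = header_value
        else:
            fields.setdefault(key, value)  # first occurrence (request part) wins
    return fields, headers

def peer_ip(remote_addr):
    """Take the IP out of the 'host/ip:port' form seen in the dump."""
    host = remote_addr.rsplit("/", 1)[-1].rsplit(":", 1)[0]
    return ipaddress.ip_address(host.strip("[]"))

def check_forwarding(text, trusted_proxies):
    """Classify how the peer address relates to X-Forwarded-For (hypothetical helper)."""
    fields, headers = parse_dump(text)
    peer = peer_ip(fields["remoteAddr"])
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    if not hops:
        return "no-forwarded-header"
    # Assumption of this example: the left-most entry is the client address to compare.
    if peer == ipaddress.ip_address(hops[0]):
        return "peer-rewritten"        # the server sees the forwarded client as its peer
    if any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        return "peer-is-proxy"         # header present, peer is still the proxy
    return "untrusted-forwarder"       # header sent by a host not on the proxy list

if __name__ == "__main__":
    print(check_forwarding(SAMPLE_DUMP, ["192.168.33.80/32"]))
```

The `untrusted-forwarder` verdict is the case to watch for: `X-Forwarded-For` is a request header, so its value is only meaningful when the connection really comes from a proxy that sets it.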