<div dir="ltr">You need the Host and X-Forwarded-For headers to be included and there's also some config to be done on the Keycloak server (see <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding</a>)</div><div class="gmail_extra"><br><div class="gmail_quote">On 24 May 2016 at 08:46, Aritz Maeztu <span dir="ltr"><<a href="mailto:amaeztu@tesicnor.com" target="_blank">amaeztu@tesicnor.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Niels and Scott. First of all, thank you very much for your
help. I'm currently using Zuul (Spring Cloud) as the reverse
proxy. All the services are registered in a discovery service
called Eureka and then Zuul looks for the service id there and
performs the redirection. I read about <font face="monospace,
monospace">X-Forwarded</font> headers, but I thought it might result in
a security issue if not included, not that it could affect the
redirection process. <br>
</p>
<p><font face="monospace, monospace">As Scott says, I suppose the
Host and the X-Real-Ip headers are the relevant ones here, so I
guess I should instruct Zuul to send them when the service is
addressed (however I wonder why they are not already being sent,
as Zuul is a proxy service, all in all).</font></p>
Here I include a preview of the first redirection made to the
keycloak login page, which shows the request headers sent to the
service /login endpoint (at port 8081 in localhost):<br>
<br>
<a href="https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0" target="_blank">https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0</a><br>
<br>
<div>On 24/05/2016 at 2:08, Niels Bertram
wrote:<br>
</div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">Hi Aritz,
<div><br>
</div>
<div>a great way to figure out what is sent from the reverse
proxy to your keycloak server is to use the undertow request
dumper.
<div><br>
</div>
<div>From the jboss-cli just add the request dumper filter to
your undertow configuration like this:</div>
<div><br>
</div>
<div>
<div><font face="monospace, monospace">$KC_HOME/bin/jboss-cli.sh
-c</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">/subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler,
module=io.undertow.core)</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">/subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">/:reload</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">given your
apache config looks something like this:</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"> ProxyRequests Off</font></div>
<div><font face="monospace, monospace"> ProxyPreserveHost
On</font></div>
<div><font face="monospace, monospace"> ProxyVia On</font></div>
<div><br>
</div>
<div><font face="monospace, monospace"> ProxyPass /auth ajp://127.0.0.1:8009/auth</font></div>
<div><font face="monospace, monospace"> ProxyPassReverse /auth ajp://127.0.0.1:8009/auth</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">you should
see something like this (the forwarded info is somewhat
rubbish in this example as I am running the hosts on
Virtualbox - but you can see this request was put
through 2 proxies from local pc 192.168.33.1 to haproxy
on 192.168.33.80 and then apache reverse proxy on
192.168.33.81 ):</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="monospace, monospace">==============================================================</font></div>
<div><font face="monospace, monospace">23:47:20,563 INFO
[io.undertow.request.dump] (default task-14)</font></div>
<div><font face="monospace, monospace">----------------------------REQUEST---------------------------</font></div>
<div><font face="monospace, monospace">
URI=/auth/welcome-content/favicon.ico</font></div>
<div><font face="monospace, monospace"> characterEncoding=null</font></div>
<div><font face="monospace, monospace"> contentLength=-1</font></div>
<div><font face="monospace, monospace">
contentType=null</font></div>
<div><font face="monospace, monospace">
header=Accept=*/*</font></div>
<div><font face="monospace, monospace">
header=Accept-Language=en-US,en;q=0.8,de;q=0.6</font></div>
<div><font face="monospace, monospace">
header=Cache-Control=no-cache</font></div>
<div><font face="monospace, monospace">
header=Accept-Encoding=gzip, deflate, sdch</font></div>
<div><font face="monospace, monospace">
header=DNT=1</font></div>
<div><font face="monospace, monospace">
header=Pragma=no-cache</font></div>
<div><font face="monospace, monospace">
header=X-Original-To=192.168.33.80</font></div>
<div><font face="monospace, monospace">
header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/50.0.2661.102 Safari/537.36</font></div>
<div><font face="monospace, monospace">
header=Authorization=Basic
bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=</font></div>
<div><font face="monospace, monospace">
header=X-Forwarded-Proto=https</font></div>
<div><font face="monospace, monospace">
header=X-Forwarded-Port=443</font></div>
<div><font face="monospace, monospace">
header=X-Forwarded-For=192.168.33.1</font></div>
<div><font face="monospace, monospace">
header=Referer=<a href="https://login.vagrant.dev/auth/" target="_blank">https://login.vagrant.dev/auth/</a></font></div>
<div><font face="monospace, monospace">
header=Host=login.vagrant.dev</font></div>
<div><font face="monospace, monospace">
locale=[en_US, en, de]</font></div>
<div><font face="monospace, monospace">
method=GET</font></div>
<div><font face="monospace, monospace">
protocol=HTTP/1.1</font></div>
<div><font face="monospace, monospace"> queryString=</font></div>
<div><font face="monospace, monospace"> remoteAddr=192.168.33.1:0</font></div>
<div><font face="monospace, monospace">
remoteHost=192.168.33.1</font></div>
<div><font face="monospace, monospace">
scheme=https</font></div>
<div><font face="monospace, monospace">
host=login.vagrant.dev</font></div>
<div><font face="monospace, monospace">
serverPort=443</font></div>
<div><font face="monospace, monospace">--------------------------RESPONSE--------------------------</font></div>
<div><font face="monospace, monospace">
contentLength=627</font></div>
<div><font face="monospace, monospace">
contentType=application/octet-stream</font></div>
<div><font face="monospace, monospace">
header=Cache-Control=max-age=2592000</font></div>
<div><font face="monospace, monospace">
header=X-Powered-By=Undertow/1</font></div>
<div><font face="monospace, monospace">
header=Server=WildFly/10</font></div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Hope this helps diagnosing your issue. Niels</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, May 24, 2016 at 1:20 AM, Aritz
Maeztu <span dir="ltr"><<a href="mailto:amaeztu@tesicnor.com" target="_blank">amaeztu@tesicnor.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>I'm using keycloak to secure some Spring based
services (with the keycloak spring security adapter).
The adapter creates a `/login` endpoint in each of the
services which redirects to the keycloak login page and
then redirects back to the service when authentication
is done. I also have a proxy service which I want to
publish on port 80 and which will take care of routing all
the requests to each service. The proxy performs a plain
FORWARD to the service, but the problem comes when I
secure the service with the keycloak adapter. <br>
</p>
<p>When I make a request, the adapter redirects to its
login endpoint and then to the keycloak auth url. When
keycloak sends the redirection, the url shown in the
browser is the one from the service and not the one from
the proxy. Do I have some choice to tell the adapter I
want to redirect back to the first requested url?<span><font color="#888888"><br>
</font></span></p>
<span><font color="#888888"> <br>
<div>-- <br>
<div>
<table style="width:600;border-collapse:collapse">
<tbody>
<tr>
<td style="border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:#989898">
<span style="font-weight:bold">Aritz Maeztu Otaño</span><br>
<span style="font-size:12px">Software Development Department</span> </td>
<td style="border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:#989898;padding-left:20px">
<a href="https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES" target="_blank">LinkedIn</a> </td>
</tr>
<tr>
<td> <a href="http://www.tesicnor.com" target="_blank">www.tesicnor.com</a> </td>
<td style="font-size:12px">
<p style="padding-left:20px"> <span>Pol. Ind. Mocholi.</span> <span>C/Rio Elorz, Nave 13E </span><span style="font-weight:bold">31110 Noain (Navarra)</span><br>
<span>Tel.: 948 21 40 40</span> <br>
<span>Fax: 948 21 40 41</span> <br>
</p>
</td>
</tr>
<tr>
<td colspan="2"> <span style="color:#009900;font-size:12px">Before printing this e-mail, consider whether it is really necessary: the environment is everyone's concern.</span> </td>
</tr>
</tbody>
</table>
</div>
</div>
</font></span></div>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
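<p>An added example, not code from Keycloak, Undertow, Zuul or any of the participants above: a small model of what the thread is circling around. The service behind the proxy builds its OIDC <code>redirect_uri</code> from the request it receives, so if the proxy forwards to <code>localhost:8081</code> without preserving <code>Host</code> and adding <code>X-Forwarded-Proto</code>/<code>-Host</code>/<code>-Port</code>, the browser is sent back to the internal service URL after login, exactly the symptom reported. The model also shows why those headers must only be honoured when they come from the proxy: a client that can reach the back-end port directly and forges them otherwise chooses the post-login redirect target. Assumptions (all constructed, none taken from the thread): the proxy reaches the service from 127.0.0.1, the public host name is shop.example.com, the realm is called <code>demo</code> and the client <code>orders</code>; the peer-address check is this example's own safeguard rather than a description of what any particular Undertow version does.</p>

```python
"""Added example (not code from Keycloak, Undertow, Zuul or any poster in the
thread): how a back-end reconstructs the URL the browser actually used from
the X-Forwarded-* headers a reverse proxy sends, and what the OIDC login
redirect looks like with the headers missing, present, and spoofed.
Assumptions: the proxy reaches the service from 127.0.0.1, the public host
name is shop.example.com, and the SSO server is https://login.vagrant.dev
with a realm called "demo"; every sample request below is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List
from urllib.parse import quote

# Peers whose X-Forwarded-* headers we believe (assumption: the proxy tier).
TRUSTED_PROXIES: List = [ip_network("127.0.0.1/32"), ip_network("192.168.33.0/24")]


@dataclass
class Request:
    remote_addr: str                 # TCP peer that connected to the back-end
    host: str                        # Host header as received (hostname only)
    scheme: str                      # scheme of the last hop (http for plain HTTP/AJP)
    port: int                        # local port the request arrived on
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str, default: str = "") -> str:
        """Case-insensitive header lookup."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return default


def is_trusted_proxy(addr: str) -> bool:
    return any(ip_address(addr) in net for net in TRUSTED_PROXIES)


def external_base_url(req: Request, proxy_address_forwarding: bool,
                      require_trusted_proxy: bool = True) -> str:
    """Mirror of what a proxy-address-forwarding style setting does: rebuild
    scheme, host and port from X-Forwarded-Proto/-Host/-Port instead of the
    last hop's values. require_trusted_proxy is this example's own safeguard;
    with it off, any client that reaches the back-end directly picks the URL."""
    scheme, host, port = req.scheme, req.host, req.port
    trusted = (not require_trusted_proxy) or is_trusted_proxy(req.remote_addr)
    if proxy_address_forwarding and trusted:
        scheme = req.header("X-Forwarded-Proto", scheme)
        host = req.header("X-Forwarded-Host", host)
        port = int(req.header("X-Forwarded-Port", str(port)))
    default_port = 443 if scheme == "https" else 80
    authority = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{authority}"


def client_address(req: Request, proxy_address_forwarding: bool) -> str:
    """Client IP for logging or rate limiting. Only the entry appended by our
    own trusted proxy (the rightmost one) is reliable; the leftmost is
    whatever the client chose to send."""
    if proxy_address_forwarding and is_trusted_proxy(req.remote_addr):
        xff = req.header("X-Forwarded-For")
        if xff:
            return xff.split(",")[-1].strip()
    return req.remote_addr


def login_redirect(req: Request, proxy_address_forwarding: bool,
                   sso_base: str = "https://login.vagrant.dev") -> str:
    """The Location an adapter-style /login endpoint sends the browser to.
    redirect_uri comes from the reconstructed external URL, so this decides
    where the user lands after authenticating."""
    redirect_uri = external_base_url(req, proxy_address_forwarding) + req.path
    return (f"{sso_base}/auth/realms/demo/protocol/openid-connect/auth"
            f"?client_id=orders&response_type=code"
            f"&redirect_uri={quote(redirect_uri, safe='')}")


# Constructed sample requests, all for the service listening on localhost:8081.
# 1. Proxy forwards nothing: the adapter only sees the internal hop.
BARE = Request("127.0.0.1", "localhost", "http", 8081, "/orders/login")
# 2. Proxy preserves Host and adds X-Forwarded-* (what the thread asks Zuul to do).
FORWARDED = Request("127.0.0.1", "shop.example.com", "http", 8081, "/orders/login", {
    "X-Forwarded-Host": "shop.example.com", "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443", "X-Forwarded-For": "203.0.113.7"})
# 3. A client bypasses the proxy and forges the same headers itself.
SPOOFED = Request("203.0.113.9", "localhost", "http", 8081, "/orders/login", {
    "X-Forwarded-Host": "attacker.example", "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443", "X-Forwarded-For": "10.0.0.1"})

if __name__ == "__main__":
    for name, req in (("bare", BARE), ("forwarded", FORWARDED), ("spoofed", SPOOFED)):
        print(f"{name:9s} client={client_address(req, True):13s} "
              f"-> {login_redirect(req, True)}")
    print("spoofed, no peer check ->",
          external_base_url(SPOOFED, True, require_trusted_proxy=False))
```

<p>Read against the request dump above: <code>remoteAddr</code>, <code>scheme</code>, <code>host</code> and <code>serverPort</code> are the values the model reconstructs, and the <code>FORWARDED</code> case with forwarding disabled yields <code>http://shop.example.com:8081</code>, which is why preserving <code>Host</code> alone is not enough and the proto/port headers matter too. The knobs to turn are outside this example: on the Keycloak side the proxy-address-forwarding section linked in the first message (in WildFly terms, <code>write-attribute(name=proxy-address-forwarding,value=true)</code> on the Undertow listener, then <code>:reload</code>); on the Zuul side, assuming a Spring Cloud Netflix version that exposes them, <code>zuul.add-host-header=true</code> to keep the original <code>Host</code> and <code>zuul.add-proxy-headers=true</code> for the <code>X-Forwarded-*</code> set. Whether your WildFly build restricts which peers' forwarded headers it honours is something to verify; if it does not, keep the service port reachable only from the proxy, since the <code>SPOOFED</code> case with the peer check off is an attacker-chosen redirect target.</p>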