<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">This is set from the HTTP request URL,
so it looks like your Keycloak is seeing
"<a class="moz-txt-link-freetext" href="http://machine01.our.domain:8081/auth">http://machine01.our.domain:8081/auth</a>"
as the request URL instead of
"<a class="moz-txt-link-freetext" href="http://lb.our.domain/auth/admin/governance/console/config">http://lb.our.domain/auth/admin/governance/console/config</a>".
Maybe the set of <code>X-Forwarded-Host</code> on your LB side?<br>
<br>
Marek<br>
<br>
On 08/09/16 13:05, KASALA Štefan wrote:<br>
</div>
<blockquote cite="mid:5aa71214e04e41a9babc330b2467f6f3@posam.sk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal">Finally we upgraded to Keycloak 2.1.0.Final. We have configured
an Apache httpd proxy in front of the server. We configured
the Keycloak server according to
<a moz-do-not-send="true"
href="https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html">https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html</a>.</p>
<p class="MsoNormal">The configuration is still not complete/correct, probably I
missed something. When I access the proxied URL for either of
our configured realms I get the unproxied auth-server-url:</p>
<pre>[localuser@machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/governance/console/config | python -m json.tool
{
    "auth-server-url": "http://machine01.our.domain:8081/auth",
    "public-client": true,
    "realm": "governance",
    "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
    "resource": "security-admin-console",
    "ssl-required": "external"
}</pre>
<pre>[localuser@machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool
{
    "auth-server-url": "http://machine01.our.domain:8081/auth",
    "public-client": true,
    "realm": "master",
    "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB",
    "resource": "security-admin-console",
    "ssl-required": "external"
}</pre>
<p class="MsoNormal">How can I configure it to return the proxied version? Thanks.</p>
<p class="MsoNormal">Stefan.</p>
<p class="MsoNormal"><b>From:</b> Stian Thorgersen [<a class="moz-txt-link-freetext" href="mailto:sthorger@redhat.com">mailto:sthorger@redhat.com</a>]<br>
<b>Sent:</b> Tuesday, June 28, 2016 3:51 PM<br>
<b>To:</b> KASALA Štefan &lt;<a class="moz-txt-link-rfc2396E" href="mailto:Stefan.Kasala@posam.sk">Stefan.Kasala@posam.sk</a>&gt;<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] Getting 401 if trying to
access app via loadbalancer</p>
<div>
<p class="MsoNormal">Firstly, please upgrade to a more recent
Keycloak version. Then refer to <a moz-do-not-send="true"
href="https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html">https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html</a>
for details on how to set up a reverse proxy / load balancer
in front of Keycloak.</p>
</div>
<div>
<div>
<p class="MsoNormal">On 27 June 2016 at 09:18, KASALA Štefan
&lt;<a moz-do-not-send="true"
href="mailto:Stefan.Kasala@posam.sk" target="_blank">Stefan.Kasala@posam.sk</a>&gt;
wrote:</p>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">Hello,</p>
<div>
<p class="MsoNormal">We have installed JBoss Overlord Rtgov 2.1.0, which
is using Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3; I will
name it with the hostname app01. We have a load balancer under another
hostname, lbapp, in front of the deployed app. I am able to call the
REST interface of RtGov directly on machine app01 but not using lbapp;
I get 401 - Unauthorized from Keycloak. My guess is there is some check
against the hostname in the HTTP request. Is there some possibility to
register aliases with Keycloak to enable calls via the load balancer?
Thanks.</p>
</div>
<div>
<p class="MsoNormal">Stefan Kasala</p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr align="center" size="2" width="100%">
</div>
<p class="MsoNormal"><br>
This message is for the designated recipient only
and may contain confidential or internal
information. If you have received it in error,
please notify the sender immediately and delete the
original. Any other use of the e-mail by you is
prohibited.</p>
</div>
<p class="MsoNormal"><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></p>
</blockquote>
</div>
</div>
</div>
</blockquote>
<p><br>
</p>
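<p>Added example, not part of the original thread and not Keycloak's code: a sketch of how a server behind a reverse proxy can derive the base URL it advertises (the <code>auth-server-url</code> in the output above) from the request, reading <code>X-Forwarded-Host</code> only when the connection comes from the proxy. The proxy address 10.0.0.5, the function names and the sample requests are assumptions constructed for illustration.</p>

```python
# Added illustration, not Keycloak source: derive the externally visible base
# URL from a request, reading X-Forwarded-* only from a trusted proxy.
import ipaddress
from urllib.parse import urlsplit

# Assumption: address of the Apache httpd load balancer (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
DEFAULT_PORTS = {"http": 80, "https": 443}


def _first(value):
    """Leftmost entry of a comma-separated header value."""
    return value.split(",")[0].strip()


def external_base_url(peer_ip, headers, context_path="/auth", scheme="http"):
    """Return the base URL a server would advertise, e.g. as auth-server-url."""
    h = {k.lower(): v for k, v in headers.items()}
    host = h["host"]
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        # Any client can send these headers; they mean something only when
        # the connection comes from the proxy that is known to set them.
        host = _first(h.get("x-forwarded-host", host))
        scheme = _first(h.get("x-forwarded-proto", scheme)).lower()
    parts = urlsplit(f"{scheme}://{host}")
    netloc = parts.netloc
    if parts.port is not None and parts.port == DEFAULT_PORTS.get(scheme):
        netloc = netloc.rsplit(":", 1)[0]  # drop a redundant default port
    return f"{scheme}://{netloc}{context_path}"


if __name__ == "__main__":
    backend = {"Host": "machine01.our.domain:8081"}  # constructed requests
    via_lb = dict(backend, **{"X-Forwarded-Host": "lb.our.domain"})
    spoofed = dict(backend, **{"X-Forwarded-Host": "untrusted.example"})
    print(external_base_url("10.0.0.5", backend))    # proxy sent no forwarded host
    print(external_base_url("10.0.0.5", via_lb))     # proxy forwarded the LB host
    print(external_base_url("192.0.2.77", spoofed))  # direct client, header ignored
```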
</body>
</html>