Hi,
Yes, the problem is definitely in the proxy setup, but what is the
problem?
I am not so familiar with JBoss/WildFly (Tomcat is usually my weapon
of choice), so I am not sure what I am missing.
And yes, if I create an SSH tunnel to the KC server I can log in and
everything works just as I expected.
I tried the search before I posted the question, because I didn't find
the answer.
If httpd and KC are on the same server, everything works. That was my
previous setup, but now I want to dedicate one server just to the reverse
proxy role.
-Keijo
On 2017-02-03 10:32, Stian Thorgersen wrote:
Is everything working fine if you go directly to the Keycloak
server?
Someone reported a similar issue a few weeks ago and it turned out to
be an issue in the proxy setup. I can't remember the details, but
maybe you can find it on
http://www.keycloak.org/search.html
On 2 February 2017 at 18:04, <keijo.korte(a)kvak.net> wrote:
> Hi,
>
> Setup:
> OS: CentOS 6.8
> Keycloak version: 2.5.1-FINAL
> httpd version: 2.2.15
>
> I have configured httpd as an SSL-offloading reverse proxy for the
> Keycloak server. The proxy and Keycloak are on different servers.
> Basically everything works fine, but I can't log in because I am
> being redirected back to square one all the time.
>
> Here is the flow:
>
> GET https://idp.xxx.net/auth/admin/
>
> GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?clien...
>
> POST https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH...
>
> GET https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8...
>
> GET lots of resources: /config, login-status-iframe.html, /token,
> /messages.json and so on
>
> GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?clien...
>
> and the same thing from the start. Forever.
>
> httpd configuration for SSL:
>
> *****
> <VirtualHost *:443>
>     ServerName idp.xxx.net
>     ServerAdmin webmaster(a)xxx.net
>     DocumentRoot /var/www/html/
>     <Directory />
>         Order deny,allow
>         Allow from all
>         Options FollowSymLinks
>         AllowOverride None
>     </Directory>
>     <Proxy *>
>         Order deny,allow
>         Allow from all
>     </Proxy>
>     ProxyRequests Off
>     RequestHeader set X-Forwarded-Proto "https"
>     RequestHeader set X-Forwarded-Port "443"
>     ProxyPreserveHost on
>     ProxyPass / http://172.16.22.12:8080/ keepalive=On
>     ProxyPassReverse / http://172.16.22.12:8080/
> + lots of cipher suite settings and so on.
> *****
>
> WildFly configuration:
>
> *****
> <server name="default-server">
>     <http-listener name="default" proxy-address-forwarding="true"
>                    socket-binding="http" redirect-socket="proxy-https"/>
>     <host name="default-host" alias="localhost idp.xxx.net">
>         <location name="/" handler="welcome-content"/>
>         <filter-ref name="server-header"/>
>         <filter-ref name="x-powered-by-header"/>
>     </host>
> </server>
>
> ....
>
> <socket-binding-group name="standard-sockets" default-interface="any"
>                       port-offset="${jboss.socket.binding.port-offset:0}">
>     <socket-binding name="management-http" interface="management"
>                     port="${jboss.management.http.port:9990}"/>
>     <socket-binding name="management-https" interface="management"
>                     port="${jboss.management.https.port:9993}"/>
>     <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>     <socket-binding name="http" port="${jboss.http.port:8080}"/>
>     <socket-binding name="proxy-https" port="443"/>
>     <socket-binding name="https" port="${jboss.https.port:8443}"/>
>     <socket-binding name="txn-recovery-environment" port="4712"/>
>     <socket-binding name="txn-status-manager" port="4713"/>
>     <outbound-socket-binding name="mail-smtp">
>         <remote-destination host="localhost" port="25"/>
>     </outbound-socket-binding>
> </socket-binding-group>
>
> *****
>
> Does someone have some kind of clue why I am being redirected?
> First I thought that this was some kind of HTTP/HTTPS redirect
> problem, but when I enabled requestdumper on WildFly I can see that
> everything is HTTPS.
>
> *****
>
> ----------------------------REQUEST---------------------------
> URI=/
> characterEncoding=null
> contentLength=-1
> contentType=null
> header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> header=Accept-Language=en-US,en;q=0.5
> header=Accept-Encoding=gzip, deflate, br
> header=X-Forwarded-Server=idp.xxx.net
> header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:51.0) Gecko/20100101 Firefox/51.0
> header=Connection=Keep-Alive
> header=X-Forwarded-Proto=https
> header=X-Forwarded-Port=443
> header=X-Forwarded-For=88.12.13.14
> header=Upgrade-Insecure-Requests=1
> header=Host=idp.xxx.net
> header=X-Forwarded-Host=idp.xxx.net
> locale=[en_US, en]
> method=GET
> protocol=HTTP/1.1
> queryString=
> remoteAddr=88.12.13.14:0
> remoteHost=88.12.13.14
> scheme=https
> host=idp.xxx.net
> serverPort=443
> *****
>
> -Keijo
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
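A small diagnostic for the kind of requestdumper output Keijo quoted, added here as an example and not part of the thread: it parses the dump and checks that the X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port values the proxy sent are what WildFly actually resolved into scheme, host and serverPort (the effect of proxy-address-forwarding="true"). The sample record is constructed; its field names follow the quoted dump.

```python
from typing import Dict, List

# Constructed sample in the format of the Undertow request-dumper output
# quoted in the thread; hostname and client address are placeholders.
SAMPLE_DUMP = """\
----------------------------REQUEST---------------------------
               URI=/
            header=X-Forwarded-Proto=https
            header=X-Forwarded-Port=443
            header=Host=idp.xxx.net
            header=X-Forwarded-Host=idp.xxx.net
            method=GET
            scheme=https
              host=idp.xxx.net
        serverPort=443
"""


def parse_dump(text: str) -> Dict[str, object]:
    """Turn one dumped request into a dict; HTTP headers are collected under
    'headers', keyed by lower-cased name (header names are case-insensitive)."""
    headers: Dict[str, str] = {}
    record: Dict[str, object] = {"headers": headers}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue  # skip the ----REQUEST---- separator line
        key, value = line.split("=", 1)
        if key == "header":
            name, _, hval = value.partition("=")
            headers[name.lower()] = hval
        else:
            record[key] = value
    return record


def check_forwarding(record: Dict[str, object]) -> List[str]:
    """Compare the X-Forwarded-* values the proxy sent with the scheme, host
    and port the server resolved. A mismatch means the server builds redirect
    URLs for the wrong origin, which is one way an OIDC login loop starts."""
    headers = record["headers"]
    problems: List[str] = []
    for name, field in (("x-forwarded-proto", "scheme"),
                        ("x-forwarded-host", "host"),
                        ("x-forwarded-port", "serverPort")):
        sent, resolved = headers.get(name), record.get(field)
        if sent is None:
            problems.append(f"proxy did not send {name}")
        elif sent != resolved:
            problems.append(f"{name}={sent} but server resolved {field}={resolved}")
    return problems
```

Run against the dump quoted in the thread, all three pairs agree, which matches Keijo's observation that the server already sees HTTPS.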