If I remember correctly it was something to do with a duplicated header or
something. The guy figured it out on his own, so I really can't remember.
Sorry.
On 3 February 2017 at 10:04, <keijo.korte(a)kvak.net> wrote:
Hi,
Yes, the problem is definitely in the proxy setup, but what is the
problem?
I am not so familiar with JBoss/WildFly (Tomcat is usually my weapon
of choice), so I am not sure what I am missing.
And yes, if I create an SSH tunnel to the KC server I can log in and
everything works just as I expected.
I tried the search before I posted the question, because I didn't find
the answer.
If httpd and KC are on the same server, everything works. That was my
previous setup, but now I want to dedicate one server just to the reverse
proxy role.
-Keijo
On 2017-02-03 10:32, Stian Thorgersen wrote:
> Is everything working fine if you go directly to the Keycloak server?
> Someone reported a similar issue a few weeks ago and it turned out to
> be an issue in the proxy setup. I can't remember the details, but
> maybe you can find it on http://www.keycloak.org/search.html
>
> On 2 February 2017 at 18:04, <keijo.korte(a)kvak.net> wrote:
>
>> Hi,
>>
>> Setup:
>> OS: Centos 6.8
>> Keycloak version, 2.5.1-FINAL
>> httpd version 2.2.15
>>
>> I have configured httpd as an SSL-offloading reverse proxy for the Keycloak
>> server. The proxy and Keycloak are on different servers.
>> Basically everything works fine, but I can't log in because I am being
>> redirected back to square one all the time.
>>
>> Here is the flow:
>>
>> GET https://idp.xxx.net/auth/admin/ [1]
>>
>> GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=eeb29809-a4aa-458b-8530-645729ce42e5&nonce=fe92d57a-ff26-4213-8907-d86febde7b92&response_mode=fragment&response_type=code&scope=openid [2]
>>
>> POST https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca-4dff-8f64-ac9bf461f946&execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6 [3]
>>
>> GET https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8530-645729ce42e5&code=6dHrd5I_USezn0sz4gIS_UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946 [4]
>>
>> GET lots of resources: /config, login-status-iframe.html, /token,
>> /messages.json and so on
>>
>> GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252F&state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47&nonce=4284a896-6694-4af8-9c91-71e4050455a2&response_mode=fragment&response_type=code&scope=openid [5]
>>
>> and the same thing from the start. Forever.
>>
>> httpd configuration for SSL:
>>
>> *****
>> <VirtualHost *:443>
>> ServerName idp.xxx.net [6]
>> ServerAdmin webmaster(a)xxx.net
>> DocumentRoot /var/www/html/
>> <Directory />
>> Order deny,allow
>> Allow from all
>> Options FollowSymLinks
>> AllowOverride None
>> </Directory>
>> <Proxy *>
>> Order deny,allow
>> Allow from all
>> </Proxy>
>> ProxyRequests Off
>> RequestHeader set X-Forwarded-Proto "https"
>> RequestHeader set X-Forwarded-Port "443"
>> ProxyPreserveHost on
>> ProxyPass / http://172.16.22.12:8080/ keepalive=On
>> ProxyPassReverse / http://172.16.22.12:8080/
>> + lots of cipher suite setting and so on.
>> *****
>>
>> WildFly configuration:
>>
>> *****
>> <server name="default-server">
>>     <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
>>     <host name="default-host" alias="localhost idp.xxx.net [6]">
>>         <location name="/" handler="welcome-content"/>
>>         <filter-ref name="server-header"/>
>>         <filter-ref name="x-powered-by-header"/>
>>     </host>
>> </server>
>>
>> ....
>>
>> <socket-binding-group name="standard-sockets" default-interface="any" port-offset="${jboss.socket.binding.port-offset:0}">
>>     <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
>>     <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
>>     <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>>     <socket-binding name="http" port="${jboss.http.port:8080}"/>
>>     <socket-binding name="proxy-https" port="443"/>
>>     <socket-binding name="https" port="${jboss.https.port:8443}"/>
>>     <socket-binding name="txn-recovery-environment" port="4712"/>
>>     <socket-binding name="txn-status-manager" port="4713"/>
>>     <outbound-socket-binding name="mail-smtp">
>>         <remote-destination host="localhost" port="25"/>
>>     </outbound-socket-binding>
>> </socket-binding-group>
>>
>> *****
>>
>> Does someone have some kind of clue why I am being redirected?
>> At first I thought that this was some kind of http/https redirect problem,
>> but when I enabled requestdumper @ wildfly I can see that everything is
>> HTTPS.
>>
>> *****
>>
>> ----------------------------REQUEST---------------------------
>> URI=/
>> characterEncoding=null
>> contentLength=-1
>> contentType=null
>> header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> header=Accept-Language=en-US,en;q=0.5
>> header=Accept-Encoding=gzip, deflate, br
>> header=X-Forwarded-Server=idp.xxx.net [6]
>> header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:51.0) Gecko/20100101 Firefox/51.0
>> header=Connection=Keep-Alive
>> header=X-Forwarded-Proto=https
>> header=X-Forwarded-Port=443
>> header=X-Forwarded-For=88.12.13.14
>> header=Upgrade-Insecure-Requests=1
>> header=Host=idp.xxx.net [6]
>> header=X-Forwarded-Host=idp.xxx.net [6]
>> locale=[en_US, en]
>> method=GET
>> protocol=HTTP/1.1
>> queryString=
>> remoteAddr=88.12.13.14:0 [7]
>> remoteHost=88.12.13.14
>> scheme=https
>> host=idp.xxx.net [6]
>> serverPort=443
>> *****
>>
>> -Keijo
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user [8]
>
>
>
> Links:
> ------
> [1] https://idp.xxx.net/auth/admin/
> [2] https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=eeb29809-a4aa-458b-8530-645729ce42e5&nonce=fe92d57a-ff26-4213-8907-d86febde7b92&response_mode=fragment&response_type=code&scope=openid
> [3] https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca-4dff-8f64-ac9bf461f946&execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6
> [4] https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8530-645729ce42e5&code=6dHrd5I_USezn0sz4gIS_UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946
> [5] https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252F&state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47&nonce=4284a896-6694-4af8-9c91-71e4050455a2&response_mode=fragment&response_type=code&scope=openid
> [6] http://idp.xxx.net
> [7] http://88.12.13.14:0
> [8] https://lists.jboss.org/mailman/listinfo/keycloak-user
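
An added diagnostic example, not part of the original thread or of Keycloak: it parses a request dump in the `key=value` / `header=Name=value` layout quoted above and reports headers that arrive more than once, the kind of duplicated header recalled at the top of the thread, plus forwarded values that differ from the scheme, host and port the server resolved. The sample dumps are constructed from values in the quoted message; `parse_dump`, `audit` and the header-to-field pairing are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample in the layout of the request dump quoted above.
CLEAN_DUMP = """\
header=X-Forwarded-Proto=https
header=X-Forwarded-Port=443
header=Host=idp.xxx.net
header=X-Forwarded-Host=idp.xxx.net
scheme=https
host=idp.xxx.net
serverPort=443
"""
# Constructed variant: X-Forwarded-Proto arrives twice with different values.
DUPLICATE_DUMP = CLEAN_DUMP.replace(
    "header=X-Forwarded-Proto=https\n",
    "header=X-Forwarded-Proto=http\nheader=X-Forwarded-Proto=https\n")

# Forwarded header -> dump field the server derived from it (assumed pairing).
PAIRS = [("x-forwarded-proto", "scheme"),
         ("x-forwarded-port", "serverPort"),
         ("x-forwarded-host", "host")]

def parse_dump(text):
    """Return (fields, headers); headers maps lower-cased name to a value list."""
    fields, headers = {}, defaultdict(list)
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail quote markers
        key, sep, value = line.partition("=")
        if not sep:
            continue  # separator and blank lines carry no key=value pair
        if key == "header":
            name, _, hvalue = value.partition("=")
            headers[name.strip().lower()].append(hvalue.strip())
        else:
            fields[key.strip()] = value.strip()
    return fields, dict(headers)

def audit(text):
    """Report repeated headers and forwarded values the server did not adopt."""
    fields, headers = parse_dump(text)
    findings = [f"duplicate header {name}: {values}"
                for name, values in sorted(headers.items()) if len(values) > 1]
    for header, field in PAIRS:
        for value in headers.get(header, []):
            if field in fields and value != fields[field]:
                findings.append(
                    f"{header}={value!r} disagrees with {field}={fields[field]!r}")
    return findings
```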