Re: [keycloak-user] Keycloak admin-panel. Infinite loop.

Hi, Yes the problem is definitely on the proxy setup, but what is the problem? I am not so familiar with the jboss/wildfly (tomcat is usually my weapon of choice). So I am not sure what I am missing. And yes, if I create ssh tunnel to the KC server I can login and everything is working just like I expected. I tried the search before I posted the question, because I didn't find the answer. If the httpd and KC are on same server everything works. That was my previous setup, but now I want to dedicate one server just for reverse proxy role. -Keijo On 2017-02-03 10:32, Stian Thorgersen wrote: > Is everything working fine if you go directly to the Keycloak server? > Someone reported a similar issue a few weeks ago and it turned out to > be an issue in the proxy setup. I can't remember the details, but > maybe you can find it on http://www.keycloak.org/search.html > > On 2 February 2017 at 18:04, <keijo.korte(a)kvak.net&gt; wrote: > >> Hi, >> >> Setup: >> OS: Centos 6.8 >> Keycloak version, 2.5.1-FINAL >> httpd version 2.2.15 >> >> I have configured httpd as a SSL off loading reverse proxy for >> Keycloak >> server. The proxy and the Keycloak are on different servers. >> Basically everything works fine, but I can't log in because I am >> been >> redirected back to the square one all the time. >> >> Here is the flow: >> >> GET https://idp.xxx.net/auth/admin/ [1] >> >> GET >> > https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?clien... >> [2] >> >> POST >> > https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH... >> [3] >> >> GET >> > https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8... >> [4] >> >> GET lots of resources: /config, login-status-iframe.html, /token, >> /messages.json and so on >> >> GET >> > https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?clien... >> [5] >> >> and the same thing from the start. Forever. >> >> httpd configuration for SSL: >> >> ***** >> <VirtualHost *:443> >> ServerName idp.xxx.net [6] >> ServerAdmin webmaster(a)xxx.net >> DocumentRoot /var/www/html/ >> <Directory /> >> Order deny,allow >> Allow from all >> Options FollowSymLinks >> AllowOverride None >> </Directory> >> <Proxy *> >> Order deny,allow >> Allow from all >> </Proxy> >> ProxyRequests Off >> RequestHeader set X-Forwarded-Proto "https" >> RequestHeader set X-Forwarded-Port "443" >> ProxyPreserveHost on >> ProxyPass / http://172.16.22.12:8080/ keepalive=On >> ProxyPassReverse / http://172.16.22.12:8080/ >> + lots of cipher suite setting and so on. >> ***** >> >> WildFly configuration: >> >> ***** >> <server name="default-server"> >> <http-listener name="default" >> proxy-address-forwarding="true" socket-binding="http" >> redirect-socket="proxy-https"/> >> <host name="default-host" alias="localhost >> idp.xxx.net [6]"> >> <location name="/" handler="welcome-content"/> >> <filter-ref name="server-header"/> >> <filter-ref name="x-powered-by-header"/> >> </host> >> </server> >> >> .... >> >> <socket-binding-group name="standard-sockets" >> default-interface="any" >> port-offset="${jboss.socket.binding.port-offset:0}"> >> <socket-binding name="management-http" >> interface="management" >> port="${jboss.management.http.port:9990}"/> >> <socket-binding name="management-https" >> interface="management" >> port="${jboss.management.https.port:9993}"/> >> <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/> >> <socket-binding name="http" >> port="${jboss.http.port:8080}"/> >> <socket-binding name="proxy-https" port="443"/> >> <socket-binding name="https" >> port="${jboss.https.port:8443}"/> >> <socket-binding name="txn-recovery-environment" >> port="4712"/> >> <socket-binding name="txn-status-manager" port="4713"/> >> <outbound-socket-binding name="mail-smtp"> >> <remote-destination host="localhost" port="25"/> >> </outbound-socket-binding> >> </socket-binding-group> >> >> ***** >> >> Does someone has some kind of clue why I am been redirected? >> First I think that this was some kind of http/https redirect >> problem, >> but when I enabled requestdumper @ wildfly I can see that everything >> is >> HTTPS. >> >> ***** >> >> ----------------------------REQUEST--------------------------- >> URI=/ >> characterEncoding=null >> contentLength=-1 >> contentType=null >> >> > header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 >> header=Accept-Language=en-US,en;q=0.5 >> header=Accept-Encoding=gzip, deflate, br >> header=X-Forwarded-Server=idp.xxx.net [6] >> header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS >> X >> 10.11; rv:51.0) Gecko/20100101 Firefox/51.0 >> header=Connection=Keep-Alive >> header=X-Forwarded-Proto=https >> header=X-Forwarded-Port=443 >> header=X-Forwarded-For=88.12.13.14 >> header=Upgrade-Insecure-Requests=1 >> header=Host=idp.xxx.net [6] >> header=X-Forwarded-Host=idp.xxx.net [6] >> locale=[en_US, en] >> method=GET >> protocol=HTTP/1.1 >> queryString= >> remoteAddr=88.12.13.14:0 [7] >> remoteHost=88.12.13.14 >> scheme=https >> host=idp.xxx.net [6] >> serverPort=443 >> ***** >> >> -Keijo >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user [8] > > > Links: > ------ > [1] https://idp.xxx.net/auth/admin/ > [2] > https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?clien... > [3] > https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH... > [4] > https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8... > [5] > https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?clien... > [6] http://idp.xxx.net > [7] http://88.12.13.14:0 > [8] https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user