I resolved my issue. The problem was a bad configuration in the web.xml.
There was a JavaScript client deployed along with the web application which had issues
with a greedy "url-pattern" used for the security constraint within the
web.xml.
Regards,
Jeremy
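As an added illustration of the kind of problem described above (not the poster's actual web.xml, which is not shown), here is a web.xml fragment with a greedy security constraint beside a narrowed one that leaves the JavaScript client's static files outside the login redirect; the path names /api/*, /js/* and /index.html and the role name are assumptions:

```xml
<!-- Constructed illustration; /api/*, /js/*, /index.html and the "user" role are assumptions -->

<!-- BEFORE: a greedy pattern. Every request, including the JavaScript client's
     static files, is routed through the Keycloak adapter's login redirect. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- AFTER: protect only the server-side resources the client actually calls ... -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected api</web-resource-name>
    <url-pattern>/api/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- ... and list the static client files explicitly. A security-constraint
     without an auth-constraint means no authentication is required for these. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>javascript client</web-resource-name>
    <url-pattern>/js/*</url-pattern>
    <url-pattern>/index.html</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- The Keycloak servlet adapter is selected through the KEYCLOAK auth-method -->
<login-config>
  <auth-method>KEYCLOAK</auth-method>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```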
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
On Behalf Of Kie, Jeremy, CYFD
Sent: Tuesday, November 15, 2016 11:41 AM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Reverse Proxy with SSL - Bad Request
Hello,
I've been searching for help with a problem I am encountering. I have reviewed a
number of threads in the archive but none seem to provide enough help for our setup.
Keycloak 2.1.0.Final
Apache as a reverse proxy
When accessing the application - https://apps-test.simple.com/bacon - I get redirected to
our keycloak server, but the redirect_uri is set to http://apps-test.simple.com/bacon.
When I login successfully, I get redirected, but it results in 400 - Bad Request. I see
the following lines in the app server log file:
2016-11-15 09:49:02,827 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) state parameter invalid
2016-11-15 09:49:02,827 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) cookie: 53/1e4c027f-e5aa-47f1-bd4f-e9e5f9e32577
2016-11-15 09:49:02,827 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) queryParam: 53%2F1e4c027f-e5aa-47f1-bd4f-e9e5f9e32577
I did find this thread
http://lists.jboss.org/pipermail/keycloak-user/2016-January/004449.html
What we want to do is similar, but both the auth and site (thus redirect URI) use SSL.
I'm not sure if this is giving us problems. Any help is greatly appreciated.
Regards,
Jeremy
P.S. Here is our reverse proxy config (slightly redacted):
Timeout 900
ErrorLog syslog

# Exclude all robots
<Location "/robots.txt">
    SetHandler None
</Location>
Alias /robots.txt /srv/www/htdocs/robots.txt

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    CustomLog /var/log/apache2/proxy_log proxy env=forwarded
    CustomLog /var/log/apache2/access_log combined env=!forwarded
</IfModule>

<VirtualHost *:80>
    ServerName apps-test.simple.com
    RequestHeader set X-Forwarded-Proto "http"
    RedirectMatch ^/$ https://apps-test.simple.com
    UseCanonicalName On
    RewriteEngine On
    RewriteCond %{HTTPS} off
    # REQUEST_URI already begins with "/", so no separator is needed after the host
    RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName apps-test.simple.com
    SSLEngine on
    SSLProxyEngine On
    # -ALL disables every protocol version; only TLS 1.0 is re-enabled here
    SSLProtocol -ALL +TLSv1
    SSLCertificateKeyFile /etc/apache2/ssl.key/rsa_private_key_2015.pem
    SSLCertificateFile /etc/apache2/ssl.crt/WC_simple_com_server_2015-16.crt
    SSLCertificateChainFile /etc/apache2/ssl.crt/IntermediateCA-SHA2root.crt
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM
    RequestHeader unset Range
    RequestHeader unset Request-Range
    ProxyRequests Off
    ProxyPreserveHost On
    # Tell the backends (and the Keycloak adapter) that the client connection is HTTPS
    RequestHeader add X-Forwarded-Ssl on
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
    SetEnv proxy-initial-not-pooled 1
    RedirectMatch ^/$ https://apps-test.simple.com

    <Location "/app1">
        ProxyPass "!"
    </Location>
    <Location "/app2">
        ProxyPass "!"
    </Location>

    <Location /auth/>
        ProxyPass http://keycloak:8080/auth/
        ProxyPassReverse http://keycloak:8080/auth/
        # ProxyPassReverseCookieDomain takes host names (internal public), not URLs
        ProxyPassReverseCookieDomain keycloak.simple.com apps-test.simple.com
        ProxyPassReverseCookiePath / /auth/
    </Location>

    <Location /bacon/>
        ProxyPass http://internal.simple.com:8080/bacon/
        ProxyPassReverse http://internal.simple.com:8080/bacon/
        ProxyPassReverseCookieDomain internal.simple.com apps-test.simple.com
        ProxyPassReverseCookiePath / /bacon/
    </Location>
</VirtualHost>

ServerSignature Off
ServerTokens Prod
TraceEnable off
SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user