3:58 p.m.
Ended up figuring this out, just to save whatever poor soul has to go down
the same/similar path here's what I did. I'm curious why I didn't get any
errors when running keycloak with debug logging turned on as this must be
some kind of host re-write problem with wildfly/keycloak.
First the only configuration I had to set in standalone.xml was (I removed
all the other custom configurations I had in place the rest is the vanilla
standalone.xml )
<http-listener name="http-default" socket-binding="http"
redirect-socket="https" proxy-address-forwarding="true"/>
Wildfly10 Docs for this:
https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configura...
Nginx configuration:
server {
listen 80;
server_name keycloak_testing.leveldatadevelopment.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name keycloak_testing.leveldatadevelopment.com;
ssl_certificate /etc/nginx/ssl/star.leveldatadevelopment.com.crt;
ssl_certificate_key /etc/nginx/ssl/star.leveldatadevelopment.com.key;
location / {
proxy_set_header *Host $host*;
proxy_set_header X-Real-IP $remote_addr; #*Not sure this is
needed for wildfly/keycloak*
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect http:// https://;
proxy_pass http://0.0.0.0:8080;
}
}
Note the Host different, with Host $host:$server_port; I receive a white
page when logging into the admin URL. *Why would this happen*? Only mention
of the host header I could find in the wildFly documentation is
https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configura...
Also to get past the invalid_redirect_uri issue,
1. Run keycloak locally
2. Go to the Clients settings in the Master Realm
3. Click edit on the security-admin-console client id (You may also have
to do this with the account client ID I'm not certain)
4. Add valid redirect URI's for your new domain, for example
https://website.com/* (Docs tell you to be as limited as possible with
these so in production limit down your redirect URI's as much as possible)
Hope this helps someone in the future! What do you think? Should this be
added to the documentation somewhere or should some kind of error be thrown
in this circumstance? I'm not certain if it's Wildfly or keycloak causing
this to happen I didn't dig quite hard enough to find out :(
On Thu, Jul 21, 2016 at 5:21 PM, Derek Visch <derek.visch(a)gmail.com> wrote:
Trying to setup reverse SSL for keycloak. Having issues finding
documentation about this, it's mentioned in
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
but the extra detail that's supposed to be in
https://keycloak.gitbooks.io/server-adminstration-guide/content/ I could
not find in regards to reverse SSL proxys.
Regardless I ended up following
http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html
From that previous mailling list post:
Follow the documentation for your web server to enable SSL and configure reverse proxy
for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For
and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable
proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy
doesn't use port 8443 for SSL you also need to configure what port http traffic is
redirected to. This is done by editing standalone/configuration/standalone.xml.
First add proxy-address-forwarding and redirect-socket to the http-listener element:
<subsystem xmlns="urn:jboss:domain:undertow:1.1">
...
<http-listener name="default" socket-binding="http"
proxy-address-forwarding="true" redirect-socket="proxy-https"/>
...
</subsystem>
Then add a new socket-binding element to the socket-binding-group element:
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
...
<socket-binding name="proxy-https" port="443"/>
...
</socket-binding-group>
but now when I go to log on to the admin console I get "We're sorry ...
Invalid aparameter: redirect uri".
Tried stack overflow / google / IRC. No luck so far.
Any help would be appreciated :D
Thanks
--
*Derek Visch* / Software Developer / Network Technician
dvisch(a)leveldata.com <bipema(a)leveldata.com> / Direct: 269-488-2037
*Level Data Inc.*
Office: 866.511.3282
4787 Campus Dr. | Kalamazoo, MI 49008
http://www.leveldata.com
5:51 a.m.
New subject: Reverse Proxy - SSL Termination - Invalid parameter: redirect uri
We have some docs for this here
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
Marek
On 01/08/16 22:58, Derek Visch wrote:
Ended up figuring this out, just to save whatever poor soul has to go
down the same/similar path here's what I did. I'm curious why I didn't
get any errors when running keycloak with debug logging turned on as
this must be some kind of host re-write problem with wildfly/keycloak.
First the only configuration I had to set in standalone.xml was (I
removed all the other custom configurations I had in place the rest is
the vanilla standalone.xml )
<http-listener name="http-default" socket-binding="http"
redirect-socket="https" proxy-address-forwarding="true"/>
Wildfly10 Docs for this:
https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configura...
Nginx configuration:
server {
listen 80;
server_name keycloak_testing.leveldatadevelopment.com
<http://keycloak_testing.leveldatadevelopment.com>;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name keycloak_testing.leveldatadevelopment.com
<http://keycloak_testing.leveldatadevelopment.com>;
ssl_certificate /etc/nginx/ssl/star.leveldatadevelopment.com.crt;
ssl_certificate_key /etc/nginx/ssl/star.leveldatadevelopment.com.key;
location / {
proxy_set_header *Host $host*;
proxy_set_header X-Real-IP $remote_addr; #*Not sure this is
needed for wildfly/keycloak*
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect http:// https://;
proxy_pass http://0.0.0.0:8080;
}
}
Note the Host different, with Host $host:$server_port; I receive a
white page when logging into the admin URL. *Why would this happen*?
Only mention of the host header I could find in the wildFly
documentation is
https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configura...
Also to get past the invalid_redirect_uri issue,
1. Run keycloak locally
2. Go to the Clients settings in the Master Realm
3. Click edit on the security-admin-console client id (You may also
have to do this with the account client ID I'm not certain)
4. Add valid redirect URI's for your new domain, for example
https://website.com/* (Docs tell you to be as limited as possible
with these so in production limit down your redirect URI's as much
as possible)
Hope this helps someone in the future! What do you think? Should this
be added to the documentation somewhere or should some kind of error
be thrown in this circumstance? I'm not certain if it's Wildfly or
keycloak causing this to happen I didn't dig quite hard enough to find
out :(
On Thu, Jul 21, 2016 at 5:21 PM, Derek Visch <derek.visch(a)gmail.com
<mailto:derek.visch@gmail.com>> wrote:
Trying to setup reverse SSL for keycloak. Having issues finding
documentation about this, it's mentioned in
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
but the extra detail that's supposed to be in
https://keycloak.gitbooks.io/server-adminstration-guide/content/ I
could not find in regards to reverse SSL proxys.
Regardless I ended up following
http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html
From that previous mailling list post:
Follow the documentation for your web server to enable SSL and configure reverse
proxy for Keycloak. It is important that you make sure the web server sets the
X-Forwarded-For and X-Forwarded-Proto headers on the requests made to Keycloak. Next you
need to enable proxy-address-forwarding on the Keycloak http connector. Assuming that your
reverse proxy doesn't use port 8443 for SSL you also need to configure what port http
traffic is redirected to. This is done by editing
standalone/configuration/standalone.xml.
First add proxy-address-forwarding and redirect-socket to the http-listener element:
<subsystem xmlns="urn:jboss:domain:undertow:1.1">
...
<http-listener name="default" socket-binding="http"
proxy-address-forwarding="true" redirect-socket="proxy-https"/>
...
</subsystem>
Then add a new socket-binding element to the socket-binding-group element:
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
...
<socket-binding name="proxy-https" port="443"/>
...
</socket-binding-group>
but now when I go to log on to the admin console I get "We're
sorry ... Invalid aparameter: redirect uri".
Tried stack overflow / google / IRC. No luck so far.
Any help would be appreciated :D
Thanks
--
*Derek Visch* / Software Developer / Network Technician
dvisch(a)leveldata.com <mailto:bipema@leveldata.com> / Direct: 269-488-2037
*Level Data Inc.*
Office: 866.511.3282
4787 Campus Dr. | Kalamazoo, MI 49008
http://www.leveldata.com <http://www.leveldata.com/>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3081
days inactive
3084
days old
1 comments
2 participants
participants (2)
-
Derek Visch -
Marek Posolda