This is set from the HTTP request URL, so it looks like your Keycloak is
seeing "http://machine01.our.domain:8081/auth" as the request URL
instead of "http://lb.our.domain/auth/admin/governance/console/config".
Maybe the setting of X-Forwarded-Host on your LB side?
Marek
On 08/09/16 13:05, KASALA Štefan wrote:
Hello,
Finally we upgraded to Keycloak 2.1.0.Final. We have configured an Apache
httpd proxy in front of the server. We configured the Keycloak server
according to
https://keycloak.gitbooks.io/server-installation-and-configuration/conten....
The configuration is still not complete/correct; probably I missed
something. When I access the proxied URL for either of our configured
realms I get the unproxied auth-server-url:
[localuser@machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/governance/console/config | python -m json.tool
{
"auth-server-url": "http://machine01.our.domain:8081/auth",
"public-client": true,
"realm": "governance",
"realm-public-key":
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
"resource": "security-admin-console",
"ssl-required": "external"
}
[localuser@machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool
{
"auth-server-url": "http://machine01.our.domain:8081/auth",
"public-client": true,
"realm": "master",
"realm-public-key":
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB",
"resource": "security-admin-console",
"ssl-required": "external"
}
How can I configure it to return the proxied version? Thanks.
Stefan.
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Tuesday, June 28, 2016 3:51 PM
*To:* KASALA Štefan <Stefan.Kasala(a)posam.sk>
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Getting 401 if trying to access app via
loadbalancer
Firstly, please upgrade to a more recent Keycloak version. Then refer
to
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
for details on how to set up a reverse proxy / load balancer in front
of Keycloak.
On 27 June 2016 at 09:18, KASALA Štefan <Stefan.Kasala(a)posam.sk> wrote:
Hello,
we have installed JBoss Overlord Rtgov 2.1.0 which is using
Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name
it with hostname app01. We have a load balancer under another
hostname lbapp in front of the deployed app. I am able to call the
REST interface of RtGov directly on machine app01 but not using
lbapp; I get 401 - Unauthorized from Keycloak. My guess is there
is some check against the hostname in the HTTP request. Is there some
possibility to register aliases with Keycloak to enable calls
via load balancer? Thanks.
Stefan Kasala
------------------------------------------------------------------------
This message is for the designated recipient only and may contain
confidential or internal information. If you have received it in
error, please notify the sender immediately and delete the
original. Any other use of the e-mail by you is prohibited.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
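Added example, not part of the original thread: a small Python check that compares the URL a client used through the load balancer with the "auth-server-url" returned by the console config endpoint, and reports which parts (scheme, host, port, context path) still point at the backend. The function names and the sample body (the thread's response with the public key omitted) are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the console config body from the thread, public key omitted.
SAMPLE_BODY = json.dumps({
    "auth-server-url": "http://machine01.our.domain:8081/auth",
    "public-client": True,
    "realm": "governance",
    "resource": "security-admin-console",
    "ssl-required": "external",
})
SAMPLE_REQUEST = "http://lb.our.domain/auth/admin/governance/console/config"


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def check_advertised_url(requested_url, config_body):
    """List every way the advertised auth-server-url differs from the URL the client used."""
    advertised = json.loads(config_body)["auth-server-url"]
    findings = []
    for name, want, got in zip(("scheme", "host", "port"),
                               origin(requested_url), origin(advertised)):
        if want != got:
            findings.append(f"{name}: client used {want!r}, server advertises {got!r}")
    # The client's path must sit under the advertised context path (e.g. /auth).
    base = urlsplit(advertised).path.rstrip("/") + "/"
    if not urlsplit(requested_url).path.startswith(base):
        findings.append(f"path: request is not under advertised base {base!r}")
    return findings


if __name__ == "__main__":
    problems = check_advertised_url(SAMPLE_REQUEST, SAMPLE_BODY)
    for line in problems:
        print("MISMATCH", line)
    print("advertised URL matches" if not problems
          else "advertised URL differs from the proxied URL")
```

A host or port finding means the server built its base URL from the backend connection rather than from the forwarded headers, which is the situation described in the reply at the top of the thread.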