Re: [keycloak-user] KEYCLOAK w/ NGINX Reverse Proxy

Maybe take a look at advice in this thread: http://lists.jboss.org/pipermail/keycloak-user/2016-January/004413.html On Thu, Jan 14, 2016 at 3:44 PM, Christopher Wallace <cjwallac(a)gmail.com&gt; wrote: > Marko, Thanks for your feedback! > > We have successfully pass that problem and are able to login to KEYCLOAK > behind NGINX using HTTPS Proxy. Our challenge now is when our applications > attempt to access we get the following error: > > Request URL: > https://sso2.company.com/auth/realms/master/tokens/access/codes > Request Method: > POST > Status Code: > 400 Bad Request > Remote Address: > 99.99.99.99:443 > > Response Headersview source > > Connection: > keep-alive > Content-Type: > application/json > Date: > Thu, 14 Jan 2016 14:35:52 GMT > Server: > nginx/1.4.6 (Ubuntu) > Transfer-Encoding: > chunked > X-Powered-By: > Undertow/1 > > Request Headersview source > > Accept: > */* > Accept-Encoding: > gzip, deflate > Accept-Language: > en-US,en;q=0.8 > Authorization: > Basic bXByLXBsYXRmb3JtOmU1MGYxODEyLTYzYTQtNGM0YS05NWQ > Connection: > keep-alive > Content-Length: > 172 > Content-type: > application/x-www-form-urlencoded > Cookie: > KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzNGY0ZDI1OS02NzJjLTQzYjUtOGFmOC1hNzkwMWRiMDUxMmYiLCJleHAiOjE0NTI4MTgxNTMsIm5iZiI6MCwiaWF0IjoxNDUyNzgyMTUzLCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiOWRiNjdhNGQtOWIwMS00NjgxLTlmYmMtZDQ3N2Y1NTgyMGYyIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.JyQIOJk5214-n4y0RkpEuLJWY4u6Z4Fu_086Z9nwM9BU8TarV-oH6cxZEBYakyL8pvmwf0CWHMmN3XNF-Zv4b1UPutcLP7IChM1EEr4F1tPxwmddYS1M90NdY7Bzn2R36mnASZqczMMAisd-OE2TU8oDgMyg0Rb0iZNIi_jJU_Rd-na4qhfuBojF_u8BSFjSJsd3agjF5ZZ9ok9mo2McCMDaV21vozVryIkR1vfAKPWf6WI8fEQBpDAFsh37M_k > DNT: > 1 > Host: > sso2.company.com > Origin: > http://app.local.company.com > Referer: > http://app.local.company.com/App/ > User-Agent: > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, > like Gecko) Chrome/47.0.2526.106 Safari/537.36 > > Form Dataview sourceview URL encoded > > code: > Vyzj7f-Aq2anYTJy7AoK4e6h0s2Ypp0vQ6okx7lWlRo.d2acab15-f708-4838-bd4b-2562fd46f8e2 > redirect_uri: > http://app.local.company.com/App/ > > Please do note that this same application is able KEYCLOAK using basically > the same configuration without NGINX in the MIX. Have any thoughts was to > what we should look to configure differently with NGIX in the mix? > > On Mon, Jan 4, 2016 at 7:16 AM Marko Strukelj <mstrukel(a)redhat.com&gt; wrote: >> >> The error 'org.apache.http.conn.HttpHostConnectException: Connection to >> https://sso2.domain.com refused' means that either there is a server side >> problem - your Nginx isn't started and listening on port 443, a firewall >> preventing incoming connections - or there is a client side problem - a DNS >> issue improperly resolving sso2.domain.com into IP on the host where Tomcat >> is running. >> >> At this point no SSL handshaking was attempted yet. >> >> If you try 'curl https://sso2.domain.com' or 'telnet sso2.domain.com 443' >> from the server running your Tomcat you'll see the same issue. Once that >> starts to work, only then will any SSL / proxying related configuration >> issues start to manifest themselves. >> >> On Wed, Dec 30, 2015 at 11:34 PM, Christopher Wallace < cjwallac(a)gmail.com&gt; >> wrote: >>> >>> Community, I have spent a decent amount of time attempting to get >>> KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application. It >>> does work without the proxy, but I need the proxy to handle certificates. I >>> think I am pretty close to having it working, but somethings seems to be >>> missing... I have done the following. I appreciate any insight you may have >>> as I think I have exhausted other resources. >>> >>> 1. Configure a server in NGINX >>> >>> server { >>> >>> listen 443; >>> >>> >>> ssl on; >>> >>> ssl_certificate /etc/ssl/certs/dcf30de94f28f16f.crt; >>> >>> ssl_certificate_key /etc/ssl/certs/*.domain.key; >>> >>> >>> server_name sso2. domain.com; >>> >>> access_log /var/log/nginx/nginx.sso.access.log; >>> >>> error_log /var/log/nginx/nginx.sso.error.log; >>> >>> location / { >>> >>> proxy_set_header Host $host; >>> >>> proxy_set_header X-Real-IP $remote_addr; >>> >>> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; >>> >>> proxy_set_header X-Forwarded-Proto $scheme; >>> >>> proxy_set_header X-Forwarded-Port 443; >>> >>> proxy_pass http://internalip:8080; >>> >>> } >>> >>> } >>> >>> 2. Enable SSL on a Reverse Proxy >>> >>> First add proxy-address-forwarding and redirect-socket to the >>> http-listener element: >>> >>> <subsystem xmlns="urn:jboss:domain:undertow:1.1"> >>> ... >>> <http-listener name="default" socket-binding="http" >>> proxy-address-forwarding="true" redirect-socket="proxy-https"/> >>> ... >>> </subsystem> >>> >>> Then add a new socket-binding element to the socket-binding-group >>> element: >>> >>> <socket-binding-group name="standard-sockets" default-interface="public" >>> port-offset="${jboss.socket.binding.port-offset:0}"> >>> ... >>> <socket-binding name="proxy-https" port="443"/> >>> ... >>> </socket-binding-group> >>> >>> >>> RECIVE THE FOLLOWING ERROR in TOMCAT: >>> >>> 1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator - >>> failed to turn code into token >>> >>> org.apache.http.conn.HttpHostConnectException: Connection to >>> https://sso2.domain.com refused >>> >>> at >>> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) >>> ~[httpclient-4.2.1.jar:4.2.1] >>> >>> at >>> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) >>> ~[httpclient-4.2.1.jar:4.2.1] >>> >>> at >>> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) >>> ~[httpclient-4.2.1.jar:4.2.1] >>> >>> at >>> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) >>> ~[httpclient-4.2.1.jar:4.2.1] >>> >>> at >>> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) >>> ~[httpclient-4.2.1.jar:4.2.1] >>> >>> at >>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) >>> ~[httpclient-4.2.1.jar:4.2.1] >>> >>> at >>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) >>> ~[httpclient-4.2.1.jar:4.2.1] >>> >>> at >>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) >>> ~[httpclient-4.2.1.jar:4.2.1] >>> >>> at >>> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90) >>> ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >>> >>> at >>> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297) >>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >>> >>> at >>> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243) >>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >>> >>> at >>> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95) >>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >>> >>> at >>> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189) >>> [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final] >>> >>> at >>> org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28) >>> [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final] >>> >>> at >>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) >>> [lib/:na] >>> >>> at >>> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170) >>> [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final] >>> >>> at >>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) >>> [lib/:na] >>> >>> at >>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) >>> [lib/:na] >>> >>> at >>> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) >>> [lib/:na] >>> >>> at >>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) >>> [lib/:na] >>> >>> at >>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) >>> [lib/:na] >>> >>> at >>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) >>> [tomcat-coyote.jar:8.0.18] >>> >>> at >>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) >>> [tomcat-coyote.jar:8.0.18] >>> >>> at >>> org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) >>> [tomcat-coyote.jar:8.0.18] >>> >>> at >>> org.apache.tomcat.util.net .NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) >>> [tomcat-coyote.jar:8.0.18] >>> >>> at >>> org.apache.tomcat.util.net .NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) >>> [tomcat-coyote.jar:8.0.18] >>> >>> at >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>> [na:1.8.0_25] >>> >>> at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>> [na:1.8.0_25] >>> >>> at >>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) >>> [tomcat-util.jar:8.0.18] >>> >>> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25] >>> >>> Caused by: java.net.ConnectException: Connection timed out >>> >>> at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25] >>> >>> at >>> java.net .AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345) >>> ~[na:1.8.0_25] >>> >>> at >>> java.net .AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) >>> ~[na:1.8.0_25] >>> >>> at >>> java.net .AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) >>> ~[na:1.8.0_25] >>> >>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) >>> ~[na:1.8.0_25] >>> >>> at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25] >>> >>> at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) >>> ~[na:1.8.0_25] >>> >>> at >>> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549) >>> ~[httpclient-4.2.1.jar:4.2.1] >>> >>> at >>> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) >>> ~[httpclient-4.2.1.jar:4.2.1] >>> >>> ... 29 common frames omitted >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >