Hey,
maybe to add a bit of more info:
- keycloak installed with jboss/keycloak:4.0.0.Final image onto k8s using helm chart
- proxy mode engaged:
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)
I am really running out of ideas what to change to get this running. I’ve tried the following without success:
- changing the format of undertow acl specification
- adding the proxy-peer-filter:
/subsystem=undertow/configuration=filter/expression-filter=my-proxy-peer-address:add(expression="proxy-peer-address")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=my-proxy-peer-address:add()
- tried without ingress controller using `X-Forwarded-For` directly to keycloak pod
Any clues?
Thank you in advance,
br, Jernej
On 24 Aug 2018, at 16:15, Jernej Porenta <jernej.porenta(a)3fs.si> wrote:
Hey,
based on the documentation for IP restrictions
(https://www.keycloak.org/docs/latest/server_admin/index.html#ip-restriction), I’ve tried
to set up a filter which would allow access to the administrative interfaces only from
specific IPs.
We have used the following commands:
/subsystem=undertow/configuration=filter/expression-filter=ipAccess:add(expression="path-prefix[/auth/admin] -> ip-access-control(acl={'193.189.160.11/32 allow'})")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=ipAccess:add()
But unfortunately, this has totally blocked our access to administrative interfaces.
We are running this setup in k8s behind Azure Application Gateway and the k8s ingress nginx
controller. Both proxies have been configured to add `X-Forwarded-For` headers, yet we
are still receiving a 403 error.
We have dug into the issue a bit more and got some more information:
- it seems Keycloak sees the right IP when we try to log in to a fake realm:
12:29:41,069 WARN [org.keycloak.events] (default task-40) type=LOGIN_ERROR,
realmId=master, clientId=account, userId=null, ipAddress=193.189.160.11,
error=user_not_found, auth_method=openid-connect, auth_type=code,
redirect_uri=https://taurus1.siol.net/auth/realms/master/account/login-re...,
code_id=13e0eb84-852a-47b0-94e8-d469fb66219d, username=asdfasd
- but when we try to access the admin console, we get 403. The requestDumper gives us this:
==============================================================
14:13:36,876 INFO [io.undertow.request.dump] (default I/O-6)
----------------------------REQUEST---------------------------
URI=/auth/admin/
characterEncoding=null
contentLength=-1
contentType=null
cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564
header=X-Real-IP=193.189.160.11
header=Cache-Control=max-age=0
header=Accept-Encoding=gzip, deflate, br
header=X-Request-ID=2eb23a96b4fba4324505c7c5df424c64
header=X-Original-Forwarded-For=193.189.160.11:58359
header=X-Scheme=https
header=Connection=close
header=X-Forwarded-Port=443
header=X-ORIGINAL-HOST=taurus1.siol.net
header=X-Forwarded-For=193.189.160.11
header=X-ARR-SSL=3072|256|C=FI, S=Jorvas, L=Jorvas, O=Ericsson, OU=IoT, CN=IoT, E=spam(a)ericsson.com|CN=dev.example.com, S=Stockholm, C=SE, O=Ericsson, OU=Development
header=Cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564
header=Host=taurus1.siol.net
header=X-Forwarded-Host=taurus1.siol.net
header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
header=Accept-Language=en-US,en;q=0.9
header=Max-Forwards=10
header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
header=SEC-WEBSOCKET-EXTENSIONS=
header=X-ARR-LOG-ID=5394f13f-d8a8-490b-9853-efd8e115e3a6
header=X-Forwarded-Proto=https
header=X-Original-URI=/auth/admin/
header=X-Original-URL=/auth/admin/
header=Upgrade-Insecure-Requests=1
locale=[en_US, en]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=193.189.160.11:0
remoteHost=193.189.160.11
scheme=https
host=taurus1.siol.net
serverPort=443
--------------------------RESPONSE--------------------------
contentLength=74
contentType=text/html
header=Connection=close
header=Content-Length=74
header=Content-Type=text/html
header=Date=Fri, 24 Aug 2018 14:13:36 GMT
status=403
==============================================================
Any clues what we are doing wrong?
Thank you in advance, br, Jernej
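The following is an added example, not code from the thread or from Keycloak/Undertow: a small Python model of the decision the `ip-access-control` filter makes, using the ACL entry from the post and a request built from the requestDumper output above. The cluster-internal peer addresses and the `TRUSTED_PROXIES` range are assumptions; the trusted-proxy check before honouring `X-Forwarded-For` is the model's own hardening, not Undertow's default behaviour, and the example does not diagnose the 403 seen in the thread.

```python
"""Model of the admin-console IP restriction discussed in the thread (added example)."""
import ipaddress

# Same shape as the acl={...} attribute in the post: "<cidr> allow|deny", evaluated in order.
ADMIN_ACL = ["193.189.160.11/32 allow"]
# Assumption: the address range of the proxies (ingress pods) we trust to set X-Forwarded-For.
TRUSTED_PROXIES = ["10.244.0.0/16"]


def parse_acl(entries):
    """Turn "cidr verb" strings into (network, allowed) rules, keeping their order."""
    rules = []
    for entry in entries:
        cidr, verb = entry.split()
        rules.append((ipaddress.ip_network(cidr, strict=False), verb == "allow"))
    return rules


def effective_peer(remote_addr, headers, proxy_address_forwarding):
    """Return the address the ACL is evaluated against.

    Without proxy-address-forwarding the socket peer (remoteAddr, "ip:port") is used,
    which behind an ingress is the proxy, not the browser. With it, the first
    X-Forwarded-For entry is used; this model only honours that header when the
    socket peer is a trusted proxy, because any other peer could have set it itself.
    """
    socket_peer = ipaddress.ip_address(remote_addr.rsplit(":", 1)[0])  # IPv4 only
    xff = headers.get("X-Forwarded-For")
    if not proxy_address_forwarding or not xff:
        return socket_peer
    if not any(socket_peer in ipaddress.ip_network(n) for n in TRUSTED_PROXIES):
        return socket_peer
    return ipaddress.ip_address(xff.split(",")[0].strip())


def ip_access_control(peer, rules, default_allow=False):
    """First matching rule wins; an unmatched address gets the default (deny -> 403)."""
    for network, allowed in rules:
        if peer in network:
            return 200 if allowed else 403
    return 200 if default_allow else 403


def decide(remote_addr, headers, proxy_address_forwarding=True):
    """HTTP status the model would give a request for /auth/admin/."""
    peer = effective_peer(remote_addr, headers, proxy_address_forwarding)
    return ip_access_control(peer, parse_acl(ADMIN_ACL))


if __name__ == "__main__":
    # Request as in the dump above: remoteAddr already rewritten to the client address.
    print(decide("193.189.160.11:0", {"X-Forwarded-For": "193.189.160.11"}))
    # Constructed: socket peer is an ingress pod, client only visible via X-Forwarded-For.
    print(decide("10.244.1.7:41234", {"X-Forwarded-For": "193.189.160.11"}, False))
```

Running the two cases at the bottom shows the same client address allowed when it is the socket peer and denied when it is hidden behind an ingress pod with proxy-address-forwarding off.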