I pinned this down: it's only an issue when running Keycloak behind an
nginx proxy.
My current stripped down nginx config:
/etc/nginx/nginx.conf:

include /usr/share/nginx/modules/*.conf;
user nginx;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 30000;

events {
    worker_connections 4096;
    multi_accept on;
}

http {
    log_format main '$http_host $remote_addr [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$request_time $upstream_response_time';
    access_log /var/log/nginx/access.log main;
    server_tokens off;
    include /etc/nginx/mime.types;
    include /etc/nginx/conf.d/*.conf;
}

/etc/nginx/conf.d/keycloak.conf:

server {
    listen 443 ssl;
    server_name REDACTED;
    ssl_certificate /etc/pki/tls/certs/REDACTED.cer;
    ssl_certificate_key /etc/pki/tls/private/REDACTED.key;

    location / {
        proxy_http_version 1.1;
        proxy_pass ;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
    }
}
Is there a recommended nginx configuration for Keycloak?
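To make the "Illegal character in path at index 67" message further down this thread concrete, here is an added example (my own code, not Keycloak's, RESTEasy's or the list's) that applies the RFC 3986 path grammar to the URL from the log and reports the offset the way java.net.URISyntaxException does: zero-based, counted from the start of the whole URL string. The failing URL is copied from the log with the mail client's line wrap removed; the comparison URL without the JSON is a constructed one.

```python
"""Find the first character java.net.URI would reject in a URL path.

Added example for the keycloak-user thread (not Keycloak or RESTEasy code).
It applies the RFC 3986 path grammar and reports the offset the same way
java.net.URISyntaxException does: zero-based, from the start of the URL.
"""

# RFC 3986: pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
# A path additionally allows "/" between segments.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
PATH_CHARS = UNRESERVED | SUB_DELIMS | set(":@/")
HEXDIGITS = set("0123456789abcdefABCDEF")

# The URL from the RESTEASY003330 message, with the mail client's line wrap removed.
FAILING_URL = (
    "https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/"
    '{"port":null,"host":"mail.rdmedia.com","ssl":"","starttls":"",'
    '"auth":"","from":"account@rdmedia.com"}'
)
# Constructed comparison: the same endpoint without the JSON in the path.
VALID_URL = "https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection"


def path_span(url):
    """Return (start, end) offsets of the path component within url."""
    scheme_end = url.find("://")
    start = url.find("/", scheme_end + 3) if scheme_end != -1 else 0
    if start == -1:  # authority only, empty path
        return len(url), len(url)
    end = len(url)
    for stop in "?#":  # query and fragment are not part of the path
        pos = url.find(stop, start)
        if pos != -1:
            end = min(end, pos)
    return start, end


def first_illegal_path_char(url):
    """Return (index, char) of the first illegal path character, or None if the path is valid."""
    i, end = path_span(url)
    while i < end:
        c = url[i]
        if c == "%":
            hexpair = url[i + 1:i + 3]
            if len(hexpair) == 2 and set(hexpair) <= HEXDIGITS:
                i += 3  # well-formed percent-encoding, skip it whole
                continue
            return i, c  # a bare "%" is illegal
        if c not in PATH_CHARS:
            return i, c
        i += 1
    return None


def report(url):
    """Describe the failure so a zero-based index is not misread as a one-based position."""
    hit = first_illegal_path_char(url)
    if hit is None:
        return None
    idx, c = hit
    return {
        "index": idx,                                      # what URISyntaxException prints
        "char": c,                                         # the character the parser rejected
        "one_based_char": url[idx - 1] if idx > 0 else None,  # where counting from 1 lands
    }


if __name__ == "__main__":
    print(report(FAILING_URL))  # {'index': 67, 'char': '{', 'one_based_char': '/'}
    print(report(VALID_URL))    # None
```

Running it shows that the zero-based index 67 the parser reports is the opening brace of the JSON that ended up in the path, while the 67th character counted from 1 is the slash after testSMTPConnection. The same check run over a proxy's access log would flag request lines whose path carries a JSON document, which is where the proxied request and the direct request can be compared.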
On 14 July 2017 at 11:59, Stian Thorgersen <sthorger(a)redhat.com> wrote:
I've tried the same steps and we have tests that do the same steps. So
there's something more to it. You can create a JIRA sure, but we need to be
able to reproduce it.
Ideal is that you can reproduce it with a fresh install of Keycloak
directly on your box with a fresh DB as well.
On 14 July 2017 at 10:42, Tiemen Ruiten <t.ruiten(a)rdmedia.com> wrote:
> Stian, does this help? Should I file a bug report?
>
> If anyone could give me some pointers for a workaround, that would also
> be much appreciated.
>
>
> On 12 July 2017 at 13:09, Tiemen Ruiten <t.ruiten(a)rdmedia.com> wrote:
>
>> OK, so I rolled a new Keycloak instance and it gives me the exact same
>> error. Reproducing is trivial:
>>
>> - login
>> - click Realm Settings
>> - click Email tab
>> - Fill in Host and From fields
>> - Hit 'Test connection'
>>
>> I can share the Ansible playbook I used to setup the VM privately if
>> you'd like.
>>
>> On 12 July 2017 at 11:43, Tiemen Ruiten <t.ruiten(a)rdmedia.com> wrote:
>>
>>> Hm, it's an almost vanilla Keycloak setup (however upgraded from 3.1.0
>>> to 3.2.0), in fact the only changes in standalone.xml are related to the
>>> keystore and database. I'll see if I can setup another instance and
>>> reproduce there.
>>>
>>> On 11 July 2017 at 07:35, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>>>
>>>> Tried to reproduce this, but can't and it's working just fine here. Do
>>>> you have steps to reproduce?
>>>>
>>>> On 10 July 2017 at 16:04, Tiemen Ruiten <t.ruiten(a)rdmedia.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I get the following error when hitting the 'Test connection' button
>>>>> on the email tab in Realm settings:
>>>>>
>>>>> 2017-07-10 15:55:27,316 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 3.2.0.Final (WildFly Core 2.0.10.Final) started in 21731ms - Started 449 of 824 services (561 services are lazy, passive or on-demand)
>>>>> 2017-07-10 15:56:48,997 WARN [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-11) RESTEASY002130: Failed to parse request.: javax.ws.rs.core.UriBuilderException: RESTEASY003330: Failed to create URI: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{"port":null,"host":"mail.rdmedia.com","ssl":"","starttls":"","auth":"","from":"account@rdmedia.com"}
>>>>>     at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:749)
>>>>>     at org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(ResteasyUriBuilder.java:721)
>>>>>     at org.jboss.resteasy.spi.ResteasyUriInfo.initialize(ResteasyUriInfo.java:58)
>>>>>     at org.jboss.resteasy.spi.ResteasyUriInfo.<init>(ResteasyUriInfo.java:53)
>>>>>     at org.jboss.resteasy.plugins.server.servlet.ServletUtil.extractUriInfo(ServletUtil.java:41)
>>>>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:200)
>>>>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>> Caused by: java.net.URISyntaxException: Illegal character in path at index 67: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{"port":null,"host":"mail.rdmedia.com","ssl":"","starttls":"","auth":"","from":"account@rdmedia.com"}
>>>>>     at java.net.URI$Parser.fail(URI.java:2848)
>>>>>     at java.net.URI$Parser.checkChars(URI.java:3021)
>>>>>     at java.net.URI$Parser.parseHierarchical(URI.java:3105)
>>>>>     at java.net.URI$Parser.parse(URI.java:3053)
>>>>>     at java.net.URI.<init>(URI.java:588)
>>>>>     at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:744)
>>>>>     ... 40 more
>>>>>
>>>>> The 67th character is the slash after testSMTPConnection. Is this a bug
>>>>> and/or is there a workaround/fix?
>>>>>
>>>>> --
>>>>> Tiemen Ruiten
>>>>> Systems Engineer
>>>>> R&D Media
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Tiemen Ruiten
>>> Systems Engineer
>>> R&D Media
>>>
>>
>>
>>
>> --
>> Tiemen Ruiten
>> Systems Engineer
>> R&D Media
>>
>
>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>