4:24 a.m.
No, it is the link <a
href="admin/<view-source:https://as.bridgestone-bae.corp/auth/admin/>">Administration
Console</a>
I made a screenshot here : https://postimg.org/image/5q6vg95iz/482e5a3f/
Sourin Vincent - Systems Engineer
Bridgestone Aircraft Tire (Europe)
Route de Bavay - B7080 Frameries (Belgium)
Tel: +32 65 61 11 53 - Fax: +32 65 61 11 09
GSM : +32 492 97 44 99
De : Stian Thorgersen [mailto:sthorger@redhat.com]
Envoyé : mardi 25 octobre 2016 10:38
À : Vincent Sourin <sourin-v(a)bridgestone-bae.com>
Cc : keycloak-user(a)lists.jboss.org
Objet : Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
What specific link on the "welcome page" are you referring to? Is it the link in
the text "You need local access to create the initial admin user. Open <a
href="http://localhost:8080/auth">http://localhost:8080/auth</a> or use
the add-user-keycloak script."?
On 25 October 2016 at 10:05, Vincent Sourin
<sourin-v@bridgestone-bae.com<mailto:sourin-v@bridgestone-bae.com>> wrote:
All the URLs at the given address contain https and the reverse proxy hostname.
Sourin Vincent - Systems Engineer
Bridgestone Aircraft Tire (Europe)
Route de Bavay - B7080 Frameries (Belgium)
Tel: +32 65 61 11 53<tel:%2B32%2065%2061%2011%2053> - Fax: +32 65 61 11
09<tel:%2B32%2065%2061%2011%2009>
GSM : +32 492 97 44 99<tel:%2B32%20492%2097%2044%2099>
De : Stian Thorgersen [mailto:sthorger@redhat.com<mailto:sthorger@redhat.com>]
Envoyé : mardi 25 octobre 2016 09:49
À : Vincent Sourin
<sourin-v@bridgestone-bae.com<mailto:sourin-v@bridgestone-bae.com>>
Cc : keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Objet : Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
Try:
https://<hostname>/auth/realms/master/.well-known/openid-configuration<https://%3chostname%3e/auth/realms/master/.well-known/openid-configuration>
And check the URLs in the page. They should contain https and correct hostname (for your
reverse proxy, not Keycloak). If not there's an issue with your reverse proxy or
it's not configured correctly in Keycloak server. Check the installation guide for
more details.
On 24 October 2016 at 21:38, Vincent Sourin
<sourin-v@bridgestone-bae.com<mailto:sourin-v@bridgestone-bae.com>> wrote:
Yes I think X-Forwarded-* Headers and preservation of original host are set.
Actually, I’m not really a « network » guy. So for testing purpose, I use the bundle
(httpd + ssl ) provided on mod_cluster website.
I « tweak » the configuration to try to achieve SSL Termination and Websocket like this
:
------------------------ Apache Configuration ----------------------------
ServerRoot "/opt/jboss/httpd/httpd"
LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
[…]
LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so
<IfModule unixd_module>
User daemon
Group daemon
</IfModule>
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
<Directory "/opt/jboss/httpd/htdocs/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b
\"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\" %I %O" combinedio
</IfModule>
SetEnvIf Request_URI "^/check\.txt$" dontlog
CustomLog "logs/access.log" combined env=!dontlog
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/opt/jboss/httpd/htdocs/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
EnableWsTunnel
Listen XXXXXXXX:443
<VirtualHost *:443>
ServerName XXXXXXXXXXXXXXX
CreateBalancers 0
<Location /mcm>
AllowDisplay On
SetHandler mod_cluster-manager
Require ip 10.10
</Location>
<Location /check.txt>
ProxyPass !
</Location>
SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
SSLVerifyClient none
ProxyPreserveHost On
RequestHeader Set X-Forwarded-Proto "https"
</VirtualHost>
<IfModule manager_module>
Listen XXXXXXXXX:6666
<VirtualHost *:6666>
ServerName XXXXXXXXXXXXXXXXX
<Location />
Require ip 10.10
</Location>
AllowDisplay On
KeepAliveTimeout 300
MaxKeepAliveRequests 0
ServerAdvertise on
AdvertiseFrequency 5
AdvertiseGroup 224.0.1.205:24364<http://224.0.1.205:24364>
EnableMCPMReceive
ManagerBalancerName mycluster
ProxyPreserveHost On
RequestHeader Set X-Forwarded-Proto "https"
</VirtualHost>
</IfModule>
------------------------ Apache Configuration ----------------------------
De : Stian Thorgersen [mailto:sthorger@redhat.com<mailto:sthorger@redhat.com>]
Envoyé : lundi 24 octobre 2016 08:08
À : Vincent Sourin
<sourin-v@bridgestone-bae.com<mailto:sourin-v@bridgestone-bae.com>>
Cc : keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Objet : Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
Is your proxy setting X-Forwarded-For, X-Forwarded-Proto and also preserving the
preserving the original Host header?
On 22 October 2016 at 13:19, Vincent Sourin
<sourin-v@bridgestone-bae.com<mailto:sourin-v@bridgestone-bae.com>> wrote:
Hello,
I've got a strange behavior with Keycloak instance (version 2.2.1 Final) behind an
Apache Reverse Proxy (with Mod_cluster).
First of all, here is my test environment : https://postimg.org/image/z7xrb08ev/
I think it's worth mention that :
* Wildfly & keycloak are installed on the same servers but each in separate
instances (not using overlay deployment)
* mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel
activated because I use Websocket with wildfly
So, in this configuration, applications deployed on wildfly instances work well but I got
some problem with Keycloak.
Reaching keycloak < auth > page (https://XXXXXXX/auth/) works fine but as soon as I
click on the link < Aministration Console > (resolved normally to
https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to plain http
connection and so the request failed.
If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about < some
insecured items on the page > and I can't reach the console neither.
Here a a snippet of my keycloak configuration :
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
<server name="default-server">
<http-listener name="default"
proxy-address-forwarding="true" socket-binding="http"
redirect-socket="proxy-https"/>
<https-listener name="https"
enabled-protocols="TLSv1.2" security-realm="UndertowRealm"
socket-binding="https"/>
[...]
</subsystem>
[...]
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
<mod-cluster-config advertise-socket="modcluster"
connector="default">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
[...]
<socket-binding-groups>
<socket-binding-group name="ha-sockets"
default-interface="public">
[...]
<socket-binding name="proxy-https" port="443"/>
[...]
</socket-binding-group>
</socket-binding-groups>
Can someone tell me what I'm doing wrong or give me the right direction to further
investigate this behavior ?
Thanks for your help.
Vincent.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user