To close this issue off, we have fixed (worked around?) this. Having
established that trailing slashes in the config files cause different
symptoms, we found that the URL without a trailing slash (ie
host.domain.tld/sitename) downloaded the main document but relative URLs
were not created correctly and missed out the "sitename". Manually
adding the trailing slash or setting a base tag in the site code worked
around this but ultimately we fixed this using a rewrite rule in nginx
(rewrite ^/sitename$
https://host.domain/tld/sitename/;).
This seemed to be just a symptom of having chained proxies and is
nothing specific of the keycloak security proxy, or NGINX.
thanks to those that offered help.
kind regards
Guy
On 2016-06-22 12:22, Guy Bowdler wrote:
hi all,
We have the following set up with two DMZ boxes, one running a single
KeyCloak security proxy and sending requests to a local NGINX proxy
which farms out requests to internal applications. This should allow
us
to maintain a single namespace for all applications (<hostname>/appname
redirects to appname.local) and gives authenticated visibility of who's
accessing what at the front end proxy.
DMZ: [KeyCloakSecProxy:80 ---> NGINX:8080] ---> TRUST: [Various
applications]
---> TRUST: [Various
applications]
Keycloak runs on its own server and is published via an NGINX proxy in
the DMZ
DMZ: [NGINX:80] ---> TRUST: [Keycloak:8080]
So clients hit the KeyCloak security Proxy, are redirected to KeyCloak
and then after logging in, we get an "invalid Redirect URI" error from
Keycloak. We've found that for some reason, the redirect URL from
KeyCloak is appending the :8080 port value from the KeyCloak Security
proxy (verified as if we change this port number, the value changes in
the redirect URL). It's like KeyCloak is redirecting back to the
NGINX:8080 proxy direct rather than back to the KeyCloak security
proxy,
which is what we were expecting. This is possibly by design, or
possibly a bug, or possibly a side effect of our configuration.
Has anyone tried using the KeyCloak security proxy in this manner?
It's
clear that the intended use is as a single instance adapter for a
single
local application, whereas our application happens to be an nginx proxy
redirecting to different applications using location directives.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user