Did you replace some values in what you pasted? In the second request it's also showing a strange value for Host: , but it's trying to get as.bridgestone-bae.corp. Then the X-Forwarded-* headers are also missing, yes.
On 25 October 2016 at 12:31, Vincent Sourin <sourin-v(a)bridgestone-bae.com> wrote:
Here are the captured packets dumped by Undertow.
Strangely, on the second request I don't see the X-Forwarded-* headers in the request.
I don't think that's normal?
1/ First, when browsing to https://as.mydomain.com/auth
==============================================================
2016-10-25 12:23:59,164 INFO [io.undertow.request.dump] (default task-3)
----------------------------REQUEST---------------------------
URI=/auth/
characterEncoding=null
contentLength=-1
contentType=null
header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
header=Accept-Encoding=gzip, deflate, br
header=X-Forwarded-Server=webserver.mydomain.com
header=Upgrade=WebSocket
header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
header=Connection=Upgrade
header=X-Forwarded-Proto=https
header=X-Forwarded-For=10.10.0.89
header=Upgrade-Insecure-Requests=1
header=Host=as.mydomain.com
header=X-Forwarded-Host=as.mydomain.com
locale=[fr, fr_FR, en_US, en]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=10.10.0.89:0
remoteHost=10.10.0.89
scheme=https
host=as.mydomain.com
serverPort=0
--------------------------RESPONSE--------------------------
contentLength=2740
contentType=text/html;charset=utf-8
header=Cache-Control=no-cache, must-revalidate, no-transform, no-store
header=X-Powered-By=Undertow/1
header=Server=WildFly/10
header=X-Frame-Options=SAMEORIGIN
header=Content-Security-Policy=frame-src 'self'
header=Date=Tue, 25 Oct 2016 10:23:59 GMT
header=Connection=keep-alive
header=X-Content-Type-Options=nosniff
header=Content-Type=text/html;charset=utf-8
header=Content-Length=2740
status=200
2/ Then, when clicking the Administration Console link on the auth page:
==============================================================
2016-10-25 12:24:11,069 INFO [io.undertow.request.dump] (default task-4)
----------------------------REQUEST---------------------------
URI=/auth/admin/
characterEncoding=null
contentLength=-1
contentType=null
header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
header=Connection=keep-alive
header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
header=Accept-Encoding=gzip, deflate, br
header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
header=Referer=https://as.mydomain.com/auth/
header=Upgrade-Insecure-Requests=1
header=Host=as.bridgestone-bae.corp
locale=[fr, fr_FR, en_US, en]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=/10.10.2.134:47440
remoteHost=webserver.mydomain.com
scheme=http
host=as.mydomain.com
serverPort=18080
--------------------------RESPONSE--------------------------
contentLength=0
contentType=null
header=Connection=keep-alive
header=X-Powered-By=Undertow/1
header=Server=WildFly/10
header=Location=http://as.mydomain.com/auth/admin/master/console/
header=Content-Length=0
header=Date=Tue, 25 Oct 2016 10:24:11 GMT
status=302
Sourin Vincent - Systems Engineer
Bridgestone Aircraft Tire (Europe)
Route de Bavay - B7080 Frameries (Belgium)
Tel: +32 65 61 11 53 - Fax: +32 65 61 11 09
GSM : +32 492 97 44 99
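The check I would run over dumps like the two above, as an added example (this is not code from the original post, nor from Keycloak or Undertow): parse the io.undertow.request.dump output and flag any request that reached the server without X-Forwarded-For / X-Forwarded-Proto / X-Forwarded-Host, with scheme=http, with a Host header that differs from the resolved host, or whose response redirects to a non-https Location. The embedded dump text is the two exchanges above trimmed to the fields the check uses (wrapped header lines re-joined); the list of headers that Undertow's proxy-address-forwarding consumes is stated from memory and should be treated as an assumption.

```python
"""Parse Undertow request dumps (io.undertow.request.dump) and flag requests
that arrived without the X-Forwarded-* headers a reverse proxy should set.

Added example for this thread, not code from the original post or from
Keycloak / WildFly / Undertow. The dump text below is constructed from the
two exchanges in the post, trimmed to the fields this check looks at.
"""

import re

# Headers that Undertow's proxy-address-forwarding=true consumes to rebuild
# scheme, host and client address (assumption: stated from memory, verify
# against the Undertow version in use).
FORWARDED_HEADERS = ("X-Forwarded-For", "X-Forwarded-Proto", "X-Forwarded-Host")

# Constructed sample: the two dumps from the post, abbreviated.
DUMPS = """\
----------------------------REQUEST---------------------------
URI=/auth/
header=X-Forwarded-Server=webserver.mydomain.com
header=X-Forwarded-Proto=https
header=X-Forwarded-For=10.10.0.89
header=Host=as.mydomain.com
header=X-Forwarded-Host=as.mydomain.com
method=GET
remoteAddr=10.10.0.89:0
scheme=https
host=as.mydomain.com
--------------------------RESPONSE--------------------------
status=200
----------------------------REQUEST---------------------------
URI=/auth/admin/
header=Referer=https://as.mydomain.com/auth/
header=Host=as.bridgestone-bae.corp
method=GET
remoteAddr=/10.10.2.134:47440
scheme=http
host=as.mydomain.com
--------------------------RESPONSE--------------------------
header=Location=http://as.mydomain.com/auth/admin/master/console/
status=302
"""


def parse_dumps(text):
    """Split a dump log into [{'request': {...}, 'response': {...}}, ...].

    'header=Name=Value' lines go into a nested 'headers' dict; every other
    'key=value' line is stored directly on the request or response dict."""
    exchanges = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"-+REQUEST-+", line):
            exchanges.append({"request": {"headers": {}}, "response": {"headers": {}}})
            section = "request"
            continue
        if re.fullmatch(r"-+RESPONSE-+", line):
            section = "response"
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        target = exchanges[-1][section]
        if key == "header":
            name, hval = value.split("=", 1)
            target["headers"][name] = hval
        else:
            target[key] = value
    return exchanges


def find_problems(exchange):
    """Return human-readable findings for one request/response pair."""
    req, resp = exchange["request"], exchange["response"]
    problems = []
    missing = [h for h in FORWARDED_HEADERS if h not in req["headers"]]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if req.get("scheme") != "https":
        # Without X-Forwarded-Proto Undertow falls back to the listener's own
        # scheme, which is what turns a redirect into http://...
        problems.append("scheme=%s (request reached Undertow as plain HTTP)" % req.get("scheme"))
    host_hdr = req["headers"].get("Host")
    if host_hdr and host_hdr != req.get("host"):
        problems.append("Host header %s != host=%s" % (host_hdr, req.get("host")))
    location = resp["headers"].get("Location", "")
    if location.startswith("http://"):
        problems.append("redirect to non-https Location " + location)
    return problems


def audit(text=DUMPS):
    """Map each request URI to its findings; an empty list means it looks sane."""
    return {ex["request"]["URI"]: find_problems(ex) for ex in parse_dumps(text)}


if __name__ == "__main__":
    for uri, findings in audit().items():
        print(uri, "OK" if not findings else "; ".join(findings))
```

Run it against a real dump file by passing the file contents to audit(); the first exchange comes back clean and the second reports all four findings, which is exactly the pattern Stian points at in his reply.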
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Tuesday, 25 October 2016 11:59
*To:* Vincent Sourin <sourin-v(a)bridgestone-bae.com>
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
Strange. I can't see why that should ever redirect to non-https. Can you
capture the requests that are being sent after you click on the link to see
where/when the redirect to non-https is coming into play?
On 25 October 2016 at 11:24, Vincent Sourin <sourin-v(a)bridgestone-bae.com> wrote:
No, it is the link <a href="admin/">Administration Console</a>
I made a screenshot here: https://postimg.org/image/5q6vg95iz/482e5a3f/
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Tuesday, 25 October 2016 10:38
*To:* Vincent Sourin <sourin-v(a)bridgestone-bae.com>
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
What specific link on the "welcome page" are you referring to? Is it the link in the text "You need local access to create the initial admin user. Open <a href="http://localhost:8080/auth">http://localhost:8080/auth</a> or use the add-user-keycloak script."?
On 25 October 2016 at 10:05, Vincent Sourin <sourin-v(a)bridgestone-bae.com> wrote:
All the URLs at the given address contain https and the reverse proxy
hostname.
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Tuesday, 25 October 2016 09:49
*To:* Vincent Sourin <sourin-v(a)bridgestone-bae.com>
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
Try:
https://<hostname>/auth/realms/master/.well-known/openid-configuration
And check the URLs in the page. They should contain https and correct
hostname (for your reverse proxy, not Keycloak). If not there's an issue
with your reverse proxy or it's not configured correctly in Keycloak
server. Check the installation guide for more details.
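The discovery-document check Stian describes, written out as an added example (not Keycloak's code and not part of the original thread): every URL-valued field in /auth/realms/<realm>/.well-known/openid-configuration must use https and the reverse proxy's hostname, otherwise the proxy is not forwarding scheme/host or Keycloak is not configured to trust it. The sample document is constructed (endpoint paths follow Keycloak's usual layout); "as.mydomain.com" and "keycloak-internal" are placeholders, and fetch_discovery() is a plain network helper for running it against a live server.

```python
"""Verify that a Keycloak realm's OpenID discovery document only advertises
https URLs on the reverse-proxy hostname.

Added example for this thread, not Keycloak's own code. SAMPLE_DISCOVERY is a
constructed document showing the failure mode: the issuer is right, but two
endpoints were rebuilt from the backend's own scheme or host.
"""

import json
import urllib.request
from urllib.parse import urlsplit

# Constructed sample (placeholders: as.mydomain.com = proxy, keycloak-internal = backend).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://as.mydomain.com/auth/realms/master",
    "authorization_endpoint": "https://as.mydomain.com/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://as.mydomain.com/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak-internal:8080/auth/realms/master/protocol/openid-connect/certs",
    "response_types_supported": ["code", "none", "id_token"],
})


def fetch_discovery(base_url, realm="master", timeout=10):
    """Fetch the live document (network call; the offline check below does not use it).

    base_url is the public proxy origin, e.g. "https://as.mydomain.com" (placeholder)."""
    url = "%s/auth/realms/%s/.well-known/openid-configuration" % (base_url.rstrip("/"), realm)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_discovery(doc_json, expected_host):
    """Return {field: reason} for each URL field that is not https://<expected_host>/...

    Fields whose value is not a URL string (lists, booleans, bare names) are skipped."""
    doc = json.loads(doc_json)
    findings = {}
    for field, value in doc.items():
        if not isinstance(value, str) or "://" not in value:
            continue
        parts = urlsplit(value)
        reasons = []
        if parts.scheme != "https":
            reasons.append("scheme is %s" % parts.scheme)
        if parts.hostname != expected_host:
            # netloc keeps the port, which is usually how a leaked backend shows up
            reasons.append("host is %s" % parts.netloc)
        if reasons:
            findings[field] = "; ".join(reasons)
    return findings


if __name__ == "__main__":
    for field, reason in check_discovery(SAMPLE_DISCOVERY, "as.mydomain.com").items():
        print("%s: %s" % (field, reason))
```

Against a real deployment, `check_discovery(fetch_discovery("https://<proxy-host>"), "<proxy-host>")` should return an empty dict; any entry it does return names the field whose URL a client would follow to a plain-http or internal endpoint.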
On 24 October 2016 at 21:38, Vincent Sourin <sourin-v(a)bridgestone-bae.com> wrote:
Yes, I think the X-Forwarded-* headers and preservation of the original host are set.
Actually, I'm not really a "network" guy, so for testing purposes I use the bundle (httpd + ssl) provided on the mod_cluster website.
I "tweaked" the configuration to try to achieve SSL termination and WebSocket, like this:
------------------------ Apache Configuration ----------------------------
ServerRoot "/opt/jboss/httpd/httpd"
LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
[…]
LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so
<IfModule unixd_module>
User daemon
Group daemon
</IfModule>
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
<Directory "/opt/jboss/httpd/htdocs/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
SetEnvIf Request_URI "^/check\.txt$" dontlog
CustomLog "logs/access.log" combined env=!dontlog
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/opt/jboss/httpd/htdocs/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
EnableWsTunnel
Listen XXXXXXXX:443
<VirtualHost *:443>
ServerName XXXXXXXXXXXXXXX
CreateBalancers 0
<Location /mcm>
AllowDisplay On
SetHandler mod_cluster-manager
Require ip 10.10
</Location>
<Location /check.txt>
ProxyPass !
</Location>
SSLEngine on
# "all -SSLv2" still leaves SSLv3 enabled on builds that support it; "all -SSLv2 -SSLv3" disables it as well
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
SSLVerifyClient none
ProxyPreserveHost On
RequestHeader Set X-Forwarded-Proto "https"
</VirtualHost>
<IfModule manager_module>
Listen XXXXXXXXX:6666
<VirtualHost *:6666>
ServerName XXXXXXXXXXXXXXXXX
<Location />
Require ip 10.10
</Location>
AllowDisplay On
KeepAliveTimeout 300
MaxKeepAliveRequests 0
ServerAdvertise on
AdvertiseFrequency 5
AdvertiseGroup 224.0.1.205:24364
EnableMCPMReceive
ManagerBalancerName mycluster
ProxyPreserveHost On
RequestHeader Set X-Forwarded-Proto "https"
</VirtualHost>
</IfModule>
------------------------ Apache Configuration ----------------------------
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Monday, 24 October 2016 08:08
*To:* Vincent Sourin <sourin-v(a)bridgestone-bae.com>
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
Is your proxy setting X-Forwarded-For, X-Forwarded-Proto and also preserving the original Host header?
On 22 October 2016 at 13:19, Vincent Sourin <sourin-v(a)bridgestone-bae.com> wrote:
Hello,
I've got a strange behavior with a Keycloak instance (version 2.2.1 Final) behind an Apache reverse proxy (with mod_cluster).
First of all, here is my test environment: https://postimg.org/image/z7xrb08ev/
I think it's worth mentioning that:
* WildFly & Keycloak are installed on the same servers, but each in separate instances (not using overlay deployment)
* mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel activated because I use WebSocket with WildFly
So, in this configuration, applications deployed on the WildFly instances work well, but I get some problems with Keycloak.
Reaching the Keycloak "auth" page (https://XXXXXXX/auth/) works fine, but as soon as I click on the link "Administration Console" (resolved normally to https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to a plain http connection and so the request fails.
If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about "some insecure items on the page" and I can't reach the console either.
Here is a snippet of my Keycloak configuration:
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <server name="default-server">
        <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
        <https-listener name="https" enabled-protocols="TLSv1.2" security-realm="UndertowRealm" socket-binding="https"/>
        [...]
</subsystem>
[...]
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
    <mod-cluster-config advertise-socket="modcluster" connector="default">
        <dynamic-load-provider>
            <load-metric type="cpu"/>
        </dynamic-load-provider>
    </mod-cluster-config>
</subsystem>
[...]
<socket-binding-groups>
    <socket-binding-group name="ha-sockets" default-interface="public">
        [...]
        <socket-binding name="proxy-https" port="443"/>
        [...]
    </socket-binding-group>
</socket-binding-groups>
Can someone tell me what I'm doing wrong, or give me the right direction to further investigate this behavior?
Thanks for your help.
Vincent.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user