Re: [keycloak-user] KEYCLOAK w/ NGINX Reverse Proxy

Marko, Thanks for your feedback! We have successfully pass that problem and are able to login to KEYCLOAK behind NGINX using HTTPS Proxy. Our challenge now is when our applications attempt to access we get the following error: Request URL: https://sso2.company.com/auth/realms/master/tokens/access/codes Request Method: POST Status Code: 400 Bad Request Remote Address: 99.99.99.99:443 Response Headersview source Connection: keep-alive Content-Type: application/json Date: Thu, 14 Jan 2016 14:35:52 GMT Server: nginx/1.4.6 (Ubuntu) Transfer-Encoding: chunked X-Powered-By: Undertow/1 Request Headersview source Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Authorization: Basic bXByLXBsYXRmb3JtOmU1MGYxODEyLTYzYTQtNGM0YS05NWQ Connection: keep-alive Content-Length: 172 Content-type: application/x-www-form-urlencoded Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzNGY0ZDI1OS02NzJjLTQzYjUtOGFmOC1hNzkwMWRiMDUxMmYiLCJleHAiOjE0NTI4MTgxNTMsIm5iZiI6MCwiaWF0IjoxNDUyNzgyMTUzLCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiOWRiNjdhNGQtOWIwMS00NjgxLTlmYmMtZDQ3N2Y1NTgyMGYyIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.JyQIOJk5214-n4y0RkpEuLJWY4u6Z4Fu_086Z9nwM9BU8TarV-oH6cxZEBYakyL8pvmwf0CWHMmN3XNF-Zv4b1UPutcLP7IChM1EEr4F1tPxwmddYS1M90NdY7Bzn2R36mnASZqczMMAisd-OE2TU8oDgMyg0Rb0iZNIi_jJU_Rd-na4qhfuBojF_u8BSFjSJsd3agjF5ZZ9ok9mo2McCMDaV21vozVryIkR1vfAKPWf6WI8fEQBpDAFsh37M_k DNT: 1 Host: sso2.company.com Origin: http://app.local.company.com Referer: http://app.local.company.com/App/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36 Form Dataview sourceview URL encoded code: Vyzj7f-Aq2anYTJy7AoK4e6h0s2Ypp0vQ6okx7lWlRo.d2acab15-f708-4838-bd4b-2562fd46f8e2 redirect_uri: http://app.local.company.com/App/ Please do note that this same application is able KEYCLOAK using basically the same configuration without NGINX in the MIX. Have any thoughts was to what we should look to configure differently with NGIX in the mix? On Mon, Jan 4, 2016 at 7:16 AM Marko Strukelj <mstrukel(a)redhat.com&gt; wrote: > > The error 'org.apache.http.conn.HttpHostConnectException: Connection to > https://sso2.domain.com refused' means that either there is a server side > problem - your Nginx isn't started and listening on port 443, a firewall > preventing incoming connections - or there is a client side problem - a DNS > issue improperly resolving sso2.domain.com into IP on the host where Tomcat > is running. > > At this point no SSL handshaking was attempted yet. > > If you try 'curl https://sso2.domain.com' or 'telnet sso2.domain.com 443' > from the server running your Tomcat you'll see the same issue. Once that > starts to work, only then will any SSL / proxying related configuration > issues start to manifest themselves. > > On Wed, Dec 30, 2015 at 11:34 PM, Christopher Wallace <cjwallac(a)gmail.com&gt; > wrote: >> >> Community, I have spent a decent amount of time attempting to get >> KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application. It >> does work without the proxy, but I need the proxy to handle certificates. I >> think I am pretty close to having it working, but somethings seems to be >> missing... I have done the following. I appreciate any insight you may have >> as I think I have exhausted other resources. >> >> 1. Configure a server in NGINX >> >> server { >> >> listen 443; >> >> >> ssl on; >> >> ssl_certificate /etc/ssl/certs/dcf30de94f28f16f.crt; >> >> ssl_certificate_key /etc/ssl/certs/*.domain.key; >> >> >> server_name sso2. domain.com; >> >> access_log /var/log/nginx/nginx.sso.access.log; >> >> error_log /var/log/nginx/nginx.sso.error.log; >> >> location / { >> >> proxy_set_header Host $host; >> >> proxy_set_header X-Real-IP $remote_addr; >> >> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; >> >> proxy_set_header X-Forwarded-Proto $scheme; >> >> proxy_set_header X-Forwarded-Port 443; >> >> proxy_pass http://internalip:8080; >> >> } >> >> } >> >> 2. Enable SSL on a Reverse Proxy >> >> First add proxy-address-forwarding and redirect-socket to the >> http-listener element: >> >> <subsystem xmlns="urn:jboss:domain:undertow:1.1"> >> ... >> <http-listener name="default" socket-binding="http" >> proxy-address-forwarding="true" redirect-socket="proxy-https"/> >> ... >> </subsystem> >> >> Then add a new socket-binding element to the socket-binding-group >> element: >> >> <socket-binding-group name="standard-sockets" default-interface="public" >> port-offset="${jboss.socket.binding.port-offset:0}"> >> ... >> <socket-binding name="proxy-https" port="443"/> >> ... >> </socket-binding-group> >> >> >> RECIVE THE FOLLOWING ERROR in TOMCAT: >> >> 1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator - >> failed to turn code into token >> >> org.apache.http.conn.HttpHostConnectException: Connection to >> https://sso2.domain.com refused >> >> at >> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) >> ~[httpclient-4.2.1.jar:4.2.1] >> >> at >> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) >> ~[httpclient-4.2.1.jar:4.2.1] >> >> at >> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) >> ~[httpclient-4.2.1.jar:4.2.1] >> >> at >> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) >> ~[httpclient-4.2.1.jar:4.2.1] >> >> at >> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) >> ~[httpclient-4.2.1.jar:4.2.1] >> >> at >> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) >> ~[httpclient-4.2.1.jar:4.2.1] >> >> at >> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) >> ~[httpclient-4.2.1.jar:4.2.1] >> >> at >> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) >> ~[httpclient-4.2.1.jar:4.2.1] >> >> at >> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90) >> ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >> >> at >> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297) >> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >> >> at >> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243) >> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >> >> at >> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95) >> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >> >> at >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189) >> [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final] >> >> at >> org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28) >> [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final] >> >> at >> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) >> [lib/:na] >> >> at >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170) >> [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final] >> >> at >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) >> [lib/:na] >> >> at >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) >> [lib/:na] >> >> at >> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) >> [lib/:na] >> >> at >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) >> [lib/:na] >> >> at >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) >> [lib/:na] >> >> at >> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) >> [tomcat-coyote.jar:8.0.18] >> >> at >> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) >> [tomcat-coyote.jar:8.0.18] >> >> at >> org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) >> [tomcat-coyote.jar:8.0.18] >> >> at >> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) >> [tomcat-coyote.jar:8.0.18] >> >> at >> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) >> [tomcat-coyote.jar:8.0.18] >> >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> [na:1.8.0_25] >> >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> [na:1.8.0_25] >> >> at >> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) >> [tomcat-util.jar:8.0.18] >> >> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25] >> >> Caused by: java.net.ConnectException: Connection timed out >> >> at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25] >> >> at >> java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345) >> ~[na:1.8.0_25] >> >> at >> java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) >> ~[na:1.8.0_25] >> >> at >> java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) >> ~[na:1.8.0_25] >> >> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) >> ~[na:1.8.0_25] >> >> at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25] >> >> at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) >> ~[na:1.8.0_25] >> >> at >> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549) >> ~[httpclient-4.2.1.jar:4.2.1] >> >> at >> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) >> ~[httpclient-4.2.1.jar:4.2.1] >> >> ... 29 common frames omitted >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >