Dear,
I get an issue to get the wanted behavior when retrieving the client public
IP.
This is the situation :
(all IP's have been anonymized)
- *infrastructure level*:
----------- Reverse Proxy NGINX ----------------------------------- KeyCloak
RP is listening on ports 80 & 443 (80 is redirected to 443)
There is a public certificate signed by some external CA
Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080)
Keycloak is set as standalone server on a Wildfly last version
- *Nginx config*
*server { listen 443; server_name ************;
fastcgi_param HTTPS on; location / { add_header
X-Cache-Status $upstream_cache_status; add_header X-Real-IP
$remote_addr; add_header X-Forwarded-For $remote_addr;
add_header X-Forwarded-Proto $scheme;
more_set_headers 'Server: ******'; more_clear_headers
'X-Powered-By'; charset UTF-8; proxy_cache
******_cache; proxy_pass
https://1.1.1.1:8443/
<
https://1.1.1.1:8443/>; }*
* ssl on; ssl_certificate /etc/ssl/private/**********.crt;
ssl_certificate_key /etc/ssl/private/*************.key;
ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/***********.pem;
ssl_protocols TLSv1.1 TLSv1.2; ssl_stapling on;
ssl_session_cache builtin:1000 shared:SSL:10m; add_header
Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options "DENY"; ssl_ciphers
'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';*
- *Keycloak config* :
* <subsystem xmlns="urn:jboss:domain:undertow:3.0">*
* <buffer-cache name="default"/>*
* <server name="default-server">*
* <http-listener
name="default" proxy-address-forwarding="true"
socket-binding="http"/>*
* <https-listener name="https"
security-realm="**********"
socket-binding="https"/>*
* <host name="default-host" alias="localhost">*
* <location name="/"
handler="welcome-content"/>*
* </host>*
* </server>*
* <servlet-container name="default">*
* <jsp-config/>*
* <websockets/>*
* </servlet-container>*
* <handlers>*
* <file name="welcome-content"
path="${jboss.home.dir}/welcome-content"/>*
* </handlers>*
* </subsystem>*
The situation is that everything is working fine and smooth EXCEPT ... the
fact that under sessions (and moreover for all user activities), the user
IP I see is the one of the reverse proxy !!
As I put in red in the KC config, this is what should do the trick to use
the X-Forwarded-For header value to set the client's IP.
15:07:55,104 WARN [org.keycloak.events] (default task-19)
type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account, userId=null,
ipAddress=2.2.2.2, (...)
When I tried to reach KC on the 8080 (HTTP) listener (so the RP terminates
the SSL connection and the one to KC server is made in HTTP), I got
obviously a whole bunch of warnings and errors due to HTTP -> HTTPS
transport and also a HTTP connection towards the external social identity
providers like Google, FB, etc. ... BUT I got at least the real IP as you
might see hereunder :
15:09:24,068 WARN [org.keycloak.events] (default task-29)
type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null,
ipAddress=191.21.133.234, (...)
So the situation is that I will only get the "real" IP of the client only
if it passes through the HTTP listener of KC (that has the parameter
"proxy-address-forwarding") which is not what I want as I want to reach the
HTTPS listener.
I obviously also tried to add the same parameter (*proxy-address-forwarding
= "true"*) in the HTTPS listener configuration but then, standalone.sh
shows an error and refuses to start :
*14:24:30,621 INFO [org.jboss.modules] (main) JBoss Modules version
1.5.1.Final*
*14:24:30,821 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final*
*14:24:30,888 INFO [org.jboss.as <
http://org.jboss.as/>] (MSC service
thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core 2.0.10.Final)
starting*
*14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread)
WFLYSRV0055: Caught exception during boot:
org.jboss.as.controller.persistence.ConfigurationPersistenceException:
WFLYCTL0085:
Failed to parse configuration*
* at
org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)*
* at org.jboss.as.server.ServerService.boot(ServerService.java:356)*
* at
org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)*
* at java.lang.Thread.run(Thread.java:745)*
*Caused by: javax.xml.stream.XMLStreamException: ParseError at
[row,col]:[380,17]*
*Message: WFLYCTL0376: Unexpected attribute 'proxy-address-forwarding'
encountered. Valid attributes are: 'socket-binding, worker, buffer-pool,
enabled, resolve-peer-address, security-realm, verify-client,
enabled-cipher-suites, enabled-protocols, enable-http2, enable-spdy,
ssl-session-cache-size, ssl-session-timeout, max-header-size,
max-post-size, buffer-pipelined-data, max-parameters, max-headers,
max-cookies, allow-encoded-slash, decode-url, url-charset,
always-set-keep-alive, max-buffered-request-size,
record-request-start-time, allow-equals-in-cookie-value,
no-request-timeout, request-parse-timeout, disallowed-methods, tcp-backlog,
receive-buffer, send-buffer, tcp-keep-alive, read-timeout, write-timeout,
max-connections, secure'*
* at
org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(ParseUtils.java:128)*
*requirements* :
- Entire solution has to run with SSL (HTTPS) from end to end
Did someone already faced that situation or does have any clue about this ?
Thank you for reading this post.
Regards,
/Olivier
On 10 January 2017 at 11:52, Olivier Bruylandt <olivier.bruylandt(a)gmail.com>
wrote:
Dear,
I get an issue to get the wanted behavior when retrieving the client
public IP.
This is the situation :
(all IP's have been anonymized)
- *infrastructure level*:
----------- Reverse Proxy NGINX -----------------------------------
KeyCloak
RP is listening on ports 80 & 443 (80 is redirected to 443)
There is a public certificate signed by some external CA
Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080)
Keycloak is set as standalone server on a Wildfly last version
- *Nginx config*
*server { listen 443; server_name ************;
fastcgi_param HTTPS on; location / { add_header
X-Cache-Status $upstream_cache_status; add_header X-Real-IP
$remote_addr; add_header X-Forwarded-For $remote_addr;
add_header X-Forwarded-Proto $scheme;
more_set_headers 'Server: ******'; more_clear_headers
'X-Powered-By'; charset UTF-8; proxy_cache
******_cache; proxy_pass
https://1.1.1.1:8443/
<
https://1.1.1.1:8443/>; }*
* ssl on; ssl_certificate /etc/ssl/private/**********.crt;
ssl_certificate_key /etc/ssl/private/*************.key;
ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/***********.pem;
ssl_protocols TLSv1.1 TLSv1.2; ssl_stapling on;
ssl_session_cache builtin:1000 shared:SSL:10m; add_header
Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options "DENY"; ssl_ciphers
'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';*
- *Keycloak config* :
* <subsystem xmlns="urn:jboss:domain:undertow:3.0">*
* <buffer-cache name="default"/>*
* <server name="default-server">*
* <http-listener
name="default" proxy-address-forwarding="true"
socket-binding="http"/>*
* <https-listener name="https"
security-realm="**********"
socket-binding="https"/>*
* <host name="default-host" alias="localhost">*
* <location name="/"
handler="welcome-content"/>*
* </host>*
* </server>*
* <servlet-container name="default">*
* <jsp-config/>*
* <websockets/>*
* </servlet-container>*
* <handlers>*
* <file name="welcome-content"
path="${jboss.home.dir}/welcome-content"/>*
* </handlers>*
* </subsystem>*
The situation is that everything is working fine and smooth EXCEPT ... the
fact that under sessions (and moreover for all user activities), the user
IP I see is the one of the reverse proxy !!
As I put in red in the KC config, this is what should do the trick to use
the X-Forwarded-For header value to set the client's IP.
15:07:55,104 WARN [org.keycloak.events] (default task-19)
type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account, userId=null,
ipAddress=2.2.2.2, (...)
When I tried to reach KC on the 8080 (HTTP) listener (so the RP terminates
the SSL connection and the one to KC server is made in HTTP), I got
obviously a whole bunch of warnings and errors due to HTTP -> HTTPS
transport and also a HTTP connection towards the external social identity
providers like Google, FB, etc. ... BUT I got at least the real IP as you
might see hereunder :
15:09:24,068 WARN [org.keycloak.events] (default task-29)
type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null,
ipAddress=191.21.133.234, (...)
So the situation is that I will only get the "real" IP of the client only
if it passes through the HTTP listener of KC (that has the parameter
"proxy-address-forwarding") which is not what I want as I want to reach the
HTTPS listener.
I obviously also tried to add the same parameter (*proxy-address-forwarding
= "true"*) in the HTTPS listener configuration but then, standalone.sh
shows an error and refuses to start :
*14:24:30,621 INFO [org.jboss.modules] (main) JBoss Modules version
1.5.1.Final*
*14:24:30,821 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final*
*14:24:30,888 INFO [org.jboss.as <
http://org.jboss.as/>] (MSC service
thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core 2.0.10.Final)
starting*
*14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread)
WFLYSRV0055: Caught exception during boot:
org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085:
Failed to parse configuration*
* at
org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)*
* at org.jboss.as.server.ServerService.boot(ServerService.java:356)*
* at
org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)*
* at java.lang.Thread.run(Thread.java:745)*
*Caused by: javax.xml.stream.XMLStreamException: ParseError at
[row,col]:[380,17]*
*Message: WFLYCTL0376: Unexpected attribute 'proxy-address-forwarding'
encountered. Valid attributes are: 'socket-binding, worker, buffer-pool,
enabled, resolve-peer-address, security-realm, verify-client,
enabled-cipher-suites, enabled-protocols, enable-http2, enable-spdy,
ssl-session-cache-size, ssl-session-timeout, max-header-size,
max-post-size, buffer-pipelined-data, max-parameters, max-headers,
max-cookies, allow-encoded-slash, decode-url, url-charset,
always-set-keep-alive, max-buffered-request-size,
record-request-start-time, allow-equals-in-cookie-value,
no-request-timeout, request-parse-timeout, disallowed-methods, tcp-backlog,
receive-buffer, send-buffer, tcp-keep-alive, read-timeout, write-timeout,
max-connections, secure'*
* at
org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(ParseUtils.java:128)*
*requirements* :
- Entire solution has to run with SSL (HTTPS) from end to end
Did someone already faced that situation or does have any clue about this ?
Thank you for reading this post.
Regards,
/Olivier