[keycloak-user] problem with nginx reverse proxy and ip access control

Hi there, I'm having a hard time trying to get ip restriction working behind an nginx reverse proxy on Keycloak 4.3 I have configured an ip filter as per https://www.keycloak.org/docs/4.3/server_admin/#ip-restriction <https://www.keycloak.org/docs/4.3/server_admin/#ip-restriction> <subsystem xmlns="urn:jboss:domain:undertow:4.0"> <buffer-cache name="default"/> <server name="default-server"> <ajp-listener name="ajp" socket-binding="ajp"/> <http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/> <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" proxy-address-forwarding="true" enable-http2="true"/> <host name="default-host" alias="localhost"> <location name="/" handler="welcome-content"/> <http-invoker security-realm="ApplicationRealm"/> <filter-ref name="ipAccess"/> </host> </server> <filters> <expression-filter name="ipAccess" expression="path-prefix('/auth/admin') -> ip-access-control(acl={'10.10.10.10 allow'})"/> </filters> <servlet-container name="default"> <jsp-config/> <websockets/> </servlet-container> <handlers> <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/> </handlers> </subsystem> and my nginx server block server { listen 443 ssl; server_name keycloak.example.com <http://keycloak.example.com/>; location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass https://keycloak-prx.example.com <https://keycloak-prx.example.com/>; } } This works as intended when I request it directly, however when I try to access via nginx reverse proxy I get a 403 regardless of the ip I set in the ip-access-control filter, whether I have the host ip, or the proxy or gateway. Undertow debug shows that the correct ip's (as far as I understand that it should be) are being passed by nginx 10:03:29,564 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth for path /auth/ 10:03:29,565 DEBUG [io.undertow.request.security] (default task-3) Authentication result was ATTEMPTED for HttpServerExchange{ GET /auth/ request {X-Real-IP=[10.10.10.20], accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8], X-Amzn-Trace-Id=[Root=1-5b9b8771-70fa72df4ef4bf816434fcc5], accept-language=[en-US,en;q=0.9], accept-encoding=[gzip, deflate, br], user-agent=[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36], Connection=[close], X-Forwarded-Proto=[https], X-Forwarded-Port=[443], X-Forwarded-For=[10.10.10.10, 10.10.10.20], cookie=[_ga=GA1.2.1510178336.1525250562; ajs_user_id=%22ca89cde3-6cac-4197-a5ad-aa966295c66d%22; ajs_anonymous_id=%2228cb540a-cb21-4200-a531-64b11ef909d8%22; ajs_group_id=%22customer%3A1%22], upgrade-insecure-requests=[1], Host=[keycloak.example.com <http://keycloak.example.com/>]} response {}} but I do not get any debug logs for matches for /auth/admin, I only get an entry 09:42:47,387 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth/admin for path /auth/admin/ and no subsequent security logs for that request Have I misconfigured something or could this be a bug? Is there any steps that I can take to debug this further? my debug settings are <subsystem xmlns="urn:jboss:domain:logging:3.0"> <console-handler name="CONSOLE"> <level name="DEBUG"/> <formatter> <named-formatter name="COLOR-PATTERN"/> </formatter> </console-handler> ... <logger category="io.undertow"> <level name="DEBUG"/> </logger> ... </subsystem> all else is INFO Would really appreciate any help at all on this thanks Derek