From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Friday, 11 September, 2015 5:00:24 PM
Subject: Re: [keycloak-user] Only Allowing Access To Master Realm From Internal Network
Kenyatta, does that work for you? URL patterns are:

/auth/realms/{realm}/* - this is all protocol entry points. Through your
proxy, control which realms can receive SSO requests by filtering out
things by realm name, aka {realm}.

/auth/admin/* - all admin consoles and admin REST endpoints.

On 9/11/2015 7:54 AM, Felipe Braun Azambuja wrote:
> I have put some rules on my reverse proxy (nginx), at least to stop
> access to the admin console:
>
> location / {
>     allow 1.2.3.4;
>     deny all;
>
>     proxy_pass http://keycloak:8080$request_uri;
> }
>
> location /auth/realms {
>     allow all;
>     proxy_pass http://keycloak:8080$request_uri;
> }
>
> location /auth/resources {
>     allow all;
>     proxy_pass http://keycloak:8080$request_uri;
> }
>
>
> On 11/09/2015 08:48, Kenyatta Clark wrote:
>> First of all, I would like to thank your team for doing such a nice job
>> on Keycloak. It is a very solid project.
>>
>> We are getting ready to deploy Keycloak to production and our IT
>> director is nervous about having the Master realm accessible from the
>> internet. Is there any way to configure Keycloak to disallow access to
>> the Master realm from the open internet? If not, what methods do you
>> suggest employing that would mitigate the risk?
>>
>>
>> *Kenyatta Clark*
>>
>> *Principal Engineer, Systems Development*
>>
>> MBO Partners
>
> --
> Felipe Braun Azambuja
> DBA
> Information and Communication Technology
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
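
The URL patterns from the reply applied to the quoted nginx rules, as an added example that is not part of the original thread: the master realm and the admin endpoints stay internal-only while the other realms remain reachable. The 10.0.0.0/8 range and the listen port are assumptions; keycloak:8080 is the upstream from the quoted config.

```nginx
# Added example, not from the thread.
# Assumptions: 10.0.0.0/8 stands in for the internal network, and nginx
# sees the client address directly. allow/deny test $remote_addr, so behind
# another load balancer the real client IP must be restored first.

server {
    listen 80;

    # Default: anything not matched below is internal-only.
    location / {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak:8080;
    }

    # /auth/admin/*: admin consoles and admin REST endpoints.
    # Already covered by the default, listed so the intent stays explicit.
    location /auth/admin/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak:8080;
    }

    # /auth/realms/master and everything under it: internal-only.
    # A regex location takes priority over the /auth/realms/ prefix below,
    # and (/|$) keeps a realm named e.g. "master2" from matching.
    location ~ ^/auth/realms/master(/|$) {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak:8080;
    }

    # /auth/realms/{realm}/* for every other realm: public SSO entry points.
    location /auth/realms/ {
        proxy_pass http://keycloak:8080;
    }

    # Static resources used by the login pages.
    location /auth/resources/ {
        proxy_pass http://keycloak:8080;
    }
}
```

From an external address, a request to /auth/realms/master/ or /auth/admin/ should return 403, while the same path under any other realm name is proxied.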