4:24 a.m.
Hi All,
I'm having a problem with running keycloak behind an nginx reverse proxy.
I've had this running for some time now without problems, but have now
stood up a new system in a networking environment that I don't have much
control over, and for some reason things are not working.
My nginx proxy forwarding looks like this:
location /auth/ {
proxy_pass http://keycloak:8080/auth/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_connect_timeout 75s;
}
Similar for the app that is using keycloak for SSO (this is a tomcat
based servlet app).
In my keycloak's standalone.xml the http-listener element has had
proxy-address-forwarding="true" added.
This has all been fine, but in this new environment its not working.
I get the keycloak login prompt, and can login OK. But when I look in
the session in Keycloack the From IP address is 10.0.0.10 not the actual
IP address of the machine where the browser resides.
And the app using Keycloak denies access with this exception in the logs:
05-Jul-2017 08:53:31.679 ERROR [http-nio-8080-exec-4]
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode failed to
turn code into token
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:532)
at
org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at
org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at
org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327)
at
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273)
at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130)
at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206)
at
org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:48)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:471)
at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at
org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Can anyone shed any light on what might be wrong here?
Note this is using quite an old version of keycloak (2.1.0) though I
don't think this is the problem.
Thanks
Tim
4:38 a.m.
Hi Tim,
did you specify proxy-address-forwarding="true" for the <http-listener>
element in the undertow subsystem of you standalone(-ha).xml?
https://keycloak.gitbooks.io/documentation/server_installation/topics/clu...
Cheers,
Thomas
2017-07-05 11:24 GMT+02:00 Tim Dudgeon <tdudgeon.ml(a)gmail.com>:
Hi All,
I'm having a problem with running keycloak behind an nginx reverse proxy.
I've had this running for some time now without problems, but have now
stood up a new system in a networking environment that I don't have much
control over, and for some reason things are not working.
My nginx proxy forwarding looks like this:
location /auth/ {
proxy_pass http://keycloak:8080/auth/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_connect_timeout 75s;
}
Similar for the app that is using keycloak for SSO (this is a tomcat
based servlet app).
In my keycloak's standalone.xml the http-listener element has had
proxy-address-forwarding="true" added.
This has all been fine, but in this new environment its not working.
I get the keycloak login prompt, and can login OK. But when I look in
the session in Keycloack the From IP address is 10.0.0.10 not the actual
IP address of the machine where the browser resides.
And the app using Keycloak denies access with this exception in the logs:
05-Jul-2017 08:53:31.679 ERROR [http-nio-8080-exec-4]
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode failed to
turn code into token
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:
350)
at
java.net.AbstractPlainSocketImpl.connectToAddress(
AbstractPlainSocketImpl.java:206)
at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(
SSLSocketFactory.java:532)
at
org.keycloak.adapters.SniSSLSocketFactory.connectSocket(
SniSSLSocketFactory.java:109)
at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(
SSLSocketFactory.java:409)
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(
DefaultClientConnectionOperator.java:177)
at
org.apache.http.impl.conn.AbstractPoolEntry.open(
AbstractPoolEntry.java:144)
at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(
AbstractPooledConnAdapter.java:131)
at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(
DefaultRequestDirector.java:611)
at
org.apache.http.impl.client.DefaultRequestDirector.execute(
DefaultRequestDirector.java:446)
at
org.apache.http.impl.client.AbstractHttpClient.doExecute(
AbstractHttpClient.java:882)
at
org.apache.http.impl.client.CloseableHttpClient.execute(
CloseableHttpClient.java:82)
at
org.apache.http.impl.client.CloseableHttpClient.execute(
CloseableHttpClient.java:107)
at
org.apache.http.impl.client.CloseableHttpClient.execute(
CloseableHttpClient.java:55)
at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(
ServerRequest.java:107)
at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(
OAuthRequestAuthenticator.java:327)
at
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(
OAuthRequestAuthenticator.java:273)
at
org.keycloak.adapters.RequestAuthenticator.authenticate(
RequestAuthenticator.java:130)
at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorV
alve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206)
at
org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(
KeycloakAuthenticatorValve.java:48)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(
AuthenticatorBase.java:471)
at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(
AbstractKeycloakAuthenticatorValve.java:187)
at
org.apache.catalina.core.StandardHostValve.invoke(
StandardHostValve.java:141)
at
org.apache.catalina.valves.ErrorReportValve.invoke(
ErrorReportValve.java:79)
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(
AbstractAccessLogValve.java:616)
at
org.apache.catalina.authenticator.SingleSignOn.
invoke(SingleSignOn.java:240)
at
org.apache.catalina.core.StandardEngineValve.invoke(
StandardEngineValve.java:88)
at
org.apache.catalina.connector.CoyoteAdapter.service(
CoyoteAdapter.java:521)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(
AbstractHttp11Processor.java:1096)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.
process(AbstractProtocol.java:674)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.
doRun(NioEndpoint.java:1500)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.
run(NioEndpoint.java:1456)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:617)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(
TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Can anyone shed any light on what might be wrong here?
Note this is using quite an old version of keycloak (2.1.0) though I
don't think this is the problem.
Thanks
Tim
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:39 a.m.
... never mind - I missed the part in your email...
2017-07-05 11:38 GMT+02:00 Thomas Darimont <thomas.darimont(a)googlemail.com>:
Hi Tim,
did you specify proxy-address-forwarding="true" for the <http-listener>
element in the undertow subsystem of you standalone(-ha).xml?
https://keycloak.gitbooks.io/documentation/server_installation/topics/
clustering/load-balancer.html
Cheers,
Thomas
2017-07-05 11:24 GMT+02:00 Tim Dudgeon <tdudgeon.ml(a)gmail.com>:
> Hi All,
>
> I'm having a problem with running keycloak behind an nginx reverse proxy.
>
> I've had this running for some time now without problems, but have now
> stood up a new system in a networking environment that I don't have much
> control over, and for some reason things are not working.
>
> My nginx proxy forwarding looks like this:
>
> location /auth/ {
> proxy_pass http://keycloak:8080/auth/;
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_redirect off;
> proxy_connect_timeout 75s;
> }
>
> Similar for the app that is using keycloak for SSO (this is a tomcat
> based servlet app).
>
> In my keycloak's standalone.xml the http-listener element has had
> proxy-address-forwarding="true" added.
> This has all been fine, but in this new environment its not working.
>
> I get the keycloak login prompt, and can login OK. But when I look in
> the session in Keycloack the From IP address is 10.0.0.10 not the actual
> IP address of the machine where the browser resides.
>
> And the app using Keycloak denies access with this exception in the logs:
>
> 05-Jul-2017 08:53:31.679 ERROR [http-nio-8080-exec-4]
> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode failed to
> turn code into token
> java.net.ConnectException: Connection refused
> at java.net.PlainSocketImpl.socketConnect(Native Method)
> at
> java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSock
> etImpl.java:350)
> at
> java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPl
> ainSocketImpl.java:206)
> at
> java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocket
> Impl.java:188)
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> at java.net.Socket.connect(Socket.java:589)
> at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
> at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLS
> ocketFactory.java:532)
> at
> org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniS
> SLSocketFactory.java:109)
> at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLS
> ocketFactory.java:409)
> at
> org.apache.http.impl.conn.DefaultClientConnectionOperator.
> openConnection(DefaultClientConnectionOperator.java:177)
> at
> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoo
> lEntry.java:144)
> at
> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(Abs
> tractPooledConnAdapter.java:131)
> at
> org.apache.http.impl.client.DefaultRequestDirector.tryConnec
> t(DefaultRequestDirector.java:611)
> at
> org.apache.http.impl.client.DefaultRequestDirector.execute(D
> efaultRequestDirector.java:446)
> at
> org.apache.http.impl.client.AbstractHttpClient.doExecute(Abs
> tractHttpClient.java:882)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(Clos
> eableHttpClient.java:82)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(Clos
> eableHttpClient.java:107)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(Clos
> eableHttpClient.java:55)
> at
> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(
> ServerRequest.java:107)
> at
> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(
> OAuthRequestAuthenticator.java:327)
> at
> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate
> (OAuthRequestAuthenticator.java:273)
> at
> org.keycloak.adapters.RequestAuthenticator.authenticate(Requ
> estAuthenticator.java:130)
> at
> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorVa
> lve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206)
> at
> org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.auth
> enticate(KeycloakAuthenticatorValve.java:48)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(A
> uthenticatorBase.java:471)
> at
> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorVa
> lve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHo
> stValve.java:141)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorRepo
> rtValve.java:79)
> at
> org.apache.catalina.valves.AbstractAccessLogValve.invoke(Abs
> tractAccessLogValve.java:616)
> at
> org.apache.catalina.authenticator.SingleSignOn.invoke(
> SingleSignOn.java:240)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(Standard
> EngineValve.java:88)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAd
> apter.java:521)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(Abs
> tractHttp11Processor.java:1096)
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler
> .process(AbstractProtocol.java:674)
> at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> (NioEndpoint.java:1500)
> at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(
> NioEndpoint.java:1456)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
> Executor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
> lExecutor.java:617)
> at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.
> run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
>
> Can anyone shed any light on what might be wrong here?
> Note this is using quite an old version of keycloak (2.1.0) though I
> don't think this is the problem.
>
> Thanks
>
> Tim
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
3205
days inactive
3205
days old
2 comments
2 participants
participants (2)
-
Thomas Darimont -
Tim Dudgeon