Figured it out, I needed to remove the final '/' on the proxy_pass line so
it reads:
proxy_pass
;:
If proxy_pass is specified without a URI, the request URI is passed to the
server in the same form as sent by a client when the original request is
processed, or the full normalized request URI is passed when processing the
changed URI:
location /some/path/ {
proxy_pass
;
}
On 3 August 2017 at 11:34, Tiemen Ruiten <t.ruiten(a)rdmedia.com> wrote:
I pinned this down: it's only an issue when running Keycloak behind an
nginx proxy.
My current stripped down nginx config:
/etc/nginx/nginx.conf:

include /usr/share/nginx/modules/*.conf;
user nginx;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 30000;
events {
    worker_connections 4096;
    multi_accept on;
}
http {
    log_format main '$http_host $remote_addr [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$request_time $upstream_response_time';
    access_log /var/log/nginx/access.log main;
    server_tokens off;
    include /etc/nginx/mime.types;
    include /etc/nginx/conf.d/*.conf;
}

/etc/nginx/conf.d/keycloak.conf

server {
    listen 443 ssl;
    server_name REDACTED;
    ssl_certificate /etc/pki/tls/certs/REDACTED.cer;
    ssl_certificate_key /etc/pki/tls/private/REDACTED.key;
    location / {
        proxy_http_version 1.1;
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
    }
}

Is there a recommended nginx configuration for Keycloak?
On 14 July 2017 at 11:59, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> I've tried the same steps and we have tests that do the same steps. So
> there's something more to it. You can create a JIRA sure, but we need to be
> able to reproduce it.
>
> Ideal is that you can reproduce it with a fresh install of Keycloak
> directly on your box with a fresh DB as well.
>
> On 14 July 2017 at 10:42, Tiemen Ruiten <t.ruiten(a)rdmedia.com> wrote:
>
>> Stian, does this help? Should I file a bug report?
>>
>> If anyone could give me some pointers for a workaround, that would also
>> be much appreciated.
>>
>>
>> On 12 July 2017 at 13:09, Tiemen Ruiten <t.ruiten(a)rdmedia.com> wrote:
>>
>>> OK, so I rolled a new Keycloak instance and it gives me the exact same
>>> error. Reproducing is trivial:
>>>
>>> - login
>>> - click Realm Settings
>>> - click Email tab
>>> - Fill in Host and From fields
>>> - Hit 'Test connection'
>>>
>>> I can share the Ansible playbook I used to set up the VM privately if
>>> you'd like.
>>>
>>> On 12 July 2017 at 11:43, Tiemen Ruiten <t.ruiten(a)rdmedia.com> wrote:
>>>
>>>> Hm, it's an almost vanilla Keycloak setup (however upgraded from 3.1.0
>>>> to 3.2.0), in fact the only changes in standalone.xml are related to the
>>>> keystore and database. I'll see if I can set up another instance and
>>>> reproduce there.
>>>>
>>>> On 11 July 2017 at 07:35, Stian Thorgersen <sthorger(a)redhat.com>
>>>> wrote:
>>>>
>>>>> Tried to reproduce this, but can't and it's working just fine here.
>>>>> Do you have steps to reproduce?
>>>>>
>>>>> On 10 July 2017 at 16:04, Tiemen Ruiten <t.ruiten(a)rdmedia.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I get the following error when hitting the 'Test connection' button
>>>>>> on the email tab in Realm settings:
>>>>>>
>>>>>> 2017-07-10 15:55:27,316 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: *Keycloak 3.2.0.Final (WildFly Core 2.0.10.Final)* started in 21731ms - Started 449 of 824 services (561 services are lazy, passive or on-demand)
>>>>>> 2017-07-10 15:56:48,997 WARN [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-11) RESTEASY002130: Failed to parse request.: javax.ws.rs.core.UriBuilderException: RESTEASY003330: Failed to create URI: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{"port":null,"host":"mail.rdmedia.com","ssl":"","starttls":"","auth":"","from":"account@rdmedia.com"}
>>>>>> at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:749)
>>>>>> at org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(ResteasyUriBuilder.java:721)
>>>>>> at org.jboss.resteasy.spi.ResteasyUriInfo.initialize(ResteasyUriInfo.java:58)
>>>>>> at org.jboss.resteasy.spi.ResteasyUriInfo.<init>(ResteasyUriInfo.java:53)
>>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletUtil.extractUriInfo(ServletUtil.java:41)
>>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:200)
>>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>>> Caused by: java.net.URISyntaxException: Illegal character in path at index 67: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{"port":null,"host":"mail.rdmedia.com","ssl":"","starttls":"","auth":"","from":"account@rdmedia.com"}
>>>>>> at java.net.URI$Parser.fail(URI.java:2848)
>>>>>> at java.net.URI$Parser.checkChars(URI.java:3021)
>>>>>> at java.net.URI$Parser.parseHierarchical(URI.java:3105)
>>>>>> at java.net.URI$Parser.parse(URI.java:3053)
>>>>>> at java.net.URI.<init>(URI.java:588)
>>>>>> at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:744)
>>>>>> ... 40 more
>>>>>>
>>>>>> The 67th character is the slash after testSMTPConnection. Is this a
>>>>>> bug and/or is there a workaround/fix?
>>>>>>
>>>>>> --
>>>>>> Tiemen Ruiten
>>>>>> Systems Engineer
>>>>>> R&D Media
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Tiemen Ruiten
>>>> Systems Engineer
>>>> R&D Media
>>>>
>>>
>>>
>>>
>>> --
>>> Tiemen Ruiten
>>> Systems Engineer
>>> R&D Media
>>>
>>
>>
>>
>> --
>> Tiemen Ruiten
>> Systems Engineer
>> R&D Media
>>
>
>
--
Tiemen Ruiten
Systems Engineer
R&D Media
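
An added example, not part of the original thread: a small audit that flags `proxy_pass` directives carrying a URI part, since per the nginx documentation quoted above those forward the normalized request URI instead of the form the client sent. The function names `classify` and `audit` are hypothetical, the "before" snippet is trimmed from the config quoted in the thread, the "after" snippet is constructed from the fix described, and the variable and `unix:` cases go slightly beyond what the thread covers.

```python
import re
from urllib.parse import urlsplit

# Matches `proxy_pass <target>;` on a non-comment line (one directive per line assumed).
PROXY_PASS = re.compile(r"^\s*proxy_pass\s+([^\s;]+)\s*;", re.MULTILINE)


def classify(target):
    """Return 'variable', 'unix-socket', 'with-uri' or 'no-uri' for a proxy_pass target."""
    if "$" in target:
        return "variable"      # nginx applies different rules when variables are used
    if re.match(r"^https?://unix:", target):
        return "unix-socket"   # socket-path syntax is not parsed by this sketch
    parts = urlsplit(target)
    # Anything after host[:port], even a lone "/", counts as a URI part.
    return "with-uri" if (parts.path or parts.query) else "no-uri"


def audit(config_text):
    """List (line_number, target, classification) for each proxy_pass directive."""
    findings = []
    for m in PROXY_PASS.finditer(config_text):
        line_no = config_text.count("\n", 0, m.start(1)) + 1
        findings.append((line_no, m.group(1), classify(m.group(1))))
    return findings


# Trimmed from the keycloak.conf quoted in the thread (trailing slash present).
BEFORE = """\
location / {
    proxy_http_version 1.1;
    proxy_pass http://localhost:8080/;
    proxy_set_header Host $host;
}
"""
# Constructed: the same block with the final '/' removed, as the fix describes.
AFTER = BEFORE.replace("http://localhost:8080/;", "http://localhost:8080;")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        for line_no, target, kind in audit(cfg):
            print(f"{name}: line {line_no}: proxy_pass {target} -> {kind}")
```

A `with-uri` finding is not a defect in itself; it marks the locations where the backend sees a rewritten path, which is where to look first when an application behind the proxy rejects or misroutes a request.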