5:50 p.m.
Hello,
I am trying to make KeyCloak work behind an IIS proxy.
Here is what I want to do:
KeyCloak is installed and available remotely on:
https://www.server.com/auth/
On IIS I created an "Application Request Routing Cache" that I already use for
another application.
I created an "URL Rewrite" with inbound rule that takes pattern auth/(.*) and
rewrites it to rewrite url: http://127.0.0.1:8080/auth/{R:1}
Now my problem is that this rewrite url is used by the keycloak server when a user tries
to log in.
If my application redirects the user to log in, the url is
https://www.server.com/auth/realms/myrealm/protocol/openid-connect/auth?r....
but behind the Login button, the action is
http://127.0.0.1:8080/auth/realms/myrealm/login-actions/aut...
which of course doesn't work because it needs to be https://www.server.com instead of
http://127.0.0.1:8080
I have tried about everything in
http://www.keycloak.org/docs/latest/server_installation/index.html#identi...
but without success.
If I use proxy-address-forwarding="true" I get
We're sorry ...
HTTPS required
Can somebody please clarify how I can configure keycloak to use https://www.server.com
instead of http://127.0.0.1:8080 ?
Best regards,
Kevin
7:08 p.m.
Hi Kevin,
you should let Keycloak know that you are using https. With Apache
httpd you need to add this parameter:
RequestHeader set X-Forwarded-Proto "https"
For sure IIS has something like this.
Regards,
Domenico Briganti
Il giorno ven, 22/12/2017 alle 16.50 +0000, Kevin Cuijpers ha scritto:
Hello,
I am trying to make KeyCloak work behind an IIS proxy.
Here is what I want to do:
KeyCloak is installed and available remotely on:
https://www.server.com/auth/
On IIS I created an "Application Request Routing Cache" that I
already use for another application.
I created an "URL Rewrite" with inbound rule that takes pattern
auth/(.*) and rewrites it to rewrite url: http://127.0.0.1:8080/auth/
{R:1}
Now my problem is that this rewrite url is used by the keycloak
server when a user tries to log in.
If my application redirects the user to log in, the url is https://ww
w.server.com/auth/realms/myrealm/protocol/openid-
connect/auth?response_type=code&client_id=...
but behind the Login button, the action is http://127.0.0.1:8080/auth
/realms/myrealm/login-actions/aut...
which of course doesn't work because it needs to be https://www.serve
r.com instead of http://127.0.0.1:8080
I have tried about everything in http://www.keycloak.org/docs/latest/
server_installation/index.html#identifying-client-ip-addresses but
without success.
If I use proxy-address-forwarding="true" I get
We're sorry ...
HTTPS required
Can somebody please clarify how I can configure keycloak to use https
://www.server.com instead of http://127.0.0.1:8080 ?
Best regards,
Kevin
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:49 a.m.
Not only proto, but looks like X-Forwarded-Host is also missing
пт, 22 дек. 2017 г. в 21:08, Domenico Briganti <dometec(a)gmail.com>:
Hi Kevin,
you should let Keycloak know that you are using https. With Apache
httpd you need to add this parameter:
RequestHeader set X-Forwarded-Proto "https"
For sure IIS has something like this.
Regards,
Domenico Briganti
Il giorno ven, 22/12/2017 alle 16.50 +0000, Kevin Cuijpers ha scritto:
> Hello,
>
> I am trying to make KeyCloak work behind an IIS proxy.
> Here is what I want to do:
> KeyCloak is installed and available remotely on:
> https://www.server.com/auth/
> On IIS I created an "Application Request Routing Cache" that I
> already use for another application.
> I created an "URL Rewrite" with inbound rule that takes pattern
> auth/(.*) and rewrites it to rewrite url: http://127.0.0.1:8080/auth/
> {R:1}
>
> Now my problem is that this rewrite url is used by the keycloak
> server when a user tries to log in.
> If my application redirects the user to log in, the url is https://ww
> w.server.com/auth/realms/myrealm/protocol/openid-
> connect/auth?response_type=code&client_id=...
> but behind the Login button, the action is http://127.0.0.1:8080/auth
> /realms/myrealm/login-actions/aut...
> which of course doesn't work because it needs to be https://www.serve
> r.com instead of http://127.0.0.1:8080
>
> I have tried about everything in http://www.keycloak.org/docs/latest/
> server_installation/index.html#identifying-client-ip-addresses but
> without success.
> If I use proxy-address-forwarding="true" I get
> We're sorry ...
>
> HTTPS required
>
> Can somebody please clarify how I can configure keycloak to use https
> ://www.server.com instead of http://127.0.0.1:8080 ?
>
> Best regards,
>
> Kevin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:05 p.m.
Hello,
Thank you for the information. I added 2 server variables in IIS Rewrite rule:
Name: HTTP_X_FORWARDED_PROTO
Value: https
Name: HTTP_X_FORWARDED_HOST
Value: www.server.com<http://www.server.com>
Now I do get the links to
https://www.server.com/auth/realms/myrealm/login-actions/aut...
And I am able to log in so I can continue.
Best regards,
Kevin
From: Виталий Ищенко [mailto:betalb@gmail.com]
Sent: Saturday, December 23, 2017 1:50 AM
To: Domenico Briganti <dometec(a)gmail.com>
Cc: Kevin Cuijpers <Kevin.Cuijpers(a)mips.be>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak behind an IIS proxy
Not only proto, but looks like X-Forwarded-Host is also missing
пт, 22 дек. 2017 г. в 21:08, Domenico Briganti
<dometec@gmail.com<mailto:dometec@gmail.com>>:
Hi Kevin,
you should let Keycloak know that you are using https. With Apache
httpd you need to add this parameter:
RequestHeader set X-Forwarded-Proto "https"
For sure IIS has something like this.
Regards,
Domenico Briganti
Il giorno ven, 22/12/2017 alle 16.50 +0000, Kevin Cuijpers ha scritto:
Hello,
I am trying to make KeyCloak work behind an IIS proxy.
Here is what I want to do:
KeyCloak is installed and available remotely on:
https://www.server.com/auth/
On IIS I created an "Application Request Routing Cache" that I
already use for another application.
I created an "URL Rewrite" with inbound rule that takes pattern
auth/(.*) and rewrites it to rewrite url: http://127.0.0.1:8080/auth/
{R:1}
Now my problem is that this rewrite url is used by the keycloak
server when a user tries to log in.
If my application redirects the user to log in, the url is https://ww
w.server.com/auth/realms/myrealm/protocol/openid-<http://w.server.com/...
connect/auth?response_type=code&client_id=...
but behind the Login button, the action is http://127.0.0.1:8080/auth
/realms/myrealm/login-actions/aut...
which of course doesn't work because it needs to be https://www.serve
r.com<http://r.com> instead of http://127.0.0.1:8080
I have tried about everything in http://www.keycloak.org/docs/latest/
server_installation/index.html#identifying-client-ip-addresses but
without success.
If I use proxy-address-forwarding="true" I get
We're sorry ...
HTTPS required
Can somebody please clarify how I can configure keycloak to use https
://www.server.com<http://www.server.com> instead of http://127.0.0.1:8080 ?
Best regards,
Kevin
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
2321
days inactive
2325
days old
3 comments
3 participants
participants (3)
-
Domenico Briganti -
Kevin Cuijpers -
Виталий Ищенко