3:35 p.m.
Hello list,
I'm currently working on embedding Keycloak's currently dedicated Proxy
Server into Keycloak itself.
For this I need to be able to dynamically configure Undertow's ProxyHandler
and register VirtualHosts at runtime.
For reference the discussion thread on keycloak-dev ML: [1]
Keycloak uses the Undertow Subsystem provided by Wildfly 10 which is
configured via the standalone(-ha).xml.
I could already configure a reverse-proxy and additional hosts via
jboss-cli but I wonder whether there is an API
that I could use to get access to the undertow infrastructure from within a
JAX-RS endpoint.
I could probably also use the wildfly management client API or perhaps do
something via JMX.
Would be great if someone could give me a tip or an example for registering
/ configuring Undertow Handler or Virtual Hosts as described above.
Btw. I saw that Undertow ships with a
io.undertow.server.handlers.proxy.HostTable but I couldn't find
any usage of it in the Undertow codebase - did I miss something or is this
dead code?
FYI current code of Keycloak dedicated Proxy Server (uses embedded
undertow) can be found here: [0]
Cherrs,
Thomas
[0] https://github.com/keycloak/keycloak/tree/master/proxy
[1] http://lists.jboss.org/pipermail/keycloak-dev/2016-August/007742.html
10:50 p.m.
So does this need to proxy all requests, or just requests targeted at
the keycloak deployment? If it is the later then you could just use
ServletExtension to set up the ProxyHandler.
Stuart
On Tue, Aug 9, 2016 at 6:35 AM, Thomas Darimont
<thomas.darimont(a)googlemail.com> wrote:
Hello list,
I'm currently working on embedding Keycloak's currently dedicated Proxy
Server into Keycloak itself.
For this I need to be able to dynamically configure Undertow's ProxyHandler
and register VirtualHosts at runtime.
For reference the discussion thread on keycloak-dev ML: [1]
Keycloak uses the Undertow Subsystem provided by Wildfly 10 which is
configured via the standalone(-ha).xml.
I could already configure a reverse-proxy and additional hosts via jboss-cli
but I wonder whether there is an API
that I could use to get access to the undertow infrastructure from within a
JAX-RS endpoint.
I could probably also use the wildfly management client API or perhaps do
something via JMX.
Would be great if someone could give me a tip or an example for registering
/ configuring Undertow Handler or Virtual Hosts as described above.
Btw. I saw that Undertow ships with a
io.undertow.server.handlers.proxy.HostTable but I couldn't find
any usage of it in the Undertow codebase - did I miss something or is this
dead code?
FYI current code of Keycloak dedicated Proxy Server (uses embedded undertow)
can be found here: [0]
Cherrs,
Thomas
[0] https://github.com/keycloak/keycloak/tree/master/proxy
[1] http://lists.jboss.org/pipermail/keycloak-dev/2016-August/007742.html
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
4:04 a.m.
Hello Stuart,
thanks for your help :)
My current understanding is that I need to proxy requests that are sent to
a virtual host created
at runtime by the Keycloak deployment and Keycloak would add some
additional headers with auth information
and takes care of authentication of necessary.
Since this can be configured at runtime I don't see how I could use the
ServletExtension (which is to my knowledge
applied at start-time) to dynamically register virtual hosts with Undertow.
The workflow is as follows:
So an admin would create a new "proxied" client configuration in the
Keycloak admin console where
he would configure the name for a new virtual host and a target url.
E.g. if the keycloak servername is "sso.acme.com" a user would create
proxied client with the following configuration:
* clientid: app1
* virtual host: app1.acme.com
* target url: https://myapp1.com/app
* Header Mapping: key value pairs with header name to (dynamic) expression
mapping to inject in the proxied request
* Certificate / public / private key
The certificate is used to provide TLS for app1.acme.com - one could also
use a wildcard cert here or generate
the cert on the server on client setup.
With that in place requests sent to: https://app1.acme.com/
should be proxied to: https://myapp1.com/app/
The DNS name app1.acme.com would of course resolve to the IP of sso.acme.com
.
A purely path-based solution would be to define a proxy endpoint like
https://sso.acme.com/proxy/ which then
proxies all requests sent to https://sso.acme.com/proxy/app1 to
https://myapp1.com/app.
The servlet based approach could be done easily done with Servlets or
JAX-RS endpoints, but I still wonder how the dynamic vhost registration
could be done.
Cheers,
Thomas
2016-08-09 5:50 GMT+02:00 Stuart Douglas <sdouglas(a)redhat.com>:
So does this need to proxy all requests, or just requests targeted
at
the keycloak deployment? If it is the later then you could just use
ServletExtension to set up the ProxyHandler.
Stuart
On Tue, Aug 9, 2016 at 6:35 AM, Thomas Darimont
<thomas.darimont(a)googlemail.com> wrote:
> Hello list,
>
> I'm currently working on embedding Keycloak's currently dedicated Proxy
> Server into Keycloak itself.
> For this I need to be able to dynamically configure Undertow's
ProxyHandler
> and register VirtualHosts at runtime.
> For reference the discussion thread on keycloak-dev ML: [1]
>
> Keycloak uses the Undertow Subsystem provided by Wildfly 10 which is
> configured via the standalone(-ha).xml.
>
> I could already configure a reverse-proxy and additional hosts via
jboss-cli
> but I wonder whether there is an API
> that I could use to get access to the undertow infrastructure from
within a
> JAX-RS endpoint.
> I could probably also use the wildfly management client API or perhaps do
> something via JMX.
>
> Would be great if someone could give me a tip or an example for
registering
> / configuring Undertow Handler or Virtual Hosts as described above.
>
> Btw. I saw that Undertow ships with a
> io.undertow.server.handlers.proxy.HostTable but I couldn't find
> any usage of it in the Undertow codebase - did I miss something or is
this
> dead code?
>
> FYI current code of Keycloak dedicated Proxy Server (uses embedded
undertow)
> can be found here: [0]
>
> Cherrs,
> Thomas
> [0] https://github.com/keycloak/keycloak/tree/master/proxy
> [1] http://lists.jboss.org/pipermail/keycloak-dev/2016-
August/007742.html
>
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
10:18 p.m.
I think you are going to need a management client based solution here.
At the moment the subsystem is not really designed to be extended in
this way.
Another possibility would be to install your own virtual host handler
in the default host (i.e. the host that gets selected if none match).
You could then control this programmatically. I don't think this would
be a great solution though
Stuart
On Tue, Aug 9, 2016 at 7:04 PM, Thomas Darimont
<thomas.darimont(a)googlemail.com> wrote:
Hello Stuart,
thanks for your help :)
My current understanding is that I need to proxy requests that are sent to a
virtual host created
at runtime by the Keycloak deployment and Keycloak would add some additional
headers with auth information
and takes care of authentication of necessary.
Since this can be configured at runtime I don't see how I could use the
ServletExtension (which is to my knowledge
applied at start-time) to dynamically register virtual hosts with Undertow.
The workflow is as follows:
So an admin would create a new "proxied" client configuration in the
Keycloak admin console where
he would configure the name for a new virtual host and a target url.
E.g. if the keycloak servername is "sso.acme.com" a user would create
proxied client with the following configuration:
* clientid: app1
* virtual host: app1.acme.com
* target url: https://myapp1.com/app
* Header Mapping: key value pairs with header name to (dynamic) expression
mapping to inject in the proxied request
* Certificate / public / private key
The certificate is used to provide TLS for app1.acme.com - one could also
use a wildcard cert here or generate
the cert on the server on client setup.
With that in place requests sent to: https://app1.acme.com/
should be proxied to: https://myapp1.com/app/
The DNS name app1.acme.com would of course resolve to the IP of
sso.acme.com.
A purely path-based solution would be to define a proxy endpoint like
https://sso.acme.com/proxy/ which then
proxies all requests sent to https://sso.acme.com/proxy/app1 to
https://myapp1.com/app.
The servlet based approach could be done easily done with Servlets or JAX-RS
endpoints, but I still wonder how the dynamic vhost registration could be
done.
Cheers,
Thomas
2016-08-09 5:50 GMT+02:00 Stuart Douglas <sdouglas(a)redhat.com>:
>
> So does this need to proxy all requests, or just requests targeted at
> the keycloak deployment? If it is the later then you could just use
> ServletExtension to set up the ProxyHandler.
>
> Stuart
>
> On Tue, Aug 9, 2016 at 6:35 AM, Thomas Darimont
> <thomas.darimont(a)googlemail.com> wrote:
> > Hello list,
> >
> > I'm currently working on embedding Keycloak's currently dedicated Proxy
> > Server into Keycloak itself.
> > For this I need to be able to dynamically configure Undertow's
> > ProxyHandler
> > and register VirtualHosts at runtime.
> > For reference the discussion thread on keycloak-dev ML: [1]
> >
> > Keycloak uses the Undertow Subsystem provided by Wildfly 10 which is
> > configured via the standalone(-ha).xml.
> >
> > I could already configure a reverse-proxy and additional hosts via
> > jboss-cli
> > but I wonder whether there is an API
> > that I could use to get access to the undertow infrastructure from
> > within a
> > JAX-RS endpoint.
> > I could probably also use the wildfly management client API or perhaps
> > do
> > something via JMX.
> >
> > Would be great if someone could give me a tip or an example for
> > registering
> > / configuring Undertow Handler or Virtual Hosts as described above.
> >
> > Btw. I saw that Undertow ships with a
> > io.undertow.server.handlers.proxy.HostTable but I couldn't find
> > any usage of it in the Undertow codebase - did I miss something or is
> > this
> > dead code?
> >
> > FYI current code of Keycloak dedicated Proxy Server (uses embedded
> > undertow)
> > can be found here: [0]
> >
> > Cherrs,
> > Thomas
> > [0] https://github.com/keycloak/keycloak/tree/master/proxy
> > [1]
> > http://lists.jboss.org/pipermail/keycloak-dev/2016-August/007742.html
> >
> >
> > _______________________________________________
> > undertow-dev mailing list
> > undertow-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/undertow-dev
4:38 a.m.
On Tue, Aug 16, 2016 at 5:18 AM, Stuart Douglas <sdouglas(a)redhat.com> wrote:
I think you are going to need a management client based solution
here.
At the moment the subsystem is not really designed to be extended in
this way.
Well, given that keycloak already has a subsystem,
it could be done by deep integration with undertow subsystem directly.
but in general it can be done by calling management operations
in whatever way it is easiest for you.
--
tomaz
3021
days inactive
3029
days old
4 comments
3 participants
participants (3)
-
Stuart Douglas -
Thomas Darimont -
Tomaž Cerar