[keycloak-user] Significant SSL issue: Support for reverse proxies

Josh smysnk at gmail.com
Tue Jun 17 13:19:10 EDT 2014


Excellent, just tested it out and it is working as expected.

I also had to add 'RequestHeader set X-Forwarded-Proto "https"' to my
Apache virtualhost configuration.

Some documentation somewhere that this is required would be useful for the
next guy.

Thanks,
Josh


On Tue, Jun 17, 2014 at 4:58 AM, Stian Thorgersen <stian at redhat.com> wrote:

> This is quite likely an issue with either Apache or WildFly not being
> configured correctly.
>
> Have you enabled proxy-address-forwarding in WildFly/Undertow (see
> https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration
> for more info)?
>
> ----- Original Message -----
> > From: "Josh" <smysnk at gmail.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Monday, 16 June, 2014 4:42:27 PM
> > Subject: Re: [keycloak-user] Significant SSL issue: Support for reverse proxies
> >
> > The first would be at the "Welcome to Keycloak" page, clicking on
> > Administration Console.  The link itself is not redirecting to http, but as
> > part of the login page it looks like it forwards back to http. (e.g.
> > https://auth.psidox.com/auth/ -> https://auth.psidox.com/auth/admin/ ->
> > http://auth.psidox.com/auth/admin/master/console ->
> > http://auth.psidox.com/auth/realms/master/tokens/login?client_id=security-admin-console&redirect_uri=http%3A%2F%2Fauth.psidox.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=2ae3dfaa-fe7c-4973-8932-ffea553d8dfe&response_type=code
> > )
> >
> > I haven't really gotten too far beyond the login page.
> >
> > - Josh
> >
> >
> > On Mon, Jun 16, 2014 at 3:33 AM, Stian Thorgersen <stian at redhat.com> wrote:
> >
> > > When does it forward the browser from https to http?
> > >
> > > As Bill pointed out, does auth-server-url in your keycloak.json point to
> > > your proxy with https?
> > >
> > > What adapter are you using?
> > >
> > > ----- Original Message -----
> > > > From: "Josh" <smysnk at gmail.com>
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Friday, 13 June, 2014 8:41:32 AM
> > > > Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies
> > > >
> > > > Hi guys,
> > > >
> > > > So looking to help solve this issue possibly or at least get it on the radar,
> > > > I've reported it here: https://issues.jboss.org/browse/KEYCLOAK-497
> > > >
> > > > To briefly recap the issue, when logging in via reverse proxy it keeps
> > > > forwarding the browser from https back to regular http.
> > > >
> > > > Eg. Apache virtualhost configured as:
> > > >
> > > > <VirtualHost *:443>
> > > > ServerName auth.domain.com
> > > > SSLEngine On
> > > >
> > > > <Proxy *>
> > > > Order deny,allow
> > > > Allow from all
> > > > </Proxy>
> > > >
> > > > ProxyVia Off
> > > > ProxyPreserveHost On
> > > > ProxyRequests Off
> > > >
> > > > ProxyPass / http://keycloak.core.docker:8080/
> > > > ProxyPassReverse / http://keycloak.core.docker:8080/
> > > >
> > > >
> > > > </VirtualHost>
> > > >
> > > > If I were to start looking into the code base, where would I start? Trying to
> > > > find for example during the login process how the forward url is formed?
> > > >
> > > > Thanks,
> > > >
> > > > Josh
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
>
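
Added example, not part of the original thread or of Keycloak: a small check for the symptom discussed above, flagging every hop in a redirect chain that drops from https to http, including a plain-http `redirect_uri` carried in the query string. The chains are constructed from the URLs quoted in the thread (the `state` value is a placeholder), and the function and constant names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl

# Query parameters treated as callback URLs (assumption: only redirect_uri,
# the one visible in the thread's login URL).
CALLBACK_PARAMS = {"redirect_uri"}

def find_downgrades(chain):
    """Return (hop_index, kind, url) findings for a chain that starts on https.

    kind is 'location' when the hop itself is plain http, and 'redirect_uri'
    when a hop carries a plain-http callback URL in its query string.
    """
    findings = []
    if not chain or urlsplit(chain[0]).scheme != "https":
        return findings  # the client never asked for TLS, nothing to compare
    for i, url in enumerate(chain[1:], start=1):
        parts = urlsplit(url)
        if parts.scheme == "http":
            findings.append((i, "location", url))
        # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught too
        for name, value in parse_qsl(parts.query):
            if name in CALLBACK_PARAMS and urlsplit(value).scheme == "http":
                findings.append((i, "redirect_uri", value))
    return findings

# Constructed sample: the chain reported in the thread before the fix.
BROKEN_CHAIN = [
    "https://auth.psidox.com/auth/",
    "https://auth.psidox.com/auth/admin/",
    "http://auth.psidox.com/auth/admin/master/console",
    "http://auth.psidox.com/auth/realms/master/tokens/login"
    "?client_id=security-admin-console"
    "&redirect_uri=http%3A%2F%2Fauth.psidox.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F"
    "&state=constructed-state&response_type=code",
]

# Constructed sample: the same chain as it should look once the proxy sends
# X-Forwarded-Proto and the backend honours it.
FIXED_CHAIN = [
    u.replace("http://", "https://").replace("http%3A", "https%3A")
    for u in BROKEN_CHAIN
]

if __name__ == "__main__":
    for hop, kind, url in find_downgrades(BROKEN_CHAIN):
        print(f"hop {hop}: {kind} downgraded to {url}")
    print("fixed chain findings:", find_downgrades(FIXED_CHAIN))
```
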