[keycloak-user] NGINX + Redirect URI is going to http rather than https
abhishek raghav
abhi.raghav007 at gmail.com
Wed Aug 3 11:36:42 EDT 2016
I am trying to configure NGINX as a reverse proxy for my keycloak instance and
customer-portal to do SSL termination.
So I am accessing the customer-portal over NGINX with https which is going
fine.
The URL which I called looks like this:
https://192.168.99.100/customer-portal/
Next, when I am trying to access any secured resource by clicking on, let's
say, 'customer-listing', I am redirected to Keycloak with the URI as below,
with an error message "invalid redirect URI".
http://192.168.99.100:31048/auth/realms/nginx/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2F192.168.99.100%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=3%2F9ded446e-cecc-4e96-b46a-37dce491a509&login=true
Here, if you see, the redirect URI is going as http in place of https, which
gives me "invalid redirect URI" because the URI I have configured in the
Valid Redirect URIs section of the customer-portal client settings is
below:
https://192.168.99.100/customer-portal/*
Am I missing something, or do I need to do anything else to support the nginx
setup in my keycloak? I have also set proxy-address-forwarding in
standalone.xml to 'true':
<http-listener xmlns:ut="urn:jboss:domain:undertow:3.0"
               proxy-address-forwarding="true"
               name="default"
               socket-binding="http"
               redirect-socket="https"/>
I also configured the port in the socket binding as 443.
Also, I am setting the required headers in my nginx.conf.
Below is what my nginx.conf looks like:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    server {
        listen 443;
        server_name "";
        ssl_certificate /etc/nginx/external/cert.pem;
        ssl on;
        ssl_certificate_key /etc/nginx/external/key.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;

        location /customer-portal/ {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $http_host;
            proxy_set_header X-Forwarded-Port 443;
            proxy_pass http://192.168.99.100:31050;
        }

        location /auth/ {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $http_host;
            proxy_pass http://192.168.99.100:31048/auth/;
            proxy_set_header X-Forwarded-Port 443;
        }
    }

    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}
And my keycloak.json file looks like below:
{
    "realm": "nginx",
    "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzb6ecdzvU+RoI0Qu6Psh1NFKLUoSuSfoAdW/nD5sr0M1FDpLOrsRIzIRScS9DJ28n1+Kdvrad9aS/UMsr+NXHRoSPeZuabAtfDCYx49+NhtR+LW97rB4lBNnXf148mkhikyZ0B08naQlhgkAqBXR5oxOo/FqWCObhZxBPsU9BcL4Qb5JO1we8k+7kIHTFyhHbZvEAk292eIG+GyrUDh+ZyE8T8Myde0GM1Korg9ZsdYxbb3U78bmxgvBmeye+Dq89EbyNDE3K/7giq7Gmh4Gu6fVcJG9tCjl1pS7CiDH1gTuITJxSJO3bPRf58SVoId8S26/5YMIq7pqwXe/pyvAewIDAQAB",
    "auth-server-url": "https://192.168.99.100/auth/",
    "ssl-required": "external",
    "resource": "customer-portal",
    "credentials": {
        "secret": "20d8b6f8-25cc-481c-be66-133da68e9596"
    },
    "use-resource-role-mappings": false
}
Note: I am running all 3 in their own docker containers.
Here my nginx url is https://192.168.99.100
my customer-portal url is http://192.168.99.100:31050
my keycloak server url is http://192.168.99.100:31048
Customer-portal is running on Tomcat 8 with the Keycloak Tomcat adapter.
customer-portal and keycloak are both running behind nginx.
Am I doing something wrong?
Thanks.
Abhishek
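Added example (not from this post, and not Keycloak's or Tomcat's own code): a small Python model of how an OIDC adapter on the backend builds redirect_uri. The adapter takes the scheme from the connector it was reached on, so a Tomcat that receives plain HTTP from a TLS-terminating nginx produces an http:// redirect_uri like the one quoted above unless it is configured to honour X-Forwarded-Proto (in Tomcat that is the RemoteIpValve with protocolHeader="X-Forwarded-Proto"; Keycloak itself reads the same header because of the proxy-address-forwarding setting shown). The model also applies the trusted-proxy rule a backend must use: X-Forwarded-* headers are only believed when the TCP peer is the proxy, because anyone who can reach port 31050 directly could otherwise forge them. The trusted network, the peer addresses, the header dictionaries and the state value are constructed sample values; the hostname, paths and the Valid Redirect URIs pattern are taken from the post.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlencode

# Assumption (constructed): the network nginx reaches the backend from.
TRUSTED_PROXIES = [ip_network("172.17.0.0/16")]

# The client's Valid Redirect URIs setting quoted in the post.
VALID_REDIRECT_URIS = ["https://192.168.99.100/customer-portal/*"]


def effective_origin(peer_ip, headers, honor_forwarded, connector_scheme="http"):
    """Return (scheme, host) the application believes it was reached on.

    connector_scheme is what the backend connector itself speaks: plain http
    behind a TLS-terminating proxy.  X-Forwarded-* headers are used only when
    the app is configured to honour them AND the TCP peer is a trusted proxy.
    """
    scheme = connector_scheme
    host = headers["Host"]  # the proxy forwards the original Host header
    trusted = any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES)
    if honor_forwarded and trusted:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host)
        port = headers.get("X-Forwarded-Port")
        default_port = {"https": "443", "http": "80"}[scheme]
        if port and port != default_port and ":" not in host:
            host = f"{host}:{port}"
    return scheme, host


def build_redirect_uri(origin, path):
    """redirect_uri = the URL of the protected resource as the app sees it."""
    scheme, host = origin
    return f"{scheme}://{host}{path}"


def build_auth_request(auth_server_url, realm, client_id, redirect_uri, state):
    """Authorization Code request URL the adapter sends the browser to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    base = auth_server_url.rstrip("/")
    return f"{base}/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"


def redirect_uri_allowed(uri, patterns):
    """Keycloak-style check: exact match, or prefix match for a trailing '*'.

    The scheme is part of the comparison, so http:// never matches an
    https:// pattern; that is the "invalid redirect URI" in the post.
    """
    for pattern in patterns:
        if pattern.endswith("*"):
            if uri.startswith(pattern[:-1]):
                return True
        elif uri == pattern:
            return True
    return False


def scenario(honor_forwarded, peer_ip, headers):
    """Return (redirect_uri, accepted_by_keycloak) for one backend request."""
    origin = effective_origin(peer_ip, headers, honor_forwarded)
    uri = build_redirect_uri(origin, "/customer-portal/customers/view.jsp")
    return uri, redirect_uri_allowed(uri, VALID_REDIRECT_URIS)


# Constructed headers, matching what the post's /customer-portal/ location sets.
PROXY_HEADERS = {
    "Host": "192.168.99.100",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "192.168.99.100",
    "X-Forwarded-Port": "443",
}

# Constructed: a request that bypasses nginx and carries forged headers.
FORGED_HEADERS = {
    "Host": "192.168.99.100",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "forged.example",
}

if __name__ == "__main__":
    # Backend ignores X-Forwarded-Proto (Tomcat default): http:// redirect_uri.
    print(scenario(False, "172.17.0.2", PROXY_HEADERS))
    # Backend honours the headers from the trusted proxy: https:// and accepted.
    uri, ok = scenario(True, "172.17.0.2", PROXY_HEADERS)
    print(uri, ok)
    print(build_auth_request("https://192.168.99.100/auth/", "nginx",
                             "customer-portal", uri, "constructed-state"))
    # Forged headers from an untrusted peer are ignored.
    print(scenario(True, "10.0.0.5", FORGED_HEADERS))
```

The first scenario reproduces the redirect_uri in the post (the scheme comes from the plain-HTTP connector even though every X-Forwarded-* header is set correctly by nginx); the second shows what the adapter produces once the backend honours X-Forwarded-Proto from the proxy; the third shows why honouring those headers must be tied to the proxy's address rather than enabled unconditionally.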