[keycloak-user] NGINX + Redirect URI is going to http rather than https
Marek Posolda
mposolda at redhat.com
Thu Aug 4 06:40:04 EDT 2016
Didn't go through all the details, just checking whether you read these
parts of our docs:
https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/network.html
(and subpages)
https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/clustering/load-balancer.html
Marek
On 03/08/16 17:36, abhishek raghav wrote:
>
> I am trying to configure NGINX as a reverse proxy for my keycloak instance
> and customer-portal to do SSL termination.
>
> So I am accessing the customer-portal over NGINX with https, which is
> going fine.
> The URL which I called looks like this:
>
> https://192.168.99.100/customer-portal/
>
>
> Next, when I am trying to access any secured resource by clicking on,
> let's say, 'customer-listing', I am redirected to Keycloak with the URI
> below, with an error message saying invalid redirect URI.
>
> http://192.168.99.100:31048/auth/realms/nginx/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2F192.168.99.100%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=3%2F9ded446e-cecc-4e96-b46a-37dce491a509&login=true
>
> Here, if you see, the redirect URI is going as http in place of https,
> which gives me invalid redirect-uri because the URI I have configured
> in the valid-redirect-URI section of the customer-portal
> client settings is below:
>
> https://192.168.99.100/customer-portal/*
>
> Am I missing something, or do I need to do anything else to support nginx
> settings in my Keycloak? I have also set the proxy-forwarding in
> standalone.xml to 'true'.
>
> <http-listener xmlns:ut="urn:jboss:domain:undertow:3.0"
>                proxy-address-forwarding="true"
>                name="default"
>                socket-binding="http"
>                redirect-socket="https"/>
>
>
> I also configured the port in the socket binding as 443.
>
> Also, I am configuring the required headers in my nginx.conf.
>
> Below is what my nginx.conf looks like:
>
> user  nginx;
> worker_processes  1;
>
> error_log  /var/log/nginx/error.log warn;
> pid        /var/run/nginx.pid;
>
> events {
>     worker_connections  1024;
> }
>
> http {
>     include       /etc/nginx/mime.types;
>     default_type  application/octet-stream;
>
>     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
>                       '$status $body_bytes_sent "$http_referer" '
>                       '"$http_user_agent" "$http_x_forwarded_for"';
>
>     server {
>         listen 443;
>         server_name "";
>         ssl_certificate     /etc/nginx/external/cert.pem;
>         ssl on;
>         ssl_certificate_key /etc/nginx/external/key.pem;
>         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>         ssl_ciphers HIGH:!aNULL:!MD5;
>
>         location /customer-portal/ {
>             proxy_set_header Host $http_host;
>             proxy_set_header X-Real-IP $remote_addr;
>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>             proxy_set_header X-Forwarded-Proto $scheme;
>             proxy_set_header X-Forwarded-Host $host;
>             proxy_set_header X-Forwarded-Server $http_host;
>             proxy_set_header X-Forwarded-Port 443;
>             proxy_pass http://192.168.99.100:31050;
>         }
>
>         location /auth/ {
>             proxy_set_header Host $host;
>             proxy_set_header X-Real-IP $remote_addr;
>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>             proxy_set_header X-Forwarded-Proto $scheme;
>             proxy_set_header X-Forwarded-Host $host;
>             proxy_set_header X-Forwarded-Server $http_host;
>             proxy_pass http://192.168.99.100:31048/auth/;
>             proxy_set_header X-Forwarded-Port 443;
>         }
>     }
>
>     access_log  /var/log/nginx/access.log  main;
>
>     sendfile        on;
>     #tcp_nopush     on;
>
>     keepalive_timeout  65;
>
>     #gzip  on;
>
>     include /etc/nginx/conf.d/*.conf;
> }
>
>
> And my keycloak.json file looks like below:
>
> {
>   "realm": "nginx",
>   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzb6ecdzvU+RoI0Qu6Psh1NFKLUoSuSfoAdW/nD5sr0M1FDpLOrsRIzIRScS9DJ28n1+Kdvrad9aS/UMsr+NXHRoSPeZuabAtfDCYx49+NhtR+LW97rB4lBNnXf148mkhikyZ0B08naQlhgkAqBXR5oxOo/FqWCObhZxBPsU9BcL4Qb5JO1we8k+7kIHTFyhHbZvEAk292eIG+GyrUDh+ZyE8T8Myde0GM1Korg9ZsdYxbb3U78bmxgvBmeye+Dq89EbyNDE3K/7giq7Gmh4Gu6fVcJG9tCjl1pS7CiDH1gTuITJxSJO3bPRf58SVoId8S26/5YMIq7pqwXe/pyvAewIDAQAB",
>   "auth-server-url": "https://192.168.99.100/auth/",
>   "ssl-required": "external",
>   "resource": "customer-portal",
>   "credentials": {
>     "secret": "20d8b6f8-25cc-481c-be66-133da68e9596"
>   },
>   "use-resource-role-mappings": false
> }
>
> Note: I am running all 3 in their own docker containers.
>
> Here my nginx url is https://192.168.99.100
> my customer-portal url is http://192.168.99.100:31050
> my keycloak server url is http://192.168.99.100:31048
> Customer-portal is running on Tomcat 8 with the Keycloak Tomcat adapter.
>
> Both customer-portal and Keycloak are running behind nginx.
>
>
> Am I doing something wrong?
>
> Thanks.
> Abhishek
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
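The redirect_uri mismatch Abhishek describes comes down to whether the backend behind the TLS-terminating proxy honours the X-Forwarded-* headers when it rebuilds the browser-facing URL. The following is an added example, not code from the thread, from Keycloak or from its adapters: it models that reconstruction with the exact headers the nginx.conf above sets and the registered pattern from the post, and shows why the redirect comes out as http:// when the headers are ignored and why they must only be trusted from the proxy itself. The proxy address 172.17.0.2, the peer 10.0.0.9 and the simplified redirect-URI check are assumptions.

```python
# Added example, not from the thread: how a proxy-aware backend should rebuild the
# browser-facing URL from the headers the thread's nginx.conf forwards, and why the
# redirect_uri comes out as http:// when those headers are not honoured.
TRUSTED_PROXIES = {"172.17.0.2"}  # assumption: the nginx container's address
DEFAULT_PORT = {"http": "80", "https": "443"}

def external_url(peer_ip, local_scheme, path, headers, honour_forwarded=True):
    """Return the URL the browser used, as a backend behind a TLS-terminating proxy sees it.

    X-Forwarded-Proto/Host/Port are honoured only when the request came from the
    trusted proxy; from any other peer they are client-controlled and ignored.
    """
    scheme, authority = local_scheme, headers.get("Host", "")
    if honour_forwarded and peer_ip in TRUSTED_PROXIES:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        authority = headers.get("X-Forwarded-Host", authority)
        port = headers.get("X-Forwarded-Port")
        if port and port != DEFAULT_PORT.get(scheme):
            authority = f"{authority}:{port}"
    return f"{scheme}://{authority}{path}"

def redirect_uri_allowed(redirect_uri, registered):
    """Simplified Valid Redirect URIs check (assumption): a trailing '*' matches any
    suffix, otherwise the full URI must match exactly, scheme included."""
    for pattern in registered:
        if pattern.endswith("*") and redirect_uri.startswith(pattern[:-1]):
            return True
        if redirect_uri == pattern:
            return True
    return False

REGISTERED = ["https://192.168.99.100/customer-portal/*"]  # pattern from the post
PATH = "/customer-portal/customers/view.jsp"
# Constructed headers, as set by the thread's nginx.conf for the 443 listener.
PROXIED = {"Host": "192.168.99.100", "X-Forwarded-Proto": "https",
           "X-Forwarded-Host": "192.168.99.100", "X-Forwarded-Port": "443"}

def thread_scenarios():
    """(adapter honours the headers, adapter ignores them, direct hit bypassing nginx)."""
    honoured = external_url("172.17.0.2", "http", PATH, PROXIED)
    ignored = external_url("172.17.0.2", "http", PATH, PROXIED, honour_forwarded=False)
    # Request that reached port 31050 directly (constructed peer), carrying forged headers.
    direct = external_url("10.0.0.9", "http", PATH,
                          {**PROXIED, "X-Forwarded-Host": "attacker.example"})
    return honoured, ignored, direct

if __name__ == "__main__":
    for label, uri in zip(("honoured", "ignored", "direct"), thread_scenarios()):
        print(f"{label:8s} {uri}  allowed={redirect_uri_allowed(uri, REGISTERED)}")
```

The "ignored" case reproduces the decoded redirect_uri from the failing request byte for byte, which is the symptom to look for when a Tomcat-hosted adapter sits behind a TLS-terminating proxy.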