[keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Vincent Sourin sourin-v at bridgestone-bae.com
Mon Oct 24 15:38:20 EDT 2016


Yes, I think the X-Forwarded-* headers and preservation of the original host are set.

Actually, I'm not really a "network" guy. So for testing purposes, I use the bundle (httpd + ssl) provided on the mod_cluster website.
I "tweak" the configuration to try to achieve SSL termination and WebSocket support like this:

------------------------ Apache Configuration ----------------------------
ServerRoot "/opt/jboss/httpd/httpd"

LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
[…]
LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so

<IfModule unixd_module>
User daemon
Group daemon
</IfModule>

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
<Directory "/opt/jboss/httpd/htdocs/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"
LogLevel  warn

<IfModule log_config_module>
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    SetEnvIf Request_URI "^/check\.txt$" dontlog
    CustomLog "logs/access.log" combined env=!dontlog
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"
</IfModule>

<IfModule cgid_module>
</IfModule>

<Directory "/opt/jboss/httpd/htdocs/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>

<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
EnableWsTunnel

Listen XXXXXXXX:443
<VirtualHost *:443>
    ServerName XXXXXXXXXXXXXXX

    CreateBalancers 0

    <Location /mcm>
        AllowDisplay On
        SetHandler mod_cluster-manager
        Require ip 10.10
    </Location>

    <Location /check.txt>
       ProxyPass !
    </Location>

    SSLEngine on
    SSLProtocol  all -SSLv2
    SSLHonorCipherOrder on
    SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
    SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
    SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
    SSLVerifyClient none

    ProxyPreserveHost On
    RequestHeader Set X-Forwarded-Proto "https"

</VirtualHost>

<IfModule manager_module>
  Listen XXXXXXXXX:6666
  <VirtualHost *:6666>
    ServerName XXXXXXXXXXXXXXXXX

    <Location />
     Require ip 10.10
    </Location>

    AllowDisplay On
    KeepAliveTimeout 300
    MaxKeepAliveRequests 0
    ServerAdvertise on
    AdvertiseFrequency 5
    AdvertiseGroup 224.0.1.205:24364
    EnableMCPMReceive
    ManagerBalancerName mycluster

    ProxyPreserveHost On
    RequestHeader Set X-Forwarded-Proto "https"

  </VirtualHost>
</IfModule>
------------------------ Apache Configuration ----------------------------


From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday, 24 October 2016 08:08
To: Vincent Sourin <sourin-v at bridgestone-bae.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Is your proxy setting X-Forwarded-For and X-Forwarded-Proto, and also preserving the original Host header?

On 22 October 2016 at 13:19, Vincent Sourin <sourin-v at bridgestone-bae.com> wrote:
Hello,

I've got a strange behavior with a Keycloak instance (version 2.2.1.Final) behind an Apache reverse proxy (with mod_cluster).

First of all, here is my test environment: https://postimg.org/image/z7xrb08ev/

I think it's worth mentioning that:

* WildFly & Keycloak are installed on the same servers, but each in a separate instance (not using the overlay deployment)

* mod_cluster is configured in HTTP mode (not AJP), with mod_proxy_wstunnel activated because I use WebSocket with WildFly

So, in this configuration, applications deployed on the WildFly instances work well, but I have some problems with Keycloak.
Reaching the Keycloak "auth" page (https://XXXXXXX/auth/) works fine, but as soon as I click on the "Administration Console" link (which resolves normally to https://XXXXXXX/auth/admin/, as indicated by my browser) I'm redirected to a plain HTTP connection and so the request fails.

If I browse directly to https://XXXXXXX/auth/admin/, my browser complains about "some insecure items on the page" and I can't reach the console either.

Here is a snippet of my Keycloak configuration:

<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <server name="default-server">
        <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
        <https-listener name="https" enabled-protocols="TLSv1.2" security-realm="UndertowRealm" socket-binding="https"/>
        [...]
</subsystem>
[...]
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
    <mod-cluster-config advertise-socket="modcluster" connector="default">
        <dynamic-load-provider>
            <load-metric type="cpu"/>
        </dynamic-load-provider>
    </mod-cluster-config>
</subsystem>
[...]
<socket-binding-groups>
    <socket-binding-group name="ha-sockets" default-interface="public">
        [...]
        <socket-binding name="proxy-https" port="443"/>
        [...]
    </socket-binding-group>
</socket-binding-groups>

Can someone tell me what I'm doing wrong, or give me the right direction to further investigate this behavior?

Thanks for your help.

Vincent.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
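Added example (not part of the thread, and not Keycloak's, Undertow's or httpd's own code): a simplified Python model of the two halves of the problem discussed above. One function models what Apache sends upstream under `ProxyPreserveHost On` and `RequestHeader set X-Forwarded-Proto "https"` (mod_headers `set` replaces any client-supplied value; mod_proxy_http appends the client address to X-Forwarded-For). The other models how a backend whose listener has `proxy-address-forwarding="true"` rebuilds the external scheme and host it puts into the redirect to /auth/admin/. The names `sso.example.com`, `keycloak-node1.internal:8080` and the client address 203.0.113.7 are made up, and the header handling is a model of the documented directive behaviour, not the real implementations.

```python
"""Model of forwarded-header handling between an Apache reverse proxy that
terminates TLS and a proxy-aware backend (example code, not project code)."""

from typing import Dict

BACKEND = "keycloak-node1.internal:8080"   # assumed WildFly/Keycloak node address
PUBLIC_HOST = "sso.example.com"            # assumed ServerName of the Apache vhost
DEFAULT_PORT = {"http": 80, "https": 443}


def apache_forward(client: Dict[str, str], client_scheme: str = "https",
                   preserve_host: bool = True, set_proto: bool = True,
                   client_ip: str = "203.0.113.7") -> Dict[str, str]:
    """Headers the reverse proxy sends to the backend.

    preserve_host models `ProxyPreserveHost On`; set_proto models
    `RequestHeader set X-Forwarded-Proto "https"` ('set' replaces whatever
    the client sent).  mod_proxy_http adds X-Forwarded-For itself, appending
    to an existing value rather than replacing it.
    """
    upstream = {k: v for k, v in client.items() if k.lower() != "host"}
    upstream["Host"] = client.get("Host", PUBLIC_HOST) if preserve_host else BACKEND
    if set_proto:
        upstream["X-Forwarded-Proto"] = client_scheme
    xff = client.get("X-Forwarded-For")
    upstream["X-Forwarded-For"] = f"{xff}, {client_ip}" if xff else client_ip
    return upstream


def external_base_url(headers: Dict[str, str], listener_scheme: str = "http",
                      proxy_address_forwarding: bool = True) -> str:
    """scheme://host[:port] the backend believes the client used.

    With proxy_address_forwarding the backend trusts X-Forwarded-Proto from
    whoever connects to it; the Host header is used as-is either way.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = listener_scheme
    if proxy_address_forwarding and "x-forwarded-proto" in h:
        scheme = h["x-forwarded-proto"].split(",")[0].strip().lower()
    host = h.get("host", BACKEND)
    hostname, sep, port = host.rpartition(":")
    if sep and int(port) == DEFAULT_PORT.get(scheme):
        return f"{scheme}://{hostname}"   # drop the scheme's default port
    return f"{scheme}://{host}"


def admin_console_redirect(headers: Dict[str, str], **kw: object) -> str:
    """Location header the backend would emit for the admin console link."""
    return external_base_url(headers, **kw) + "/auth/admin/"


def scenarios() -> Dict[str, str]:
    """Constructed browser request run through the configurations discussed."""
    browser = {"Host": PUBLIC_HOST, "User-Agent": "constructed-browser/1.0"}
    return {
        # the thread's configuration: Host preserved and X-Forwarded-Proto set
        "proxied_ok": admin_console_redirect(apache_forward(browser)),
        # TLS terminated at the proxy but not signalled: plain-http redirect
        "proxied_no_proto": admin_console_redirect(
            apache_forward(browser, set_proto=False)),
        # Host not preserved: redirect names the internal node and its port
        "proxied_no_preserve": admin_console_redirect(
            apache_forward(browser, preserve_host=False, set_proto=False)),
        # client reaches the backend port directly and forges both headers
        "direct_spoofed": admin_console_redirect(
            {"Host": "attacker.example", "X-Forwarded-Proto": "https"}),
        # forged X-Forwarded-Proto sent via the proxy is overwritten by 'set'
        "proxied_forged_proto": admin_console_redirect(
            apache_forward({**browser, "X-Forwarded-Proto": "ftp"})),
    }


if __name__ == "__main__":
    for name, location in scenarios().items():
        print(f"{name:22s} -> {location}")
```

The scenarios show why all three headers matter: without X-Forwarded-Proto the redirect is a plain http URL (the symptom in the first mail), without ProxyPreserveHost it points at the internal node and port, and a client that can reach the listener port directly gets whatever scheme and host it forges echoed back. That last case is the caveat that goes with proxy-address-forwarding: the listener should only be reachable from the proxy, and the proxy must `set` (not `append`) X-Forwarded-Proto so a client-supplied value never survives.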


