[keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
Stian Thorgersen
sthorger at redhat.com
Tue Oct 25 03:48:54 EDT 2016
Try:
https://<hostname>/auth/realms/master/.well-known/openid-configuration
And check the URLs in the page. They should contain https and correct
hostname (for your reverse proxy, not Keycloak). If not there's an issue
with your reverse proxy or it's not configured correctly in Keycloak
server. Check the installation guide for more details.
On 24 October 2016 at 21:38, Vincent Sourin <sourin-v at bridgestone-bae.com>
wrote:
> Yes I think X-Forwarded-* Headers and preservation of original host are
> set.
>
>
>
> Actually, I’m not really a « network » guy. So for testing purpose, I use
> the bundle (httpd + ssl ) provided on mod_cluster website.
>
> I « tweak » the configuration to try to achieve SSL Termination and
> Websocket like this :
>
>
>
> ------------------------ Apache Configuration ----------------------------
>
> ServerRoot "/opt/jboss/httpd/httpd"
>
>
>
> LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
>
>
> […]
>
> LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/
> modules/mod_rewrite.so
>
>
>
> <IfModule unixd_module>
>
> User daemon
>
> Group daemon
>
> </IfModule>
>
>
>
> <Directory />
>
> AllowOverride none
>
> Require all denied
>
> </Directory>
>
>
>
> DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
>
> <Directory "/opt/jboss/httpd/htdocs/htdocs">
>
> Options Indexes FollowSymLinks
>
> AllowOverride None
>
> Require all granted
>
> </Directory>
>
>
>
> <IfModule dir_module>
>
> DirectoryIndex index.html
>
> </IfModule>
>
>
>
> <Files ".ht*">
>
> Require all denied
>
> </Files>
>
>
>
> ErrorLog "logs/error_log"
>
> LogLevel warn
>
>
>
> <IfModule log_config_module>
>
> LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\"" combined
>
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
>
> <IfModule logio_module>
>
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\" %I %O" combinedio
>
> </IfModule>
>
> SetEnvIf Request_URI "^/check\.txt$" dontlog
>
> CustomLog "logs/access.log" combined env=!dontlog
>
> </IfModule>
>
>
>
> <IfModule alias_module>
>
> ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"
>
> </IfModule>
>
>
>
> <IfModule cgid_module>
>
> </IfModule>
>
>
>
> <Directory "/opt/jboss/httpd/htdocs/cgi-bin">
>
> AllowOverride None
>
> Options None
>
> Require all granted
>
> </Directory>
>
>
>
> <IfModule mime_module>
>
> TypesConfig conf/mime.types
>
> AddType application/x-compress .Z
>
> AddType application/x-gzip .gz .tgz
>
> </IfModule>
>
>
>
> <IfModule proxy_html_module>
>
> Include conf/extra/proxy-html.conf
>
> </IfModule>
>
>
>
> <IfModule ssl_module>
>
> SSLRandomSeed startup builtin
>
> SSLRandomSeed connect builtin
>
> </IfModule>
>
>
>
> MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
>
> SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/
> logs/ssl_gcache_data(512000)"
>
> EnableWsTunnel
>
>
>
> Listen XXXXXXXX:443
>
> <VirtualHost *:443>
>
> ServerName XXXXXXXXXXXXXXX
>
>
>
> CreateBalancers 0
>
>
>
> <Location /mcm>
>
> AllowDisplay On
>
> SetHandler mod_cluster-manager
>
> Require ip 10.10
>
> </Location>
>
>
>
> <Location /check.txt>
>
> ProxyPass !
>
> </Location>
>
>
>
> SSLEngine on
>
> SSLProtocol all -SSLv2
>
> SSLHonorCipherOrder on
>
> SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
>
> SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
>
> SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
>
> SSLVerifyClient none
>
>
>
> ProxyPreserveHost On
>
> RequestHeader Set X-Forwarded-Proto "https"
>
>
>
> </VirtualHost>
>
>
>
> <IfModule manager_module>
>
> Listen XXXXXXXXX:6666
>
> <VirtualHost *:6666>
>
> ServerName XXXXXXXXXXXXXXXXX
>
>
>
> <Location />
>
> Require ip 10.10
>
> </Location>
>
>
>
> AllowDisplay On
>
> KeepAliveTimeout 300
>
> MaxKeepAliveRequests 0
>
> ServerAdvertise on
>
> AdvertiseFrequency 5
>
> AdvertiseGroup 224.0.1.205:24364
>
> EnableMCPMReceive
>
> ManagerBalancerName mycluster
>
>
>
> ProxyPreserveHost On
>
> RequestHeader Set X-Forwarded-Proto "https"
>
>
>
> </VirtualHost>
>
> </IfModule>
>
> ------------------------ Apache Configuration ----------------------------
>
>
>
>
>
> *De :* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Envoyé :* lundi 24 octobre 2016 08:08
> *À :* Vincent Sourin <sourin-v at bridgestone-bae.com>
> *Cc :* keycloak-user at lists.jboss.org
> *Objet :* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
>
>
>
> Is your proxy setting X-Forwarded-For, X-Forwarded-Proto and also
> preserving the preserving the original Host header?
>
>
>
> On 22 October 2016 at 13:19, Vincent Sourin <sourin-v at bridgestone-bae.com>
> wrote:
>
> Hello,
>
> I've got a strange behavior with Keycloak instance (version 2.2.1 Final)
> behind an Apache Reverse Proxy (with Mod_cluster).
>
> First of all, here is my test environment : https://postimg.org/image/
> z7xrb08ev/
>
> I think it's worth mention that :
>
> * Wildfly & keycloak are installed on the same servers but each in
> separate instances (not using overlay deployment)
>
> * mod_cluster is configured in http mode (not ajp) with
> mod_proxy_wstunnel activated because I use Websocket with wildfly
>
> So, in this configuration, applications deployed on wildfly instances work
> well but I got some problem with Keycloak.
> Reaching keycloak < auth > page (https://XXXXXXX/auth/) works fine but as
> soon as I click on the link < Aministration Console > (resolved normally to
> https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to
> plain http connection and so the request failed.
>
> If I browse directly to https://XXXXXXX/auth/admin/ my browser complains
> about < some insecured items on the page > and I can't reach the console
> neither.
>
> Here a a snippet of my keycloak configuration :
>
> <subsystem xmlns="urn:jboss:domain:undertow:3.0">
> <server name="default-server">
> <http-listener name="default" proxy-address-forwarding="true"
> socket-binding="http" redirect-socket="proxy-https"/>
> <https-listener name="https"
> enabled-protocols="TLSv1.2" security-realm="UndertowRealm"
> socket-binding="https"/>
> [...]
> </subsystem>
> [...]
> <subsystem xmlns="urn:jboss:domain:modcluster:2.0">
> <mod-cluster-config advertise-socket="modcluster"
> connector="default">
> <dynamic-load-provider>
> <load-metric type="cpu"/>
> </dynamic-load-provider>
> </mod-cluster-config>
> </subsystem>
> [...]
> <socket-binding-groups>
> <socket-binding-group name="ha-sockets" default-interface="public">
> [...]
> <socket-binding name="proxy-https" port="443"/>
> [...]
> </socket-binding-group>
> </socket-binding-groups>
>
> Can someone tell me what I'm doing wrong or give me the right direction to
> further investigate this behavior ?
>
> Thanks for your help.
>
> Vincent.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
More information about the keycloak-user
mailing list