[keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Vincent Sourin sourin-v at bridgestone-bae.com
Tue Oct 25 04:05:41 EDT 2016 

All the URLs at the given address contain https and  the reverse proxy hostname.

Sourin Vincent - Systems Engineer
Bridgestone Aircraft Tire (Europe)
Route de Bavay - B7080 Frameries (Belgium)
Tel: +32 65 61 11 53 - Fax: +32 65 61 11 09
GSM : +32 492 97 44 99

De : Stian Thorgersen [mailto:sthorger at redhat.com]
Envoyé : mardi 25 octobre 2016 09:49
À : Vincent Sourin <sourin-v at bridgestone-bae.com>
Cc : keycloak-user at lists.jboss.org
Objet : Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Try:

https://<hostname>/auth/realms/master/.well-known/openid-configuration<https://%3chostname%3e/auth/realms/master/.well-known/openid-configuration>

And check the URLs in the page. They should contain https and correct hostname (for your reverse proxy, not Keycloak). If not there's an issue with your reverse proxy or it's not configured correctly in Keycloak server. Check the installation guide for more details.

On 24 October 2016 at 21:38, Vincent Sourin <sourin-v at bridgestone-bae.com<mailto:sourin-v at bridgestone-bae.com>> wrote:
Yes I think X-Forwarded-* Headers and preservation of original host are set.

Actually, I’m not really a « network » guy. So for testing purpose, I use the bundle (httpd + ssl ) provided on mod_cluster website.
I « tweak » the configuration to try to achieve SSL Termination and Websocket like this :

------------------------ Apache Configuration ----------------------------
ServerRoot "/opt/jboss/httpd/httpd"

LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
[…]
LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so

<IfModule unixd_module>
User daemon
Group daemon
</IfModule>

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
<Directory "/opt/jboss/httpd/htdocs/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"
LogLevel  warn

<IfModule log_config_module>
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    SetEnvIf Request_URI "^/check\.txt$" dontlog
    CustomLog "logs/access.log" combined env=!dontlog
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"
</IfModule>

<IfModule cgid_module>
</IfModule>

<Directory "/opt/jboss/httpd/htdocs/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>

<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
EnableWsTunnel

Listen XXXXXXXX:443
<VirtualHost *:443>
    ServerName XXXXXXXXXXXXXXX

    CreateBalancers 0

     <Location /mcm>
        AllowDisplay On
        SetHandler mod_cluster-manager
        Require ip 10.10
    </Location>

    <Location /check.txt>
       ProxyPass !
    </Location>

    SSLEngine on
    SSLProtocol  all -SSLv2
    SSLHonorCipherOrder on
    SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
    SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
    SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
    SSLVerifyClient none

    ProxyPreserveHost On
    RequestHeader Set X-Forwarded-Proto "https"

</VirtualHost>

<IfModule manager_module>
  Listen XXXXXXXXX:6666
  <VirtualHost *:6666>
    ServerName XXXXXXXXXXXXXXXXX

    <Location />
     Require ip 10.10
    </Location>

    AllowDisplay On
    KeepAliveTimeout 300
    MaxKeepAliveRequests 0
    ServerAdvertise on
    AdvertiseFrequency 5
    AdvertiseGroup 224.0.1.205:24364<http://224.0.1.205:24364>
    EnableMCPMReceive
    ManagerBalancerName mycluster

    ProxyPreserveHost On
    RequestHeader Set X-Forwarded-Proto "https"

  </VirtualHost>
</IfModule>
------------------------ Apache Configuration ----------------------------


De : Stian Thorgersen [mailto:sthorger at redhat.com<mailto:sthorger at redhat.com>]
Envoyé : lundi 24 octobre 2016 08:08
À : Vincent Sourin <sourin-v at bridgestone-bae.com<mailto:sourin-v at bridgestone-bae.com>>
Cc : keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Objet : Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Is your proxy setting  X-Forwarded-For, X-Forwarded-Proto and also preserving the preserving the original Host header?

On 22 October 2016 at 13:19, Vincent Sourin <sourin-v at bridgestone-bae.com<mailto:sourin-v at bridgestone-bae.com>> wrote:
Hello,

I've got a strange behavior with Keycloak instance (version 2.2.1 Final) behind an Apache Reverse Proxy (with Mod_cluster).

First of all, here is my test environment : https://postimg.org/image/z7xrb08ev/

I think it's worth mention that :

*         Wildfly & keycloak are installed on the same servers but each in separate instances (not using overlay deployment)

*         mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel activated because I use Websocket with wildfly

So, in this configuration, applications deployed on wildfly instances work well but I got some problem with Keycloak.
Reaching keycloak < auth > page (https://XXXXXXX/auth/) works fine but as soon as I click on the link < Aministration Console > (resolved normally to https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to plain http connection and so the request failed.

If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about < some insecured items on the page > and I can't reach the console neither.

Here a a snippet of my keycloak configuration :

<subsystem xmlns="urn:jboss:domain:undertow:3.0">
                <server name="default-server">
                 <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
                    <https-listener name="https" enabled-protocols="TLSv1.2" security-realm="UndertowRealm" socket-binding="https"/>
                   [...]
</subsystem>
[...]
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
                <mod-cluster-config advertise-socket="modcluster" connector="default">
                    <dynamic-load-provider>
                        <load-metric type="cpu"/>
                    </dynamic-load-provider>
</mod-cluster-config>
</subsystem>
[...]
<socket-binding-groups>
        <socket-binding-group name="ha-sockets" default-interface="public">
            [...]
           <socket-binding name="proxy-https" port="443"/>
            [...]
        </socket-binding-group>
    </socket-binding-groups>

Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior ?

Thanks for your help.

Vincent.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list