[keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
Stian Thorgersen
sthorger at redhat.com
Tue Oct 25 05:58:34 EDT 2016
Strange. I can't see why that should ever redirect to non-https. Can you
capture the requests that are being sent after you click on the link to see
where/when the redirect to non-https is coming into play?
On 25 October 2016 at 11:24, Vincent Sourin <sourin-v at bridgestone-bae.com>
wrote:
> No, it is the link <a href="admin/">Administration Console</a>
>
> I made a screenshot here : https://postimg.org/image/5q6vg95iz/482e5a3f/
>
>
>
> Sourin Vincent - Systems Engineer
>
> Bridgestone Aircraft Tire (Europe)
>
> Route de Bavay - B7080 Frameries (Belgium)
>
> Tel: +32 65 61 11 53 - Fax: +32 65 61 11 09
>
> GSM : +32 492 97 44 99
>
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday 25 October 2016 10:38
>
> *To:* Vincent Sourin <sourin-v at bridgestone-bae.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
>
>
>
> What specific link on the "welcome page" are you referring to? Is it the
> link in the text "You need local access to create the initial admin user.
> Open <a href="http://localhost:8080/auth">http://localhost:8080/auth</a>
> or use the add-user-keycloak script."?
>
>
>
> On 25 October 2016 at 10:05, Vincent Sourin <sourin-v at bridgestone-bae.com>
> wrote:
>
> All the URLs at the given address contain https and the reverse proxy
> hostname.
>
>
>
> Sourin Vincent - Systems Engineer
>
> Bridgestone Aircraft Tire (Europe)
>
> Route de Bavay - B7080 Frameries (Belgium)
>
> Tel: +32 65 61 11 53 - Fax: +32 65 61 11 09
>
> GSM : +32 492 97 44 99
>
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday 25 October 2016 09:49
>
>
> *To:* Vincent Sourin <sourin-v at bridgestone-bae.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
>
>
>
> Try:
>
>
>
> https://<hostname>/auth/realms/master/.well-known/openid-configuration
>
>
>
> And check the URLs in the page. They should contain https and correct
> hostname (for your reverse proxy, not Keycloak). If not there's an issue
> with your reverse proxy or it's not configured correctly in Keycloak
> server. Check the installation guide for more details.
>
>
>
> On 24 October 2016 at 21:38, Vincent Sourin <sourin-v at bridgestone-bae.com>
> wrote:
>
> Yes, I think the X-Forwarded-* headers and preservation of the original host
> are set.
>
>
>
> Actually, I'm not really a "network" guy, so for testing purposes I use
> the bundle (httpd + ssl) provided on the mod_cluster website.
>
> I "tweak" the configuration to try to achieve SSL termination and
> WebSocket like this:
>
>
>
> ------------------------ Apache Configuration ----------------------------
>
> ServerRoot "/opt/jboss/httpd/httpd"
>
> LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
> […]
> LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so
>
> <IfModule unixd_module>
> User daemon
> Group daemon
> </IfModule>
>
> <Directory />
> AllowOverride none
> Require all denied
> </Directory>
>
> DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
> <Directory "/opt/jboss/httpd/htdocs/htdocs">
> Options Indexes FollowSymLinks
> AllowOverride None
> Require all granted
> </Directory>
>
> <IfModule dir_module>
> DirectoryIndex index.html
> </IfModule>
>
> <Files ".ht*">
> Require all denied
> </Files>
>
> ErrorLog "logs/error_log"
> LogLevel warn
>
> <IfModule log_config_module>
> LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
> <IfModule logio_module>
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
> </IfModule>
> SetEnvIf Request_URI "^/check\.txt$" dontlog
> CustomLog "logs/access.log" combined env=!dontlog
> </IfModule>
>
> <IfModule alias_module>
> ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"
> </IfModule>
>
> <IfModule cgid_module>
> </IfModule>
>
> <Directory "/opt/jboss/httpd/htdocs/cgi-bin">
> AllowOverride None
> Options None
> Require all granted
> </Directory>
>
> <IfModule mime_module>
> TypesConfig conf/mime.types
> AddType application/x-compress .Z
> AddType application/x-gzip .gz .tgz
> </IfModule>
>
> <IfModule proxy_html_module>
> Include conf/extra/proxy-html.conf
> </IfModule>
>
> <IfModule ssl_module>
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> </IfModule>
>
> MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
> SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
> EnableWsTunnel
>
> Listen XXXXXXXX:443
> <VirtualHost *:443>
> ServerName XXXXXXXXXXXXXXX
>
> CreateBalancers 0
>
> <Location /mcm>
> AllowDisplay On
> SetHandler mod_cluster-manager
> Require ip 10.10
> </Location>
>
> <Location /check.txt>
> ProxyPass !
> </Location>
>
> SSLEngine on
> SSLProtocol all -SSLv2
> SSLHonorCipherOrder on
> SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
> SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
> SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
> SSLVerifyClient none
>
> ProxyPreserveHost On
> RequestHeader Set X-Forwarded-Proto "https"
>
> </VirtualHost>
>
> <IfModule manager_module>
> Listen XXXXXXXXX:6666
> <VirtualHost *:6666>
> ServerName XXXXXXXXXXXXXXXXX
>
> <Location />
> Require ip 10.10
> </Location>
>
> AllowDisplay On
> KeepAliveTimeout 300
> MaxKeepAliveRequests 0
> ServerAdvertise on
> AdvertiseFrequency 5
> AdvertiseGroup 224.0.1.205:24364
> EnableMCPMReceive
> ManagerBalancerName mycluster
>
> ProxyPreserveHost On
> RequestHeader Set X-Forwarded-Proto "https"
>
> </VirtualHost>
> </IfModule>
>
> ------------------------ Apache Configuration ----------------------------
>
>
>
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Monday 24 October 2016 08:08
> *To:* Vincent Sourin <sourin-v at bridgestone-bae.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
>
>
>
> Is your proxy setting X-Forwarded-For, X-Forwarded-Proto and also
> preserving the original Host header?
>
>
>
> On 22 October 2016 at 13:19, Vincent Sourin <sourin-v at bridgestone-bae.com>
> wrote:
>
> Hello,
>
> I've got a strange behavior with a Keycloak instance (version 2.2.1 Final)
> behind an Apache reverse proxy (with mod_cluster).
>
> First of all, here is my test environment: https://postimg.org/image/z7xrb08ev/
>
> I think it's worth mentioning that:
>
> * Wildfly & Keycloak are installed on the same servers, but each in
> separate instances (not using the overlay deployment)
>
> * mod_cluster is configured in http mode (not ajp) with
> mod_proxy_wstunnel activated, because I use WebSocket with Wildfly
>
> So, in this configuration, applications deployed on the Wildfly instances
> work well, but I have some problems with Keycloak.
> Reaching the Keycloak "auth" page (https://XXXXXXX/auth/) works fine, but as
> soon as I click on the link "Administration Console" (resolved normally to
> https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to a
> plain http connection and so the request fails.
>
> If I browse directly to https://XXXXXXX/auth/admin/, my browser complains
> about "some insecure items on the page" and I can't reach the console
> either.
>
> Here is a snippet of my Keycloak configuration:
>
> <subsystem xmlns="urn:jboss:domain:undertow:3.0">
> <server name="default-server">
> <http-listener name="default" proxy-address-forwarding="true"
> socket-binding="http" redirect-socket="proxy-https"/>
> <https-listener name="https"
> enabled-protocols="TLSv1.2" security-realm="UndertowRealm"
> socket-binding="https"/>
> [...]
> </subsystem>
> [...]
> <subsystem xmlns="urn:jboss:domain:modcluster:2.0">
> <mod-cluster-config advertise-socket="modcluster"
> connector="default">
> <dynamic-load-provider>
> <load-metric type="cpu"/>
> </dynamic-load-provider>
> </mod-cluster-config>
> </subsystem>
> [...]
> <socket-binding-groups>
> <socket-binding-group name="ha-sockets" default-interface="public">
> [...]
> <socket-binding name="proxy-https" port="443"/>
> [...]
> </socket-binding-group>
> </socket-binding-groups>
>
> Can someone tell me what I'm doing wrong, or point me in the right direction
> to investigate this behavior further?
>
> Thanks for your help.
>
> Vincent.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
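The two checks suggested in this thread (inspect the realm's .well-known/openid-configuration for https URLs carrying the proxy's hostname, and capture the redirect chain to see where the step down to http enters) can be scripted, as can the question of which forwarding headers actually reach the backend. The script below is an added example and is not code from the thread or from the Keycloak project. The public hostname sso.example.com, the backend name keycloak-1.internal, the sample discovery document and the sample redirect chain are all constructed for illustration; the live fetch helper is the only part that touches the network and is not needed for the offline checks.

```python
"""Offline checks for Keycloak behind a TLS-terminating reverse proxy.

Added example; not code from the thread or from the Keycloak project.
The hostnames and the sample data below are constructed for illustration.
"""
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

PUBLIC_HOST = "sso.example.com"  # assumed public hostname of the proxy

# Constructed discovery document: one endpoint leaks the backend's own
# http URL, which is what you see when X-Forwarded-Proto / Host are lost.
SAMPLE_DISCOVERY = {
    "issuer": "https://sso.example.com/auth/realms/master",
    "authorization_endpoint": "https://sso.example.com/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://keycloak-1.internal:8080/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://sso.example.com/auth/realms/master/protocol/openid-connect/certs",
    "response_types_supported": ["code", "token"],
}

# Constructed redirect chain as (request_url, status, Location header):
# the admin console entry point answers with an http Location.
SAMPLE_CHAIN = [
    ("https://sso.example.com/auth/", 200, None),
    ("https://sso.example.com/auth/admin/", 302,
     "http://sso.example.com/auth/admin/master/console/"),
]


def find_bad_discovery_urls(discovery, expected_host):
    """Return (key, url) for every issuer/endpoint/URI value that is not
    https on expected_host."""
    bad = []
    for key, value in discovery.items():
        if not isinstance(value, str):
            continue
        if key != "issuer" and not key.endswith(("_endpoint", "_uri")):
            continue
        parts = urlsplit(value)
        if parts.scheme != "https" or parts.hostname != expected_host:
            bad.append((key, value))
    return bad


def find_downgrade(chain):
    """Return the first redirect hop whose Location leaves https, else None.
    A relative Location inherits the scheme of the request URL."""
    for url, status, location in chain:
        if status in (301, 302, 303, 307, 308) and location:
            scheme = urlsplit(location).scheme or urlsplit(url).scheme
            if scheme != "https":
                return (url, status, location)
    return None


def missing_proxy_headers(backend_headers, public_host):
    """Given the request headers Keycloak actually receives from the proxy
    (e.g. from an access log on port 8080), list what is wrong."""
    h = {k.lower(): v for k, v in backend_headers.items()}
    problems = []
    if h.get("x-forwarded-proto") != "https":
        problems.append("X-Forwarded-Proto is not 'https'")
    if "x-forwarded-for" not in h:
        problems.append("X-Forwarded-For is missing")
    if h.get("host", "").split(":")[0] != public_host:
        problems.append("Host is %r, expected %r (ProxyPreserveHost On)"
                        % (h.get("host"), public_host))
    return problems


def fetch_discovery(base_url, realm="master"):
    """Live helper: GET the realm's discovery document through the proxy."""
    url = "%s/auth/realms/%s/.well-known/openid-configuration" % (base_url, realm)
    with urlopen(url) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for key, url in find_bad_discovery_urls(SAMPLE_DISCOVERY, PUBLIC_HOST):
        print("discovery: %s -> %s" % (key, url))
    hop = find_downgrade(SAMPLE_CHAIN)
    if hop:
        print("downgrade: %s answered %d with Location: %s" % hop)
    seen = {"Host": "keycloak-1.internal:8080", "X-Forwarded-For": "203.0.113.5"}
    for problem in missing_proxy_headers(seen, PUBLIC_HOST):
        print("headers: " + problem)
```

Run the offline checks as-is, or replace SAMPLE_DISCOVERY with `fetch_discovery("https://<your-proxy>")` to test a real deployment. A clean discovery document together with an http Location on the admin console request narrows the problem to the path of that single redirect, which is where a request capture (browser developer tools or a tcpdump on the backend's port 8080) should be taken.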