[keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Vincent Sourin sourin-v at bridgestone-bae.com
Tue Oct 25 07:10:05 EDT 2016


Arf, yes my bad, I tried to sanitize the logs and missed this one …
I think the problem comes from the missing headers.
I'll investigate this and keep you posted.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, 25 October 2016 12:35
To: Vincent Sourin <sourin-v at bridgestone-bae.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Did you replace some values in what you pasted? In the second request it's also showing a strange value for Host:

header=Referer=https://as.mydomain.com/auth/
header=Host=as.bridgestone-bae.corp

Referer is as.mydomain.com, but it's trying to get as.bridgestone-bae.corp. And yes, the X-Forwarded-* headers are also missing.

On 25 October 2016 at 12:31, Vincent Sourin <sourin-v at bridgestone-bae.com> wrote:
Here are the captured packets dumped by Undertow.
Strangely, on the second request I don't see any X-Forwarded-* header in the request.
I don't think it's normal?

1/ First when browsing to https://as.mydomain.com/auth

==============================================================
2016-10-25 12:23:59,164 INFO  [io.undertow.request.dump] (default task-3)
----------------------------REQUEST---------------------------
               URI=/auth/
characterEncoding=null
     contentLength=-1
       contentType=null
            header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
            header=Accept-Encoding=gzip, deflate, br
            header=X-Forwarded-Server=webserver.mydomain.com
            header=Upgrade=WebSocket
            header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
            header=Connection=Upgrade
            header=X-Forwarded-Proto=https
            header=X-Forwarded-For=10.10.0.89
            header=Upgrade-Insecure-Requests=1
            header=Host=as.mydomain.com
            header=X-Forwarded-Host=as.mydomain.com
            locale=[fr, fr_FR, en_US, en]
            method=GET
          protocol=HTTP/1.1
       queryString=
        remoteAddr=10.10.0.89:0
        remoteHost=10.10.0.89
            scheme=https
              host=as.mydomain.com
        serverPort=0
--------------------------RESPONSE--------------------------
     contentLength=2740
       contentType=text/html;charset=utf-8
            header=Cache-Control=no-cache, must-revalidate, no-transform, no-store
            header=X-Powered-By=Undertow/1
            header=Server=WildFly/10
            header=X-Frame-Options=SAMEORIGIN
            header=Content-Security-Policy=frame-src 'self'
            header=Date=Tue, 25 Oct 2016 10:23:59 GMT
            header=Connection=keep-alive
            header=X-Content-Type-Options=nosniff
            header=Content-Type=text/html;charset=utf-8
            header=Content-Length=2740
            status=200

2/ Then, when clicking the Administration console link on the auth page:

==============================================================
2016-10-25 12:24:11,069 INFO  [io.undertow.request.dump] (default task-4)
----------------------------REQUEST---------------------------
               URI=/auth/admin/
characterEncoding=null
     contentLength=-1
       contentType=null
            header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            header=Connection=keep-alive
            header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
            header=Accept-Encoding=gzip, deflate, br
            header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
            header=Referer=https://as.mydomain.com/auth/
            header=Upgrade-Insecure-Requests=1
            header=Host=as.bridgestone-bae.corp
            locale=[fr, fr_FR, en_US, en]
            method=GET
          protocol=HTTP/1.1
       queryString=
        remoteAddr=/10.10.2.134:47440
        remoteHost=webserver.mydomain.com
            scheme=http
              host=as.mydomain.com
        serverPort=18080
--------------------------RESPONSE--------------------------
     contentLength=0
       contentType=null
            header=Connection=keep-alive
            header=X-Powered-By=Undertow/1
            header=Server=WildFly/10
            header=Location=http://as.mydomain.com/auth/admin/master/console/
            header=Content-Length=0
            header=Date=Tue, 25 Oct 2016 10:24:11 GMT
            status=302

Sourin Vincent - Systems Engineer
Bridgestone Aircraft Tire (Europe)
Route de Bavay - B7080 Frameries (Belgium)
Tel: +32 65 61 11 53 - Fax: +32 65 61 11 09
GSM: +32 492 97 44 99
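The observation above (no X-Forwarded-* headers, wrong Host and a plain-http scheme on the second request) can be checked mechanically. The following is an added example, not code from the thread: it parses the `io.undertow.request.dump` format shown above and lists what is wrong with one request; the two sample dumps are constructed, abridged copies of the ones posted, and `as.mydomain.com` is assumed to be the reverse proxy's public name.

```python
# Added example: checker for Undertow io.undertow.request.dump output.
REQUIRED = ("X-Forwarded-For", "X-Forwarded-Proto", "X-Forwarded-Host")

def parse_request(dump):
    """Return (headers, fields) from the REQUEST half of one dump entry."""
    headers, fields = {}, {}
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("-") and "RESPONSE" in line:
            break                                  # response half not needed
        if line.startswith("header="):
            _, name, value = line.split("=", 2)    # header=Name=Value
            headers[name.lower()] = value
        elif "=" in line and not line.startswith("-"):
            key, value = line.split("=", 1)        # e.g. scheme=https
            fields[key] = value
    return headers, fields

def proxy_findings(dump, expected_host):
    """List what is wrong with one request's proxy headers; [] means fine."""
    headers, fields = parse_request(dump)
    findings = ["missing " + h for h in REQUIRED if h.lower() not in headers]
    scheme = fields.get("scheme")
    proto = headers.get("x-forwarded-proto")
    if scheme != "https":
        findings.append("scheme is %s, not https" % scheme)
    if proto and proto != scheme:                  # proxy-address-forwarding off?
        findings.append("X-Forwarded-Proto %s but scheme %s" % (proto, scheme))
    host = headers.get("host")
    if host != expected_host:
        findings.append("Host is %s, expected %s" % (host, expected_host))
    return findings

# Constructed samples, abridged from the two dumps posted in the thread.
GOOD_DUMP = """\
----------------------------REQUEST---------------------------
            header=X-Forwarded-Proto=https
            header=X-Forwarded-For=10.10.0.89
            header=Host=as.mydomain.com
            header=X-Forwarded-Host=as.mydomain.com
            scheme=https
--------------------------RESPONSE--------------------------
"""
BAD_DUMP = """\
----------------------------REQUEST---------------------------
            header=Referer=https://as.mydomain.com/auth/
            header=Host=as.bridgestone-bae.corp
            scheme=http
--------------------------RESPONSE--------------------------
"""
```

Running `proxy_findings(BAD_DUMP, "as.mydomain.com")` reports the three missing headers, the http scheme and the Host mismatch, while the first request passes clean.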

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, 25 October 2016 11:59

To: Vincent Sourin <sourin-v at bridgestone-bae.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Strange. I can't see why that should ever redirect to non-https. Can you capture the requests that are being sent after you click on the link to see where/when the redirect to non-https is coming into play?

On 25 October 2016 at 11:24, Vincent Sourin <sourin-v at bridgestone-bae.com> wrote:

No, it is the link <a href="admin/">Administration Console</a>
I made a screenshot here: https://postimg.org/image/5q6vg95iz/482e5a3f/


From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, 25 October 2016 10:38

To: Vincent Sourin <sourin-v at bridgestone-bae.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

What specific link on the "welcome page" are you referring to? Is it the link in the text "You need local access to create the initial admin user. Open <a href="http://localhost:8080/auth">http://localhost:8080/auth</a> or use the add-user-keycloak script."?

On 25 October 2016 at 10:05, Vincent Sourin <sourin-v at bridgestone-bae.com> wrote:
All the URLs at the given address contain https and the reverse proxy hostname.


From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, 25 October 2016 09:49

To: Vincent Sourin <sourin-v at bridgestone-bae.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Try:

https://<hostname>/auth/realms/master/.well-known/openid-configuration

And check the URLs in the page. They should contain https and the correct hostname (for your reverse proxy, not Keycloak). If not, there's an issue with your reverse proxy or it's not configured correctly in the Keycloak server. Check the installation guide for more details.
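The check suggested above can be scripted. This is an added example, not code from the thread or from Keycloak: `url_problems` takes a parsed discovery document and reports every URL whose scheme or host is not the one the browser uses to reach the reverse proxy, and `check_live` fetches the realm's `.well-known/openid-configuration` through the proxy (network needed). The sample document is constructed, with `as.mydomain.com` as the assumed proxy name and `as.bridgestone-bae.corp` as an assumed internal name.

```python
import json
from urllib.parse import urlparse
from urllib.request import urlopen

def url_problems(doc, expected_scheme, expected_host):
    """Map key -> URL for every URL in the discovery document whose scheme or
    host is not the one the browser reaches the reverse proxy with."""
    bad = {}
    for key, value in doc.items():
        if not isinstance(value, str) or "://" not in value:
            continue                      # lists such as grant_types_supported
        parts = urlparse(value)
        if parts.scheme != expected_scheme or parts.hostname != expected_host:
            bad[key] = value
    return bad

def check_live(base_url, realm="master"):
    """Fetch the realm's discovery document through the proxy and check it.
    Needs network access; base_url is the proxy's public origin."""
    url = "%s/auth/realms/%s/.well-known/openid-configuration" % (base_url, realm)
    with urlopen(url) as resp:
        doc = json.load(resp)
    base = urlparse(base_url)
    return url_problems(doc, base.scheme, base.hostname)

# Constructed sample of a discovery document from a deployment whose proxy
# headers are wrong: one endpoint leaks the plain-http scheme, another an
# internal hostname, instead of the proxy's public https name.
SAMPLE_DOC = {
    "issuer": "https://as.mydomain.com/auth/realms/master",
    "authorization_endpoint": "https://as.mydomain.com/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://as.mydomain.com/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://as.bridgestone-bae.corp/auth/realms/master/protocol/openid-connect/certs",
    "grant_types_supported": ["authorization_code", "implicit"],
}

if __name__ == "__main__":
    for key, url in url_problems(SAMPLE_DOC, "https", "as.mydomain.com").items():
        print("BAD %-24s %s" % (key, url))
```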

On 24 October 2016 at 21:38, Vincent Sourin <sourin-v at bridgestone-bae.com> wrote:
Yes, I think the X-Forwarded-* headers and preservation of the original Host are set.

Actually, I'm not really a "network" guy. So for testing purposes, I use the bundle (httpd + ssl) provided on the mod_cluster website.
I "tweaked" the configuration to try to achieve SSL termination and WebSocket like this:

------------------------ Apache Configuration ----------------------------
ServerRoot "/opt/jboss/httpd/httpd"

LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
[…]
LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so

<IfModule unixd_module>
User daemon
Group daemon
</IfModule>

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
<Directory "/opt/jboss/httpd/htdocs/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"
LogLevel  warn

<IfModule log_config_module>
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    SetEnvIf Request_URI "^/check\.txt$" dontlog
    CustomLog "logs/access.log" combined env=!dontlog
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"
</IfModule>

<IfModule cgid_module>
</IfModule>

<Directory "/opt/jboss/httpd/htdocs/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>

<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
EnableWsTunnel

Listen XXXXXXXX:443
<VirtualHost *:443>
    ServerName XXXXXXXXXXXXXXX

    CreateBalancers 0

    <Location /mcm>
        AllowDisplay On
        SetHandler mod_cluster-manager
        Require ip 10.10
    </Location>

    <Location /check.txt>
        ProxyPass !
    </Location>

    SSLEngine on
    SSLProtocol  all -SSLv2
    SSLHonorCipherOrder on
    SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
    SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
    SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
    SSLVerifyClient none

    ProxyPreserveHost On
    RequestHeader Set X-Forwarded-Proto "https"

</VirtualHost>

<IfModule manager_module>
  Listen XXXXXXXXX:6666
  <VirtualHost *:6666>
    ServerName XXXXXXXXXXXXXXXXX

    <Location />
     Require ip 10.10
    </Location>

    AllowDisplay On
    KeepAliveTimeout 300
    MaxKeepAliveRequests 0
    ServerAdvertise on
    AdvertiseFrequency 5
    AdvertiseGroup 224.0.1.205:24364
    EnableMCPMReceive
    ManagerBalancerName mycluster

    ProxyPreserveHost On
    RequestHeader Set X-Forwarded-Proto "https"

  </VirtualHost>
</IfModule>
------------------------ Apache Configuration ----------------------------


From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday, 24 October 2016 08:08
To: Vincent Sourin <sourin-v at bridgestone-bae.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Is your proxy setting X-Forwarded-For, X-Forwarded-Proto and also preserving the original Host header?

On 22 October 2016 at 13:19, Vincent Sourin <sourin-v at bridgestone-bae.com> wrote:
Hello,

I've got a strange behavior with a Keycloak instance (version 2.2.1 Final) behind an Apache reverse proxy (with mod_cluster).

First of all, here is my test environment: https://postimg.org/image/z7xrb08ev/

I think it's worth mentioning that:

* Wildfly & Keycloak are installed on the same servers but each in a separate instance (not using the overlay deployment)

* mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel activated because I use WebSocket with Wildfly

So, in this configuration, applications deployed on the Wildfly instances work well, but I have some problems with Keycloak.
Reaching the Keycloak "auth" page (https://XXXXXXX/auth/) works fine, but as soon as I click on the link "Administration Console" (resolved normally to https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to a plain http connection and so the request fails.

If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about "some insecure items on the page" and I can't reach the console either.

Here is a snippet of my Keycloak configuration:

<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <server name="default-server">
        <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
        <https-listener name="https" enabled-protocols="TLSv1.2" security-realm="UndertowRealm" socket-binding="https"/>
        [...]
</subsystem>
[...]
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
    <mod-cluster-config advertise-socket="modcluster" connector="default">
        <dynamic-load-provider>
            <load-metric type="cpu"/>
        </dynamic-load-provider>
    </mod-cluster-config>
</subsystem>
[...]
<socket-binding-groups>
    <socket-binding-group name="ha-sockets" default-interface="public">
        [...]
        <socket-binding name="proxy-https" port="443"/>
        [...]
    </socket-binding-group>
</socket-binding-groups>

Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior?

Thanks for your help.

Vincent.