[keycloak-user] Services behind a Proxy that offloads SSL

Malte Finsterwalder inofi at gmx.net
Mon Dec 4 08:54:27 EST 2017


Thanks for your help!

That was the right track, but I use a different server.
I managed to configure something in my JBoss EAP 6 (JBoss AS 7) using the
following CLI to configure a Valve:

/subsystem=web/valve=RemoteIPValve/:add(module=org.jboss.as.web,class-name=org.apache.catalina.valves.RemoteIpValve)
/subsystem=web/valve=RemoteIPValve:add-param(param-name=remoteIpHeader,param-value=x-forwarded-for)
/subsystem=web/valve=RemoteIPValve:add-param(param-name=protocolHeader,param-value=x-forwarded-proto)
/subsystem=web/valve=RemoteIPValve:add-param(param-name=protocolHeaderHttpsValue,param-value=https)

Greetings,
   Malte

On 28 November 2017 at 15:22, Dmitry Telegin <mitya at cargosoft.ru> wrote:

> Malte,
>
> As the guys have already noticed, you need to make sure that your
> *service* is proxy-aware, i.e. it has to be configured to recognize
> https://service.x.org as a legitimate external address.
>
> If your service is deployed to JBoss/Wildfly, you should do the
> following on the target server (not Keycloak):
>
>     <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>         <server name="default-server">
>             <http-listener name="default"
>                 socket-binding="http"
>                 redirect-socket="https"
>                 proxy-address-forwarding="true"
>                 enable-http2="true"/>
>             ...
>         </server>
>         ...
>     </subsystem>
>
> Just FYI, for Tomcat/TomEE this is done like that:
>
>     <Service name="Catalina">
>         <Connector
>             protocol="HTTP/1.1"
>             port="8085"
>             ...
>             redirectPort="8443"
>             scheme="https" secure="true"
>             proxyName="service.x.org"
>             proxyPort="443"
>             />
>         ....
>     </Service>
>
> Also make sure that on the HAProxy side forwarding of X-Forwarded-*
> headers is turned on.
>
> Regards,
> Dmitry
>
> On Tue, 28/11/2017 at 13:28 +0100, Malte Finsterwalder wrote:
> > Thanks for this reference.
> > But it still doesn't solve my problem.
> > I see I need to describe a little more, what my setup is and what my
> > problem is.
> >
> > We use HAProxy.
> > I have one URL for my keycloak, say: https://keycloak.x.org
> > I have another URL for my service, say: https://service.x.org
> > These URLs go to HAProxy, which offloads SSL and then directs traffic
> > as HTTP to the servers, which are run in a Kubernetes Cluster.
> >
> > My keycloak.json file stored in the service is as follows:
> >
> > {
> >   "realm": "myrealm",
> >   "auth-server-url": "https://keycloak.x.org/auth",
> >   "ssl-required": "all",
> >   "resource": "my-client",
> >   "principal-attribute": "preferred_username",
> >   "public-client": true,
> >   "truststore" : "/truststore.jks",
> >   "truststore-password" : "mytruststorepassword"
> > }
> >
> > I open the service: "https://service.x.org/somepage" in my browser.
> > I get redirected to Keycloak for authentication with this URL:
> > https://keycloak.x.org/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=http%3A%2F%2Fservice.x.org%2Fsomepage%2F&state=....&login=true&scope=openid
> > Keycloak is accessed via https, as stated in the keycloak.json file.
> > But as you can see, the embedded redirect_uri is http, not https.
> > After Keycloak authenticated the user, keycloak issues a redirect to
> > http://service.x.org/somepage and not https://service.x.org/somepage
> > So after authentication my service is accessed via http and not https
> > anymore.
> >
> > Keycloak's standalone.xml is configured as described in the setup for
> > Apache2 you sent me:
> >
> >         <subsystem xmlns="urn:jboss:domain:undertow:3.1">
> >             <buffer-cache name="default"/>
> >             <server name="default-server">
> >                 <http-listener proxy-address-forwarding="true"
> >                                name="default"
> >                                socket-binding="http"
> >                                redirect-socket="https"/>
> >                 <host name="default-host" alias="localhost">
> >                     <location name="/" handler="welcome-content"/>
> >                     <filter-ref name="server-header"/>
> >                     <filter-ref name="x-powered-by-header"/>
> >                 </host>
> >             </server>
> >             <servlet-container name="default">
> >                 <jsp-config/>
> >                 <websockets/>
> >             </servlet-container>
> >             <handlers>
> >                 <file name="welcome-content"
> >                       path="${jboss.home.dir}/welcome-content"/>
> >             </handlers>
> >             <filters>
> >                 <response-header name="server-header"
> >                                  header-name="Server"
> >                                  header-value="JBoss-EAP/7"/>
> >                 <response-header name="x-powered-by-header"
> >                                  header-name="X-Powered-By"
> >                                  header-value="Undertow/1"/>
> >             </filters>
> >         </subsystem>
> >
> >
> >     <socket-binding-group name="standard-sockets"
> >                           default-interface="public"
> >                           port-offset="${jboss.socket.binding.port-offset:0}">
> >         ....
> >         <socket-binding name="https" port="${jboss.https.port:8443}"/>
> >         ....
> >     </socket-binding-group>
> >
> > Does that make things clearer?
> >
> > What am I missing?!
> >
> > Thanks for your help,
> >    Malte
> >
> > On 28 November 2017 at 11:07, Matthew Broadhead
> > <matthew.broadhead at nbmlaw.co.uk> wrote:
> >
> > > which proxy are you using?  this guide helped me proxy behind apache2
> > > http://markus.co/howto/2017/07/27/keycloak-apache.html
> > >
> > > On 28/11/2017 10:57, Malte Finsterwalder wrote:
> > > > Thanks for your help, but I can't find anything helpful in the
> > > > docs. I scanned the complete documentation and read a lot of it.
> > > > Could you point me to a particular chapter?
> > > >
> > > > To clarify: I don't have a problem with Keycloak being behind a
> > > > proxy that offloads SSL.
> > > >
> > > > I have a problem with the service being behind a proxy. The
> > > > service itself is accessed via HTTP, since SSL is offloaded on the
> > > > Proxy. The client adapter then creates a redirect URL as HTTP, not
> > > > HTTPS, and passes that to Keycloak. So when Keycloak redirects back
> > > > to the service, it uses the HTTP URL provided by the client
> > > > adapter, which is "wrong".
> > > >
> > > > Thanks,
> > > >     Malte
> > > >
> > > > On 27 November 2017 at 20:26, Stian Thorgersen
> > > > <sthorger at redhat.com> wrote:
> > > >
> > > > > Read the docs. There's a section on how to configure Keycloak
> > > > > properly when you're using a reverse proxy.
> > > > >
> > > > > On 27 November 2017 at 17:31, Malte Finsterwalder
> > > > > <inofi at gmx.net> wrote:
> > > > >
> > > > > > Hi there,
> > > > > >
> > > > > > I have a service running in a JBoss server that I want to
> > > > > > secure via the keycloak adapter.
> > > > > > The server is behind a proxy that offloads SSL, so the server
> > > > > > itself gets traffic as http.
> > > > > > When the server redirects to keycloak for authentication, the
> > > > > > redirect URL supplied to keycloak is http, not https. How can I
> > > > > > ensure that a redirect URL is an https URL?
> > > > > >
> > > > > > Greetings,
> > > > > >     Malte
> > > > > > _______________________________________________
> > > > > > keycloak-user mailing list
> > > > > > keycloak-user at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > >
> > > >
> > >
> >
>

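The scheme decision this whole thread turns on, as an added Python model (not Keycloak, JBoss, Tomcat or HAProxy code): the container only rewrites the request scheme from X-Forwarded-Proto when it is configured to be proxy-aware and the TCP peer is a trusted proxy, and the Keycloak adapter then builds redirect_uri from that scheme. The trusted range 10.0.0.0/8, the peer addresses and the state value are constructed assumptions; the endpoint and parameters are the ones quoted in the thread.

```python
import ipaddress
from urllib.parse import urlencode

# Constructed model (not Keycloak/JBoss code) of how a proxy-aware container
# decides the request scheme before the Keycloak adapter builds redirect_uri.
# The proxy range is an assumption standing in for the valve's trusted-proxy list.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
AUTH_ENDPOINT = "https://keycloak.x.org/auth/realms/myrealm/protocol/openid-connect/auth"


def effective_scheme(peer_ip, headers, proxy_aware):
    """Scheme the application should believe the browser used.

    X-Forwarded-Proto is honoured only when the container is configured for it
    (RemoteIpValve / proxy-address-forwarding) AND the TCP peer is a trusted
    proxy; otherwise the offloaded scheme, plain http, is what the app sees.
    """
    if not proxy_aware:
        return "http"
    if not any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return "http"  # header sent by an untrusted peer is ignored
    return "https" if headers.get("x-forwarded-proto", "").lower() == "https" else "http"


def redirect_uri(peer_ip, headers, path, proxy_aware):
    """redirect_uri the adapter would embed for this request."""
    scheme = effective_scheme(peer_ip, headers, proxy_aware)
    return f"{scheme}://{headers.get('host', '')}{path}"


def auth_url(redirect, client_id="my-client", state="constructed-state"):
    """Authorization request the adapter redirects the browser to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect,
        "state": state,
        "login": "true",
        "scope": "openid",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


if __name__ == "__main__":
    hdrs = {"host": "service.x.org", "x-forwarded-proto": "https"}
    # Not proxy-aware: the thread's symptom, redirect_uri comes out as http
    print(auth_url(redirect_uri("10.1.2.3", hdrs, "/somepage/", False)))
    # Proxy-aware and the peer is HAProxy: redirect_uri comes out as https
    print(auth_url(redirect_uri("10.1.2.3", hdrs, "/somepage/", True)))
```

The third case in the test, a header arriving from a peer outside the trusted range, shows why the valve's proxy list matters: a forwarded scheme is only as trustworthy as the hop that set it.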
