[keycloak-user] Getting the client-IP behind a reverse proxy with HTTPS
Stuart Auchterlonie
stuarta at squashedfrog.net
Thu Jan 12 08:09:58 EST 2017
Hi,
I set the following headers with nginx and it works just fine.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
it might be because you are trying to use add_header
rather than proxy_set_header.
Regards
Stuart
On 11/01/17 18:46, Bruno Oliveira wrote:
> I never tried it with Keycloak, it may or may not work. But you can try to set
> on nginx 'set_real_ip_from' with 'real_ip_header'[1].
>
> [1] - http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
>
> On 2017-01-10, Olivier Bruylandt wrote:
>> Dear,
>>
>>
>> I get an issue to get the wanted behavior when retrieving the client public
>> IP.
>> This is the situation :
>> (all IP's have been anonymized)
>>
>>
>>
>> - *infrastructure level*:
>>
>> ----------- Reverse Proxy NGINX ----------------------------------- KeyCloak
>>
>> RP is listening on ports 80 & 443 (80 is redirected to 443)
>> There is a public certificate signed by some external CA
>> Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080)
>> Keycloak is set as standalone server on a Wildfly last version
>>
>>
>>
>>
>> - *Nginx config*
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> *server { listen 443; server_name ************;
>> fastcgi_param HTTPS on; location / { add_header
>> X-Cache-Status $upstream_cache_status; add_header X-Real-IP
>> $remote_addr; add_header X-Forwarded-For $remote_addr;
>> add_header X-Forwarded-Proto $scheme;
>> more_set_headers 'Server: ******'; more_clear_headers
>> 'X-Powered-By'; charset UTF-8; proxy_cache
>> ******_cache; proxy_pass https://1.1.1.1:8443/
>> <https://1.1.1.1:8443/>; }*
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> * ssl on; ssl_certificate /etc/ssl/private/**********.crt;
>> ssl_certificate_key /etc/ssl/private/*************.key;
>> ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/***********.pem;
>> ssl_protocols TLSv1.1 TLSv1.2; ssl_stapling on;
>> ssl_session_cache builtin:1000 shared:SSL:10m; add_header
>> Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
>> add_header X-Frame-Options "DENY"; ssl_ciphers
>> 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';*
>>
>>
>>
>>
>> - *Keycloak config* :
>>
>>
>> * <subsystem xmlns="urn:jboss:domain:undertow:3.0">*
>> * <buffer-cache name="default"/>*
>> * <server name="default-server">*
>>
>> * <http-listener
>> name="default" proxy-address-forwarding="true" socket-binding="http"/>*
>> * <https-listener name="https" security-realm="**********"
>> socket-binding="https"/>*
>> * <host name="default-host" alias="localhost">*
>> * <location name="/" handler="welcome-content"/>*
>> * </host>*
>> * </server>*
>> * <servlet-container name="default">*
>> * <jsp-config/>*
>> * <websockets/>*
>> * </servlet-container>*
>> * <handlers>*
>> * <file name="welcome-content"
>> path="${jboss.home.dir}/welcome-content"/>*
>> * </handlers>*
>> * </subsystem>*
>>
>>
>>
>>
>>
>>
>>
>> The situation is that everything is working fine and smooth EXCEPT ... the
>> fact that under sessions (and moreover for all user activities), the user
>> IP I see is the one of the reverse proxy !!
>> As I put in red in the KC config, this is what should do the trick to use
>> the X-Forwarded-For header value to set the client's IP.
>>
>> 15:07:55,104 WARN [org.keycloak.events] (default task-19)
>> type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account, userId=null,
>> ipAddress=2.2.2.2, (...)
>>
>>
>>
>> When I tried to reach KC on the 8080 (HTTP) listener (so the RP terminates
>> the SSL connection and the one to KC server is made in HTTP), I got
>> obviously a whole bunch of warnings and errors due to HTTP -> HTTPS
>> transport and also a HTTP connection towards the external social identity
>> providers like Google, FB, etc. ... BUT I got at least the real IP as you
>> might see hereunder :
>>
>> 15:09:24,068 WARN [org.keycloak.events] (default task-29)
>> type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null,
>> ipAddress=191.21.133.234, (...)
>>
>>
>>
>>
>>
>> So the situation is that I will only get the "real" IP of the client only
>> if it passes through the HTTP listener of KC (that has the parameter
>> "proxy-address-forwarding") which is not what I want as I want to reach the
>> HTTPS listener.
>> I obviously also tried to add the same parameter (*proxy-address-forwarding
>> = "true"*) in the HTTPS listener configuration but then, standalone.sh
>> shows an error and refuses to start :
>>
>>
>> *14:24:30,621 INFO [org.jboss.modules] (main) JBoss Modules version
>> 1.5.1.Final*
>> *14:24:30,821 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final*
>> *14:24:30,888 INFO [org.jboss.as <http://org.jboss.as/>] (MSC service
>> thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core 2.0.10.Final)
>> starting*
>> *14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread)
>> WFLYSRV0055: Caught exception during boot:
>> org.jboss.as.controller.persistence.ConfigurationPersistenceException:
>> WFLYCTL0085:
>> Failed to parse configuration*
>> * at
>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)*
>> * at org.jboss.as.server.ServerService.boot(ServerService.java:356)*
>> * at
>> org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)*
>> * at java.lang.Thread.run(Thread.java:745)*
>> *Caused by: javax.xml.stream.XMLStreamException: ParseError at
>> [row,col]:[380,17]*
>> *Message: WFLYCTL0376: Unexpected attribute 'proxy-address-forwarding'
>> encountered. Valid attributes are: 'socket-binding, worker, buffer-pool,
>> enabled, resolve-peer-address, security-realm, verify-client,
>> enabled-cipher-suites, enabled-protocols, enable-http2, enable-spdy,
>> ssl-session-cache-size, ssl-session-timeout, max-header-size,
>> max-post-size, buffer-pipelined-data, max-parameters, max-headers,
>> max-cookies, allow-encoded-slash, decode-url, url-charset,
>> always-set-keep-alive, max-buffered-request-size,
>> record-request-start-time, allow-equals-in-cookie-value,
>> no-request-timeout, request-parse-timeout, disallowed-methods, tcp-backlog,
>> receive-buffer, send-buffer, tcp-keep-alive, read-timeout, write-timeout,
>> max-connections, secure'*
>> * at
>> org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(ParseUtils.java:128)*
>>
>>
>>
>>
>>
>> *requirements* :
>>
>> - Entire solution has to run with SSL (HTTPS) from end to end
>>
>>
>>
>> Did someone already faced that situation or does have any clue about this ?
>> Thank you for reading this post.
>>
>> Regards,
>>
>>
>> /Olivier
>>
>> On 10 January 2017 at 11:52, Olivier Bruylandt <olivier.bruylandt at gmail.com>
>> wrote:
>>
>>> Dear,
>>>
>>>
>>> I get an issue to get the wanted behavior when retrieving the client
>>> public IP.
>>> This is the situation :
>>> (all IP's have been anonymized)
>>>
>>>
>>>
>>> - *infrastructure level*:
>>>
>>> ----------- Reverse Proxy NGINX -----------------------------------
>>> KeyCloak
>>>
>>> RP is listening on ports 80 & 443 (80 is redirected to 443)
>>> There is a public certificate signed by some external CA
>>> Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080)
>>> Keycloak is set as standalone server on a Wildfly last version
>>>
>>>
>>>
>>>
>>> - *Nginx config*
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *server { listen 443; server_name ************;
>>> fastcgi_param HTTPS on; location / { add_header
>>> X-Cache-Status $upstream_cache_status; add_header X-Real-IP
>>> $remote_addr; add_header X-Forwarded-For $remote_addr;
>>> add_header X-Forwarded-Proto $scheme;
>>> more_set_headers 'Server: ******'; more_clear_headers
>>> 'X-Powered-By'; charset UTF-8; proxy_cache
>>> ******_cache; proxy_pass https://1.1.1.1:8443/
>>> <https://1.1.1.1:8443/>; }*
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> * ssl on; ssl_certificate /etc/ssl/private/**********.crt;
>>> ssl_certificate_key /etc/ssl/private/*************.key;
>>> ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/***********.pem;
>>> ssl_protocols TLSv1.1 TLSv1.2; ssl_stapling on;
>>> ssl_session_cache builtin:1000 shared:SSL:10m; add_header
>>> Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
>>> add_header X-Frame-Options "DENY"; ssl_ciphers
>>> 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';*
>>>
>>>
>>>
>>>
>>> - *Keycloak config* :
>>>
>>>
>>> * <subsystem xmlns="urn:jboss:domain:undertow:3.0">*
>>> * <buffer-cache name="default"/>*
>>> * <server name="default-server">*
>>>
>>> * <http-listener
>>> name="default" proxy-address-forwarding="true" socket-binding="http"/>*
>>> * <https-listener name="https" security-realm="**********"
>>> socket-binding="https"/>*
>>> * <host name="default-host" alias="localhost">*
>>> * <location name="/" handler="welcome-content"/>*
>>> * </host>*
>>> * </server>*
>>> * <servlet-container name="default">*
>>> * <jsp-config/>*
>>> * <websockets/>*
>>> * </servlet-container>*
>>> * <handlers>*
>>> * <file name="welcome-content"
>>> path="${jboss.home.dir}/welcome-content"/>*
>>> * </handlers>*
>>> * </subsystem>*
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> The situation is that everything is working fine and smooth EXCEPT ... the
>>> fact that under sessions (and moreover for all user activities), the user
>>> IP I see is the one of the reverse proxy !!
>>> As I put in red in the KC config, this is what should do the trick to use
>>> the X-Forwarded-For header value to set the client's IP.
>>>
>>> 15:07:55,104 WARN [org.keycloak.events] (default task-19)
>>> type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account, userId=null,
>>> ipAddress=2.2.2.2, (...)
>>>
>>>
>>>
>>> When I tried to reach KC on the 8080 (HTTP) listener (so the RP terminates
>>> the SSL connection and the one to KC server is made in HTTP), I got
>>> obviously a whole bunch of warnings and errors due to HTTP -> HTTPS
>>> transport and also a HTTP connection towards the external social identity
>>> providers like Google, FB, etc. ... BUT I got at least the real IP as you
>>> might see hereunder :
>>>
>>> 15:09:24,068 WARN [org.keycloak.events] (default task-29)
>>> type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null,
>>> ipAddress=191.21.133.234, (...)
>>>
>>>
>>>
>>>
>>>
>>> So the situation is that I will only get the "real" IP of the client only
>>> if it passes through the HTTP listener of KC (that has the parameter
>>> "proxy-address-forwarding") which is not what I want as I want to reach the
>>> HTTPS listener.
>>> I obviously also tried to add the same parameter (*proxy-address-forwarding
>>> = "true"*) in the HTTPS listener configuration but then, standalone.sh
>>> shows an error and refuses to start :
>>>
>>>
>>> *14:24:30,621 INFO [org.jboss.modules] (main) JBoss Modules version
>>> 1.5.1.Final*
>>> *14:24:30,821 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final*
>>> *14:24:30,888 INFO [org.jboss.as <http://org.jboss.as/>] (MSC service
>>> thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core 2.0.10.Final)
>>> starting*
>>> *14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread)
>>> WFLYSRV0055: Caught exception during boot:
>>> org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085:
>>> Failed to parse configuration*
>>> * at
>>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)*
>>> * at org.jboss.as.server.ServerService.boot(ServerService.java:356)*
>>> * at
>>> org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)*
>>> * at java.lang.Thread.run(Thread.java:745)*
>>> *Caused by: javax.xml.stream.XMLStreamException: ParseError at
>>> [row,col]:[380,17]*
>>> *Message: WFLYCTL0376: Unexpected attribute 'proxy-address-forwarding'
>>> encountered. Valid attributes are: 'socket-binding, worker, buffer-pool,
>>> enabled, resolve-peer-address, security-realm, verify-client,
>>> enabled-cipher-suites, enabled-protocols, enable-http2, enable-spdy,
>>> ssl-session-cache-size, ssl-session-timeout, max-header-size,
>>> max-post-size, buffer-pipelined-data, max-parameters, max-headers,
>>> max-cookies, allow-encoded-slash, decode-url, url-charset,
>>> always-set-keep-alive, max-buffered-request-size,
>>> record-request-start-time, allow-equals-in-cookie-value,
>>> no-request-timeout, request-parse-timeout, disallowed-methods, tcp-backlog,
>>> receive-buffer, send-buffer, tcp-keep-alive, read-timeout, write-timeout,
>>> max-connections, secure'*
>>> * at
>>> org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(ParseUtils.java:128)*
>>>
>>>
>>>
>>>
>>>
>>> *requirements* :
>>>
>>> - Entire solution has to run with SSL (HTTPS) from end to end
>>>
>>>
>>>
>>> Did someone already faced that situation or does have any clue about this ?
>>> Thank you for reading this post.
>>>
>>> Regards,
>>>
>>>
>>> /Olivier
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list