[keycloak-user] Getting the client-IP behind a reverse proxy with HTTPS
Stuart Auchterlonie
stuarta at squashedfrog.net
Fri Jan 13 03:56:00 EST 2017
On 13/01/17 07:35, Stian Thorgersen wrote:
> FIY I don't think Keycloak (WildFly) looks at X-Real-IP, but rather
> it'll use X-Forwarded-For
Most things use X-Forwarded-For, this is just my standard proxy
config snippet which I use for everything
I would try without it to start with and see how you get on.
Regards
Stuart
>
> On 12 January 2017 at 14:09, Stuart Auchterlonie
> <stuarta at squashedfrog.net <mailto:stuarta at squashedfrog.net>> wrote:
>
> Hi,
>
>
> I set the following headers with nginx and it works just fine.
>
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $remote_addr;
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Server $host;
> proxy_set_header X-Forwarded-Proto $scheme;
>
> it might be because you are trying to use add_header
> rather than proxy_set_header.
>
>
> Regards
> Stuart
>
>
> On 11/01/17 18:46, Bruno Oliveira wrote:
> > I never tried it with Keycloak, it may or may not work. But you
> can try to set
> > on nginx 'set_real_ip_from' with 'real_ip_header'[1].
> >
> > [1] -
> http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
> <http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header>
> >
> > On 2017-01-10, Olivier Bruylandt wrote:
> >> Dear,
> >>
> >>
> >> I get an issue to get the wanted behavior when retrieving the
> client public
> >> IP.
> >> This is the situation :
> >> (all IP's have been anonymized)
> >>
> >>
> >>
> >> - *infrastructure level*:
> >>
> >> ----------- Reverse Proxy NGINX
> ----------------------------------- KeyCloak
> >>
> >> RP is listening on ports 80 & 443 (80 is redirected to 443)
> >> There is a public certificate signed by some external CA
> >> Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080)
> >> Keycloak is set as standalone server on a Wildfly last version
> >>
> >>
> >>
> >>
> >> - *Nginx config*
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> *server { listen 443; server_name ************;
> >> fastcgi_param HTTPS on; location / { add_header
> >> X-Cache-Status $upstream_cache_status; add_header
> X-Real-IP
> >> $remote_addr; add_header X-Forwarded-For
> $remote_addr;
> >> add_header X-Forwarded-Proto $scheme;
> >> more_set_headers 'Server: ******'; more_clear_headers
> >> 'X-Powered-By'; charset UTF-8;
> proxy_cache
> >> ******_cache; proxy_pass https://1.1.1.1:8443/
> >> <https://1.1.1.1:8443/>; }*
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> * ssl on; ssl_certificate
> /etc/ssl/private/**********.crt;
> >> ssl_certificate_key /etc/ssl/private/*************.key;
> >> ssl_prefer_server_ciphers on; ssl_dhparam
> /etc/ssl/***********.pem;
> >> ssl_protocols TLSv1.1 TLSv1.2; ssl_stapling on;
> >> ssl_session_cache builtin:1000 shared:SSL:10m; add_header
> >> Strict-Transport-Security "max-age=63072000; includeSubdomains;
> preload";
> >> add_header X-Frame-Options "DENY"; ssl_ciphers
> >> 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';*
> >>
> >>
> >>
> >>
> >> - *Keycloak config* :
> >>
> >>
> >> * <subsystem xmlns="urn:jboss:domain:undertow:3.0">*
> >> * <buffer-cache name="default"/>*
> >> * <server name="default-server">*
> >>
> >> * <http-listener
> >> name="default" proxy-address-forwarding="true"
> socket-binding="http"/>*
> >> * <https-listener name="https"
> security-realm="**********"
> >> socket-binding="https"/>*
> >> * <host name="default-host" alias="localhost">*
> >> * <location name="/" handler="welcome-content"/>*
> >> * </host>*
> >> * </server>*
> >> * <servlet-container name="default">*
> >> * <jsp-config/>*
> >> * <websockets/>*
> >> * </servlet-container>*
> >> * <handlers>*
> >> * <file name="welcome-content"
> >> path="${jboss.home.dir}/welcome-content"/>*
> >> * </handlers>*
> >> * </subsystem>*
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> The situation is that everything is working fine and smooth
> EXCEPT ... the
> >> fact that under sessions (and moreover for all user activities),
> the user
> >> IP I see is the one of the reverse proxy !!
> >> As I put in red in the KC config, this is what should do the
> trick to use
> >> the X-Forwarded-For header value to set the client's IP.
> >>
> >> 15:07:55,104 WARN [org.keycloak.events] (default task-19)
> >> type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account, userId=null,
> >> ipAddress=2.2.2.2, (...)
> >>
> >>
> >>
> >> When I tried to reach KC on the 8080 (HTTP) listener (so the RP
> terminates
> >> the SSL connection and the one to KC server is made in HTTP), I got
> >> obviously a whole bunch of warnings and errors due to HTTP -> HTTPS
> >> transport and also a HTTP connection towards the external social
> identity
> >> providers like Google, FB, etc. ... BUT I got at least the real
> IP as you
> >> might see hereunder :
> >>
> >> 15:09:24,068 WARN [org.keycloak.events] (default task-29)
> >> type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null,
> >> ipAddress=191.21.133.234, (...)
> >>
> >>
> >>
> >>
> >>
> >> So the situation is that I will only get the "real" IP of the
> client only
> >> if it passes through the HTTP listener of KC (that has the parameter
> >> "proxy-address-forwarding") which is not what I want as I want to
> reach the
> >> HTTPS listener.
> >> I obviously also tried to add the same parameter
> (*proxy-address-forwarding
> >> = "true"*) in the HTTPS listener configuration but then,
> standalone.sh
> >> shows an error and refuses to start :
> >>
> >>
> >> *14:24:30,621 INFO [org.jboss.modules] (main) JBoss Modules version
> >> 1.5.1.Final*
> >> *14:24:30,821 INFO [org.jboss.msc] (main) JBoss MSC version
> 1.2.6.Final*
> >> *14:24:30,888 INFO [org.jboss.as <http://org.jboss.as>
> <http://org.jboss.as/>] (MSC service
> >> thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core
> 2.0.10.Final)
> >> starting*
> >> *14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread)
> >> WFLYSRV0055: Caught exception during boot:
> >>
> org.jboss.as.controller.persistence.ConfigurationPersistenceException:
> >> WFLYCTL0085:
> >> Failed to parse configuration*
> >> * at
> >>
> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)*
> >> * at
> org.jboss.as.server.ServerService.boot(ServerService.java:356)*
> >> * at
> >>
> org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)*
> >> * at java.lang.Thread.run(Thread.java:745)*
> >> *Caused by: javax.xml.stream.XMLStreamException: ParseError at
> >> [row,col]:[380,17]*
> >> *Message: WFLYCTL0376: Unexpected attribute
> 'proxy-address-forwarding'
> >> encountered. Valid attributes are: 'socket-binding, worker,
> buffer-pool,
> >> enabled, resolve-peer-address, security-realm, verify-client,
> >> enabled-cipher-suites, enabled-protocols, enable-http2, enable-spdy,
> >> ssl-session-cache-size, ssl-session-timeout, max-header-size,
> >> max-post-size, buffer-pipelined-data, max-parameters, max-headers,
> >> max-cookies, allow-encoded-slash, decode-url, url-charset,
> >> always-set-keep-alive, max-buffered-request-size,
> >> record-request-start-time, allow-equals-in-cookie-value,
> >> no-request-timeout, request-parse-timeout, disallowed-methods,
> tcp-backlog,
> >> receive-buffer, send-buffer, tcp-keep-alive, read-timeout,
> write-timeout,
> >> max-connections, secure'*
> >> * at
> >>
> org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(ParseUtils.java:128)*
> >>
> >>
> >>
> >>
> >>
> >> *requirements* :
> >>
> >> - Entire solution has to run with SSL (HTTPS) from end to end
> >>
> >>
> >>
> >> Did someone already faced that situation or does have any clue
> about this ?
> >> Thank you for reading this post.
> >>
> >> Regards,
> >>
> >>
> >> /Olivier
> >>
> >> On 10 January 2017 at 11:52, Olivier Bruylandt
> <olivier.bruylandt at gmail.com <mailto:olivier.bruylandt at gmail.com>>
> >> wrote:
> >>
> >>> Dear,
> >>>
> >>>
> >>> I get an issue to get the wanted behavior when retrieving the client
> >>> public IP.
> >>> This is the situation :
> >>> (all IP's have been anonymized)
> >>>
> >>>
> >>>
> >>> - *infrastructure level*:
> >>>
> >>> ----------- Reverse Proxy NGINX -----------------------------------
> >>> KeyCloak
> >>>
> >>> RP is listening on ports 80 & 443 (80 is redirected to 443)
> >>> There is a public certificate signed by some external CA
> >>> Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080)
> >>> Keycloak is set as standalone server on a Wildfly last version
> >>>
> >>>
> >>>
> >>>
> >>> - *Nginx config*
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> *server { listen 443; server_name ************;
> >>> fastcgi_param HTTPS on; location / {
> add_header
> >>> X-Cache-Status $upstream_cache_status; add_header
> X-Real-IP
> >>> $remote_addr; add_header X-Forwarded-For
> $remote_addr;
> >>> add_header X-Forwarded-Proto $scheme;
> >>> more_set_headers 'Server: ******'; more_clear_headers
> >>> 'X-Powered-By'; charset UTF-8;
> proxy_cache
> >>> ******_cache; proxy_pass https://1.1.1.1:8443/
> >>> <https://1.1.1.1:8443/>; }*
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> * ssl on; ssl_certificate
> /etc/ssl/private/**********.crt;
> >>> ssl_certificate_key /etc/ssl/private/*************.key;
> >>> ssl_prefer_server_ciphers on; ssl_dhparam
> /etc/ssl/***********.pem;
> >>> ssl_protocols TLSv1.1 TLSv1.2; ssl_stapling on;
> >>> ssl_session_cache builtin:1000 shared:SSL:10m; add_header
> >>> Strict-Transport-Security "max-age=63072000; includeSubdomains;
> preload";
> >>> add_header X-Frame-Options "DENY"; ssl_ciphers
> >>> 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';*
> >>>
> >>>
> >>>
> >>>
> >>> - *Keycloak config* :
> >>>
> >>>
> >>> * <subsystem xmlns="urn:jboss:domain:undertow:3.0">*
> >>> * <buffer-cache name="default"/>*
> >>> * <server name="default-server">*
> >>>
> >>> * <http-listener
> >>> name="default" proxy-address-forwarding="true"
> socket-binding="http"/>*
> >>> * <https-listener name="https"
> security-realm="**********"
> >>> socket-binding="https"/>*
> >>> * <host name="default-host" alias="localhost">*
> >>> * <location name="/" handler="welcome-content"/>*
> >>> * </host>*
> >>> * </server>*
> >>> * <servlet-container name="default">*
> >>> * <jsp-config/>*
> >>> * <websockets/>*
> >>> * </servlet-container>*
> >>> * <handlers>*
> >>> * <file name="welcome-content"
> >>> path="${jboss.home.dir}/welcome-content"/>*
> >>> * </handlers>*
> >>> * </subsystem>*
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> The situation is that everything is working fine and smooth
> EXCEPT ... the
> >>> fact that under sessions (and moreover for all user activities),
> the user
> >>> IP I see is the one of the reverse proxy !!
> >>> As I put in red in the KC config, this is what should do the
> trick to use
> >>> the X-Forwarded-For header value to set the client's IP.
> >>>
> >>> 15:07:55,104 WARN [org.keycloak.events] (default task-19)
> >>> type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account,
> userId=null,
> >>> ipAddress=2.2.2.2, (...)
> >>>
> >>>
> >>>
> >>> When I tried to reach KC on the 8080 (HTTP) listener (so the RP
> terminates
> >>> the SSL connection and the one to KC server is made in HTTP), I got
> >>> obviously a whole bunch of warnings and errors due to HTTP -> HTTPS
> >>> transport and also a HTTP connection towards the external social
> identity
> >>> providers like Google, FB, etc. ... BUT I got at least the real
> IP as you
> >>> might see hereunder :
> >>>
> >>> 15:09:24,068 WARN [org.keycloak.events] (default task-29)
> >>> type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null,
> >>> ipAddress=191.21.133.234, (...)
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> So the situation is that I will only get the "real" IP of the
> client only
> >>> if it passes through the HTTP listener of KC (that has the parameter
> >>> "proxy-address-forwarding") which is not what I want as I want
> to reach the
> >>> HTTPS listener.
> >>> I obviously also tried to add the same parameter
> (*proxy-address-forwarding
> >>> = "true"*) in the HTTPS listener configuration but then,
> standalone.sh
> >>> shows an error and refuses to start :
> >>>
> >>>
> >>> *14:24:30,621 INFO [org.jboss.modules] (main) JBoss Modules version
> >>> 1.5.1.Final*
> >>> *14:24:30,821 INFO [org.jboss.msc] (main) JBoss MSC version
> 1.2.6.Final*
> >>> *14:24:30,888 INFO [org.jboss.as <http://org.jboss.as>
> <http://org.jboss.as/>] (MSC service
> >>> thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core
> 2.0.10.Final)
> >>> starting*
> >>> *14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread)
> >>> WFLYSRV0055: Caught exception during boot:
> >>>
> org.jboss.as.controller.persistence.ConfigurationPersistenceException:
> WFLYCTL0085:
> >>> Failed to parse configuration*
> >>> * at
> >>>
> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)*
> >>> * at
> org.jboss.as.server.ServerService.boot(ServerService.java:356)*
> >>> * at
> >>>
> org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)*
> >>> * at java.lang.Thread.run(Thread.java:745)*
> >>> *Caused by: javax.xml.stream.XMLStreamException: ParseError at
> >>> [row,col]:[380,17]*
> >>> *Message: WFLYCTL0376: Unexpected attribute
> 'proxy-address-forwarding'
> >>> encountered. Valid attributes are: 'socket-binding, worker,
> buffer-pool,
> >>> enabled, resolve-peer-address, security-realm, verify-client,
> >>> enabled-cipher-suites, enabled-protocols, enable-http2, enable-spdy,
> >>> ssl-session-cache-size, ssl-session-timeout, max-header-size,
> >>> max-post-size, buffer-pipelined-data, max-parameters, max-headers,
> >>> max-cookies, allow-encoded-slash, decode-url, url-charset,
> >>> always-set-keep-alive, max-buffered-request-size,
> >>> record-request-start-time, allow-equals-in-cookie-value,
> >>> no-request-timeout, request-parse-timeout, disallowed-methods,
> tcp-backlog,
> >>> receive-buffer, send-buffer, tcp-keep-alive, read-timeout,
> write-timeout,
> >>> max-connections, secure'*
> >>> * at
> >>>
> org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(ParseUtils.java:128)*
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> *requirements* :
> >>>
> >>> - Entire solution has to run with SSL (HTTPS) from end to end
> >>>
> >>>
> >>>
> >>> Did someone already faced that situation or does have any clue
> about this ?
> >>> Thank you for reading this post.
> >>>
> >>> Regards,
> >>>
> >>>
> >>> /Olivier
> >>>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
> >
> > --
> >
> > abstractj
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
> >
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
>
More information about the keycloak-user
mailing list