[keycloak-user] Keycloak & SSL - incorrect urls
John Bartko
john.bartko at drillinginfo.com
Tue May 23 11:17:08 EDT 2017
From https://keycloak.gitbooks.io/documentation/server_installation/topics/clustering/load-balancer.html
On the Keycloak side:
/socket-binding-group=standard-sockets/socket-binding=proxy-https/:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
On the LB side:
- Must set X-Forwarded-For
- Must set X-Forwarded-Proto
- Must preserve Host header
AWS ELB/ALBs should do all of the above out of the box.
To verify from behind the LB, curl an endpoint that renders URIs (like OIDC config, or SAML descriptor):
curl -s -H 'Host: keycloak.example.org' -H 'X-Forwarded-For: 10.0.100.42' -H 'X-Forwarded-Proto: https' $(hostname -I | cut -f 1 -d ' '):8080/auth/realms/master/.well-known/openid-configuration | jq .issuer
"https://keycloak.example.org/auth/realms/master"
The URI should be rendered correctly. If access logging is enabled in the environment, the log entry should have recorded the request as coming from the IP listed in the X-Forwarded-For header.
Hope that helps,
-John Bartko
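For the ELB -> nginx -> Keycloak layout in the original question, here is an added nginx example (not from this reply or the Keycloak docs) of the headers the nginx hop has to carry so that Keycloak sees the same three things listed above; the upstream address, port and server name are assumptions.

```nginx
# Added example: nginx sits between a TLS-terminating ELB and Keycloak.
# Assumed upstream address; adjust to the real deployment.
upstream keycloak {
    server 10.0.0.10:8080;
}

server {
    listen 80;
    server_name keycloak.example.org;

    location /auth/ {
        proxy_pass http://keycloak;

        # Preserve the public Host header. Without this nginx sends
        # "Host: keycloak" (the proxy_pass name) and Keycloak renders that.
        proxy_set_header Host $host;

        # Append the previous hop to the chain the ELB already started.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Wrong for this layout: $scheme is "http" here because the ELB,
        # not nginx, terminated TLS, so Keycloak would still render http://
        # proxy_set_header X-Forwarded-Proto $scheme;

        # Pass through the value the ELB set instead.
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }
}
```

Because proxy-address-forwarding makes Keycloak trust these headers, port 8080 should only be reachable from the nginx hosts; otherwise any client can spoof its source IP and scheme.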
________________________________
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of John D. Ament <john.d.ament at gmail.com>
Sent: Tuesday, May 23, 2017 6:49:07 AM
To: keycloak-user
Subject: [keycloak-user] Keycloak & SSL - incorrect urls
Hi,
I have keycloak deployed behind an ELB and nginx, so it's going ELB -> NGINX
-> KEYCLOAK. We do SSL termination at the ELB, so that the requests to
nginx and keycloak are actually HTTP calls. We've noticed that the
endpoint descriptors page (which provides an importable XML for a SAML
descriptor) is using HTTP urls, even though the public URL is an HTTPS url
(e.g. https://keycloak.mycompany.com)
Is there a configuration setting that would force keycloak to render HTTPS
urls?
John
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user