[keycloak-user] Services behind a Proxy that offloads SSL

Dmitry Telegin mitya at cargosoft.ru
Tue Nov 28 09:22:38 EST 2017 

Malte,

As the guys have already noticed, you need to make sure that your
*service* is proxy-aware, i.e. it has to be configured to recognize htt
ps://service.x.org as a legitimate external address.

If your service is deployed to JBoss/Wildfly, you should do the
following on the target server (not Keycloak):

    <subsystem xmlns="urn:jboss:domain:undertow:4.0">
        <server
name="default-server">
            <http-listener name="default"
        
       socket-binding="http"
                redirect-socket="https"
    
           proxy-address-forwarding="true"
                enable-
http2="true"/>
            ...
        </server>
        ...
   
</subsystem>

Just FYI, for Tomcat/TomEE this is done like that:

    <Service name="Catalina">

        <Connector
            protocol="HTTP/1.1"
            port="8085"
            ...
            redirectPort="8443"
            scheme="https" secure="true"
            proxyName="service.x.org"
            proxyPort="443"
            />
        ....
    </Service>

Also make sure that on a HAProxy side forwarding of X-Forwarded-*
headers is turned on.

Regards,
Dmitry

В Tue, 28/11/2017 в 13:28 +0100, Malte Finsterwalder пишет:
> Thanks for this reference.
> But it still doesn't solve my problem.
> I see I need to describe a little more, what my setup is and what my
> problem is.
> 
> We use HAProxy.
> I have one URL for my keycloak, say: https://keycloak.x.org
> I have another URL for my service, say: https://service.x.org
> These URLs go to HAProxy, which offloads SSL and then directs traffic
> as
> HTTP to the servers, which are run in a Kubernetes Cluster.
> 
> My keycloak.json file stored in the service is as follow:
> 
> {
> 
>   "realm": "myrealm",
>   "auth-server-url": "https://keycloak.x.org/auth",
>   "ssl-required": "all",
>   "resource": "my-client",
>   "principal-attribute": "preferred_username",
>   "public-client": true,
>   "truststore" : "/truststore.jks",
>   "truststore-password" : "mytruststorepassword"
> }
> 
> I open the service: "https://service.x.org/somepage" in my browser.
> I get redirected to Keycloak for authentication with this URL:
> https://keycloak.x.org/auth/realms/myrealm/protocol/openid-connect/au
> th?response_type=code&client_id=my-
> client&redirect_uri=http%3A%2F%2Fservice.x.org%2Fsomepage%2F&state=..
> ..&login=true&scope=openid
> Keycloak is accessed via https, as stated in the keycloak.json file.
> But as you can see, the embedded redirect_uri is http, not https.
> After Keycloak authenticated the user, keycloak issues a redirect to
> http://service.x.org/somepage and not https://service.x.org/somepage
> So after authentication my service is access via http and not https
> anymore.
> 
> Keycloaks standalone.xml is configured as described in the setup for
> Apache2 you sent me:
> 
>         <subsystem xmlns="urn:jboss:domain:undertow:3.1">
>             <buffer-cache name="default"/>
>             <server name="default-server">
>                 <http-listener proxy-address-forwarding="true"
> name="default"
>                            socket-binding="http"
>                            redirect-socket="https"/>
>                 <host name="default-host" alias="localhost">
>                     <location name="/" handler="welcome-content"/>
>                     <filter-ref name="server-header"/>
>                     <filter-ref name="x-powered-by-header"/>
>                 </host>
>             </server>
>             <servlet-container name="default">
>                 <jsp-config/>
>                 <websockets/>
>             </servlet-container>
>             <handlers>
>                 <file name="welcome-content"
> path="${jboss.home.dir}/welcome-content"/>
>             </handlers>
>             <filters>
>                 <response-header name="server-header" header-
> name="Server"
> header-value="JBoss-EAP/7"/>
>                 <response-header name="x-powered-by-header"
> header-name="X-Powered-By" header-value="Undertow/1"/>
>             </filters>
>         </subsystem>
> 
> 
>     <socket-binding-group name="standard-sockets"
> default-interface="public"
> port-offset="${jboss.socket.binding.port-offset:0}">
>         ....
>         <socket-binding name="https"
> port="${jboss.https.port:8443}"/>
>         ....
>     </socket-binding-group>
> 
> Does that make things clearer?
> 
> What am I missing?!
> 
> Thanks for your help,
>    Malte
> 
> On 28 November 2017 at 11:07, Matthew Broadhead <
> matthew.broadhead at nbmlaw.co.uk> wrote:
> 
> > which proxy are you using?  this guide helped me proxy behind
> > apache2
> > http://markus.co/howto/2017/07/27/keycloak-apache.html
> > 
> > On 28/11/2017 10:57, Malte Finsterwalder wrote:
> > > Thanks for your help, but I can't find anything helpfull in the
> > > docs. I
> > > scanned the complete documentation and read a lot of it.
> > > Could you point me to a particular chapter?
> > > 
> > > To clarify: I don't have a problem with Keycloak being behind a
> > > proxy,
> > 
> > that
> > > offloads SSL.
> > > 
> > > I have a problem with the service being behind a proxy. The
> > > service
> > 
> > itself
> > > is access via HTTP, since SSL is offloaded on the Proxy.
> > > The client adapter then creates a redirect URL as HTTP, not HTTPS
> > > and
> > > passes that to Keycloak. So when Keycloak redirects back to the
> > > service,
> > 
> > it
> > > uses the HTTP URL provided by the client adapter, which is
> > > "wrong".
> > > 
> > > Thanks,
> > >     Malte
> > > 
> > > On 27 November 2017 at 20:26, Stian Thorgersen <sthorger at redhat.c
> > > om>
> > 
> > wrote:
> > > 
> > > > Read the docs. There's a section on how to configure Keycloak
> > > > properly
> > > > when you're using a reverse proxy
> > > > 
> > > > On 27 November 2017 at 17:31, Malte Finsterwalder <inofi at gmx.ne
> > > > t>
> > 
> > wrote:
> > > > 
> > > > > Hi there,
> > > > > 
> > > > > I have a service running in a JBoss server, that I want to
> > > > > secure via
> > 
> > the
> > > > > keycloak adapter.
> > > > > The server is behind a proxy, that offloads SSL, so the
> > > > > server itself
> > 
> > gets
> > > > > traffic as http.
> > > > > When the server redirects to keycloak for authentication, the
> > > > > redirect
> > 
> > URL
> > > > > supplied to keycloak is http, not https. How can I ensure,
> > > > > that a
> > 
> > redirect
> > > > > URL is an https URL?
> > > > > 
> > > > > Greetings,
> > > > >     Malte
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > 
> > > 
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > 
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list