[keycloak-user] problem with nginx reverse proxy and ip access control

Jernej Porenta jernej.porenta at 3fs.si
Fri Sep 21 08:37:15 EDT 2018


Hey,

> 
> Thanks for the reply. I've gone through pretty much the same iterations. I've also tried manipulating the X-Forwarded-For as you mentioned and it doesn't help either.
> 
> In our case we are using Amazon ECS to host Keycloak behind an external facing ALB. I want to be able to restrict the admin console to internal only addresses, so I have an nginx container to reverse-proxy admin requests to keycloak. No matter what configuration I try, I cannot get it to work.
> 
> Would be open to any other suggestions
> 

I've added a snippet into the http part of nginx (if using nginx ingress: config.http-snippet)
geo $admin_access {
	default deny;
	192.168.0.1/24 allow;
}

and into the server part of the nginx host (or server-snippet of your ingress service configuration)
set $check "";
if ($uri ~ '^/auth/admin') { set $check "${admin_access}-admin"; }
if ($check = "deny-admin") { return 403; }


br, Jernej
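
The following is an added example, not part of the original post or of Keycloak or nginx: a small Python model of the geo and 403 rule above that can be used to check which address the allow-list is actually evaluated against when a proxy sits in front. It assumes the proxy appends the connecting address to X-Forwarded-For; `TRUSTED_PROXIES` is a constructed range standing in for the load balancer subnets, and the function names are hypothetical.

```python
import ipaddress

# Allow-list mirrors the geo block in the post. TRUSTED_PROXIES is a
# constructed placeholder for the subnets the load balancer connects from.
ADMIN_ALLOW = [ipaddress.ip_network("192.168.0.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]
ADMIN_PREFIX = "/auth/admin"


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client(peer, xff):
    """Return the address the allow-list should be checked against.

    The header is honoured only when the TCP peer is a trusted proxy. It is
    then walked right to left, skipping trusted proxies, so the first
    untrusted hop from the right is the client. Returns None when an entry
    cannot be parsed, which the caller treats as a deny.
    """
    addr = ipaddress.ip_address(peer)
    if not _in_any(addr, TRUSTED_PROXIES):
        return addr  # direct connection: the header is client-supplied
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return addr


def status_for(peer, xff, uri):
    """403 for admin paths from clients outside ADMIN_ALLOW, else 200."""
    if not uri.startswith(ADMIN_PREFIX):
        return 200
    client = effective_client(peer, xff)
    if client is None or not _in_any(client, ADMIN_ALLOW):
        return 403
    return 200
```

If the geo variable is evaluated against the proxy's own address instead, every request looks the same to the allow-list, which matches the symptom described in the quoted message.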



