如何在 HTTPS 服务器后面设置 Keycloak

tag-icon tag-icon https reverse-proxy jboss
如何在 HTTPS 服务器后面设置 Keycloak

我已按照此处的步骤操作 https://www.keycloak.org/docs/3.4/server_installation/index.html#enable-https-ssl-with-a-reverse-proxy 但当我尝试打开时,却发现缺少了一些东西https://auth.solidsense.tk/auth/realms/master/.well-known/openid-configuration 端点没有正确的方案(http 而不是 https),我无法进入管理控制台

        listen 80;
        listen [::]:80;


        server_name auth.solidsense.tk;
        root /var/www/auth.solidsense.tk/html;
        index index.html index.htm index.nginx-debian.html;


        location /{ 
              proxy_set_header Host $host; 
              proxy_set_header X-Real-IP  $remote_addr; 
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header   Cookie $http_cookie;                 
              proxy_pass http://localhost:9080;

    }


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/auth.solidsense.tk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/auth.solidsense.tk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

root@scw-mainflux:~/keycloak-3.4.3.Final# git diff standalone/configuration/standalone.xml
diff --git a/standalone/configuration/standalone.xml b/standalone/configuration/standalone.xml
index 2cb189a..73db59c 100644
--- a/standalone/configuration/standalone.xml
+++ b/standalone/configuration/standalone.xml
@@ -465,7 +465,7 @@
         <subsystem xmlns="urn:jboss:domain:undertow:4.0">
             <buffer-cache name="default"/>
             <server name="default-server">
-                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+               <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"  enable-http2="true"/>
                 <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
                 <host name="default-host" alias="localhost">
                     <location name="/" handler="welcome-content"/>
@@ -564,6 +564,7 @@
         <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
         <socket-binding name="http" port="${jboss.http.port:8080}"/>
         <socket-binding name="https" port="${jboss.https.port:8443}"/>
+        <socket-binding name="proxy-https" port="443"/>
         <socket-binding name="txn-recovery-environment" port="4712"/>
         <socket-binding name="txn-status-manager" port="4713"/>
         <outbound-socket-binding name="mail-smtp">

答案1

我知道这个问题已经很久了,但仍然没有答案,而且从浏览量来看,这个问题一次又一次地出现。我猜很多人最终都会自己找到答案,但没有发帖,所以我会发帖对我有用的。

典型场景 Internet -> HTTPS -> ModSecNginx -> HTTP -> Keycloak

Keycloak 4.4.0 ModSecurity-nginx v1.0.0(内联/本地/远程加载规则:0/903/0)

在完成“所有操作”之后,我遇到了同样的问题,keycloak 代理转发为真,nginx 建议......等等。

curl https://modsec.redacted.com/auth/realms/master/.well-known/openid-configuration
{"issuer":"http://modsec.redacted.com/auth/realms/master","authorization_endpoint":"http://modsec.redacted.com/auth/realms/master/protocol/openid-connect/auth"....

配置

    server
    {
      listen 80;
      listen [::]:80;
      location /
        {

          modsecurity on;
          modsecurity_rules '
            SecRuleEngine On
            SecDebugLog /tmp/modsec_debug.log
            # Debug Levels are 3,4,5,9
            SecDebugLogLevel 3
            # The below rules are disabled, else keycloak does not work at paranoia level 5
            SecRuleRemoveById 942432 920273 942421 942420
          ';
          proxy_set_header    Host               $http_host;
          proxy_set_header    X-Real-IP          $remote_addr;
          proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
          proxy_set_header    Cookie              $http_cookie;
          proxy_set_header    X-Forwarded-Host   $host;
          proxy_set_header    X-Forwarded-Server $host;
          proxy_set_header    X-Forwarded-Port   $server_port;
          proxy_set_header    X-Forwarded-Proto  $scheme;
          proxy_pass http://keycloak:8080;
        }
    }

这就是我必须做的

改变:

          proxy_set_header    X-Forwarded-Proto  $scheme;

到:

          proxy_set_header    X-Forwarded-Proto  https;

结果

curl https://modsec.redacted.com/auth/realms/master/.well-known/openid-configuration
{"issuer":"https://modsec.redacted.com:80/auth/realms/master","authorization_endpoint":"https://modsec.redacted.com:80/auth/realms/master/protocol/openid-connect/auth"

你知道发生什么事了吗?

然后改变:

          proxy_set_header    X-Forwarded-Port   $server_port;

到:

          proxy_set_header    X-Forwarded-Proto  443;

或者,将其完全取出。

结果

curl https://modsec.redacted.com/auth/realms/master/.well-known/openid-configuration
{"issuer":"https://modsec.redacted.com/auth/realms/master","authorization_endpoint":"https://modsec.redacted.com/auth/realms/master/protocol/openid-connect/auth",

您的管理控制台也将开始工作。我确信 Nginx 有适合此的变量($request_scheme,或者 $client_scheme 可能?)。

这就对了!

相关内容