keycloak 将 url 重定向到 http 而不是 https
keycloak redirects urls to http instead of https
我在 SSL 终止 nginx 代理后面设置了一个密钥斗篷。当我尝试访问使用 keycloak 保护的应用程序时,keycloak 生成 url 如下所示:
https://keycloak.mydomain.com/auth/realms/AdfsDemo/protocol/openid-connect/auth?client_id=adfs&redirect_uri=http%3A%2F%2Fmyapp.mydomain.com%2Fsignin-oidc&response_type=code&scope=openid%20profile&response_mode=form_post&nonce=636603226928179925.MmUzYWEzMGYtNTAxOS00MTBkLTk4MWItMDU3MGY1NjAxOGViNzlhYmZiMDQtNTQyOC00Y2YzLTk2MjMtZjNjMWFjNTI1YzM3&state=CfDJ8NQosUp9FsZBgifUu0XsVAEasSeKTitMPUM5yatTiQGf_Kz_X9CpQNPIHOkGr1hsgdErjhbw4ULINvCJgnFdWYctcIuhoyhOTt2Km3xy0qFh4o9gNFkPQlbEqc771MmVC2FUqUtvDqf8zChsyDDfGkxZ6Kc1y36I_3lFfzfubBAyXK0cEb_3AdZBMyDRp2WMykrarD8Z-0iGBk_q5Z8akYYHyCc7q-FSKxP1DW59nHpF8fM6P-S8SdVxvTW2dtEyV9UL6rlqD8dabNNJxhoaXEeBzwRh84it2vVlaaYpQ7d1ErZ51hpuzhG2gYSxnowMdQa8gfd8X1hs5HsgJXL-gCmBgTlxWNQfAy5DRpcX8Wi0&x-client-SKU=ID_NET&x-client-ver=2.1.4.0
我可以在 https 上访问 keycloak 就好了。但是当我尝试访问使用 keycloak 保护的应用程序时,您会注意到 keycloak 生成的 redirect_uri 是 http 而不是 https。
这是我的 nginx 配置
server {
listen 443 ssl;
server_name myapp.mydomain.com;
ssl_certificate /etc/nginx/external/wildcard_mydomain_com.pem;
ssl_certificate_key /etc/nginx/external/private.rsa;
location / {
proxy_set_header Host myapp.mydomain.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://172.30.5.28:8001;
}
}
#Keycloak Service
server {
listen 443 ssl;
server_name keycloak.mydomain.com;
ssl_certificate /etc/nginx/external/wildcard_mydomain_com.pem;
ssl_certificate_key /etc/nginx/external/private.rsa;
location = / {
return 301 https://keycloak.mydomain.com/auth;
}
location /auth {
proxy_pass http://172.30.5.28:8080;
proxy_set_header Host keycloak.mydomain.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
非常感谢任何帮助。
谢谢,
拉胡尔
我能够解决这个问题。
我们有 dotnet 核心应用程序和 keycloak behing ssl 终止 SSL 代理。上面提到的 Nginx 设置是正确的,问题是应用程序没有正确转发 headers 到 keyclaok。以下 link 帮助:
https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-2.1
var forwardingOptions = new ForwardedHeadersOptions()
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
};
forwardingOptions.KnownNetworks.Clear(); //its loopback by default
forwardingOptions.KnownProxies.Clear();
app.UseForwardedHeaders(forwardingOptions);
这个来自另一个答案的代码块为我解决了这个问题。
对于 nodejs/express 应用程序,我必须添加信任代理设置。
app.set('trust proxy', function (ip) {
return true;
// if (ip === '127.0.0.1' || ip === '123.123.123.123') return true // trusted IPs
// else return false
});
遇到KeyCloak同样的问题docker,我是这样解决的,
nginx 配置,
location /auth {
resolver 127.0.0.11 ipv6=off valid=5s;
set $upstream "http://identity-service:8080";
proxy_pass $upstream;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_connect_timeout 3000;
proxy_send_timeout 3000;
proxy_read_timeout 3000;
send_timeout 3000;
client_max_body_size 5120m;
}
docker-编写文件,设置PROXY_ADDRESS_FORWARDING为true
environment:
KEYCLOAK_USER:
KEYCLOAK_PASSWORD:
KEYCLOAK_FRONTEND_URL:
PROXY_ADDRESS_FORWARDING: "true"
DB_VENDOR:
DB_ADDR:
DB_PORT:
DB_DATABASE:
DB_USER:
DB_PASSWORD:
- 通过删除 KEYCLOAK_FRONTEND_URL,您也可以禁用 KeyCloak 前端。
我在 SSL 终止 nginx 代理后面设置了一个密钥斗篷。当我尝试访问使用 keycloak 保护的应用程序时,keycloak 生成 url 如下所示:
https://keycloak.mydomain.com/auth/realms/AdfsDemo/protocol/openid-connect/auth?client_id=adfs&redirect_uri=http%3A%2F%2Fmyapp.mydomain.com%2Fsignin-oidc&response_type=code&scope=openid%20profile&response_mode=form_post&nonce=636603226928179925.MmUzYWEzMGYtNTAxOS00MTBkLTk4MWItMDU3MGY1NjAxOGViNzlhYmZiMDQtNTQyOC00Y2YzLTk2MjMtZjNjMWFjNTI1YzM3&state=CfDJ8NQosUp9FsZBgifUu0XsVAEasSeKTitMPUM5yatTiQGf_Kz_X9CpQNPIHOkGr1hsgdErjhbw4ULINvCJgnFdWYctcIuhoyhOTt2Km3xy0qFh4o9gNFkPQlbEqc771MmVC2FUqUtvDqf8zChsyDDfGkxZ6Kc1y36I_3lFfzfubBAyXK0cEb_3AdZBMyDRp2WMykrarD8Z-0iGBk_q5Z8akYYHyCc7q-FSKxP1DW59nHpF8fM6P-S8SdVxvTW2dtEyV9UL6rlqD8dabNNJxhoaXEeBzwRh84it2vVlaaYpQ7d1ErZ51hpuzhG2gYSxnowMdQa8gfd8X1hs5HsgJXL-gCmBgTlxWNQfAy5DRpcX8Wi0&x-client-SKU=ID_NET&x-client-ver=2.1.4.0
我可以在 https 上访问 keycloak 就好了。但是当我尝试访问使用 keycloak 保护的应用程序时,您会注意到 keycloak 生成的 redirect_uri 是 http 而不是 https。
这是我的 nginx 配置
server {
listen 443 ssl;
server_name myapp.mydomain.com;
ssl_certificate /etc/nginx/external/wildcard_mydomain_com.pem;
ssl_certificate_key /etc/nginx/external/private.rsa;
location / {
proxy_set_header Host myapp.mydomain.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://172.30.5.28:8001;
}
}
#Keycloak Service
server {
listen 443 ssl;
server_name keycloak.mydomain.com;
ssl_certificate /etc/nginx/external/wildcard_mydomain_com.pem;
ssl_certificate_key /etc/nginx/external/private.rsa;
location = / {
return 301 https://keycloak.mydomain.com/auth;
}
location /auth {
proxy_pass http://172.30.5.28:8080;
proxy_set_header Host keycloak.mydomain.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
非常感谢任何帮助。
谢谢, 拉胡尔
我能够解决这个问题。 我们有 dotnet 核心应用程序和 keycloak behing ssl 终止 SSL 代理。上面提到的 Nginx 设置是正确的,问题是应用程序没有正确转发 headers 到 keyclaok。以下 link 帮助: https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-2.1
var forwardingOptions = new ForwardedHeadersOptions()
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
};
forwardingOptions.KnownNetworks.Clear(); //its loopback by default
forwardingOptions.KnownProxies.Clear();
app.UseForwardedHeaders(forwardingOptions);
这个来自另一个答案的代码块为我解决了这个问题。
对于 nodejs/express 应用程序,我必须添加信任代理设置。
app.set('trust proxy', function (ip) {
return true;
// if (ip === '127.0.0.1' || ip === '123.123.123.123') return true // trusted IPs
// else return false
});
遇到KeyCloak同样的问题docker,我是这样解决的,
nginx 配置,
location /auth {
resolver 127.0.0.11 ipv6=off valid=5s;
set $upstream "http://identity-service:8080";
proxy_pass $upstream;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_connect_timeout 3000;
proxy_send_timeout 3000;
proxy_read_timeout 3000;
send_timeout 3000;
client_max_body_size 5120m;
}
docker-编写文件,设置PROXY_ADDRESS_FORWARDING为true
environment:
KEYCLOAK_USER:
KEYCLOAK_PASSWORD:
KEYCLOAK_FRONTEND_URL:
PROXY_ADDRESS_FORWARDING: "true"
DB_VENDOR:
DB_ADDR:
DB_PORT:
DB_DATABASE:
DB_USER:
DB_PASSWORD:
- 通过删除 KEYCLOAK_FRONTEND_URL,您也可以禁用 KeyCloak 前端。