HTTPS 서버 뒤에 Keycloak을 설정하는 방법

tag-icon tag-icon https reverse-proxy jboss
HTTPS 서버 뒤에 Keycloak을 설정하는 방법

나는 여기의 절차를 따랐다. https://www.keycloak.org/docs/3.4/server_installation/index.html#enable-https-ssl-with-a-reverse-proxy 그런데 열려고 하면 뭔가 빠졌어요https://auth.solidsense.tk/auth/realms/master/.well-known/openid-configuration 엔드포인트에 적절한 체계(https 대신 http)가 없고 관리 콘솔에 들어갈 수 없습니다.

        listen 80;
        listen [::]:80;


        server_name auth.solidsense.tk;
        root /var/www/auth.solidsense.tk/html;
        index index.html index.htm index.nginx-debian.html;


        location /{ 
              proxy_set_header Host $host; 
              proxy_set_header X-Real-IP  $remote_addr; 
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header   Cookie $http_cookie;                 
              proxy_pass http://localhost:9080;

    }


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/auth.solidsense.tk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/auth.solidsense.tk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

root@scw-mainflux:~/keycloak-3.4.3.Final# git diff standalone/configuration/standalone.xml
diff --git a/standalone/configuration/standalone.xml b/standalone/configuration/standalone.xml
index 2cb189a..73db59c 100644
--- a/standalone/configuration/standalone.xml
+++ b/standalone/configuration/standalone.xml
@@ -465,7 +465,7 @@
         <subsystem xmlns="urn:jboss:domain:undertow:4.0">
             <buffer-cache name="default"/>
             <server name="default-server">
-                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+               <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"  enable-http2="true"/>
                 <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
                 <host name="default-host" alias="localhost">
                     <location name="/" handler="welcome-content"/>
@@ -564,6 +564,7 @@
         <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
         <socket-binding name="http" port="${jboss.http.port:8080}"/>
         <socket-binding name="https" port="${jboss.https.port:8443}"/>
+        <socket-binding name="proxy-https" port="443"/>
         <socket-binding name="txn-recovery-environment" port="4712"/>
         <socket-binding name="txn-status-manager" port="4713"/>
         <outbound-socket-binding name="mail-smtp">

답변1

나는 이것이 오래된 것이라는 것을 알고 있지만 여전히 답변이 없으며 조회수를 보면 이것이 계속해서 나타납니다. 나는 많은 사람들이 결국 스스로 답을 찾았지만 게시하지 않을 것이라고 가정하므로 나에게 도움이 된 것을 게시하겠습니다.

일반적인 시나리오 인터넷 -> HTTPS -> ModSecNginx -> HTTP -> Keycloak

Keycloak 4.4.0 ModSecurity-nginx v1.0.0(인라인/로컬/원격으로 로드된 규칙: 0/903/0)

"모든 것", keycloak 프록시 전달 true, nginx 권장 사항 등을 수행한 후에 이와 동일한 문제가 발생했습니다.

curl https://modsec.redacted.com/auth/realms/master/.well-known/openid-configuration
{"issuer":"http://modsec.redacted.com/auth/realms/master","authorization_endpoint":"http://modsec.redacted.com/auth/realms/master/protocol/openid-connect/auth"....

구성

    server
    {
      listen 80;
      listen [::]:80;
      location /
        {

          modsecurity on;
          modsecurity_rules '
            SecRuleEngine On
            SecDebugLog /tmp/modsec_debug.log
            # Debug Levels are 3,4,5,9
            SecDebugLogLevel 3
            # The below rules are disabled, else keycloak does not work at paranoia level 5
            SecRuleRemoveById 942432 920273 942421 942420
          ';
          proxy_set_header    Host               $http_host;
          proxy_set_header    X-Real-IP          $remote_addr;
          proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
          proxy_set_header    Cookie              $http_cookie;
          proxy_set_header    X-Forwarded-Host   $host;
          proxy_set_header    X-Forwarded-Server $host;
          proxy_set_header    X-Forwarded-Port   $server_port;
          proxy_set_header    X-Forwarded-Proto  $scheme;
          proxy_pass http://keycloak:8080;
        }
    }

이게 내가 해야 했던 일이야

변화:

          proxy_set_header    X-Forwarded-Proto  $scheme;

에게:

          proxy_set_header    X-Forwarded-Proto  https;

결과

curl https://modsec.redacted.com/auth/realms/master/.well-known/openid-configuration
{"issuer":"https://modsec.redacted.com:80/auth/realms/master","authorization_endpoint":"https://modsec.redacted.com:80/auth/realms/master/protocol/openid-connect/auth"

무슨 일이 일어났는지 보셨나요?

그런 다음 다음을 변경하십시오.

          proxy_set_header    X-Forwarded-Port   $server_port;

에게:

          proxy_set_header    X-Forwarded-Proto  443;

아니면 완전히 꺼내세요.

결과

curl https://modsec.redacted.com/auth/realms/master/.well-known/openid-configuration
{"issuer":"https://modsec.redacted.com/auth/realms/master","authorization_endpoint":"https://modsec.redacted.com/auth/realms/master/protocol/openid-connect/auth",

관리 콘솔도 작동하기 시작합니다. 나는 Nginx가 이에 대한 적절한 변수($request_scheme 또는 $client_scheme?)를 갖고 있다고 확신합니다.

그게 다야!

관련 정보