Moving to https in keycloak using nginx
Question
JSF project: Wildfly + App (on 8080); same server Keycloak (on 8180).
When I trigger a login (by going to a page that needs login) I go to this link:
https://thexxxxxx.nz/auth/realms/TheXxxxxXxxxx/protocol/openid-connect/auth?response_type=code&client_id=thexxxxxxxxx&redirect_uri=https%3A%2F%2Fthexxxxxxx.nz%2Fthexxxxxxx%2Fpages%2Fmy%2Fdashboard.jsf&state=8a73b245-b8b2-41ff-8dd4-9c28d4066e17&login=true&scope=openid
This gives: Invalid parameter: redirect_uri
If I then change the redirect to https:
redirect_uri=https%3A%2F%2Fthexxxxxxx.nz%2Fthexxxxxxx%2Fpages%2Fmy%2Fdashboard.jsf&state=8a73b245-b8b2-41ff-8dd4-9c28d4066e17&login=true&scope=openid
then I get to keycloak (more problems later; but I would like to fix this first).
The question is: where do I look to set the redirect to be https?
Note: these are the changes I did to cope with https and nginx (based on the doco):
<subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="proxy-https" enable-http2="true" proxy-address-forwarding="true" />
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
and
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="proxy-https" port="443"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
On the wildfly app server:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="thexxxxx.war">
<realm>TheXxxxXxxxx</realm>
<resource>thexxxxxxx</resource>
<public-client>true</public-client>
<auth-server-url>https://thexxxxx.nz/auth/</auth-server-url>
<ssl-required>EXTERNAL</ssl-required>
</secure-deployment>
</subsystem>
This is the nginx config:
server {
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name www.thexxxxx.nz thexxxxxxx.nz; # managed by Certbot
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location /thexxxxxx/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8080/thexxxxxx/;
client_max_body_size 10M;
}
location /auth/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8180/auth/;
client_max_body_size 10M;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.thexxxxxx.nz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.thexxxxx.nz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = thexxxxxx.nz) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = www.thexxxxx.nz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name www.thexxxxxx.nz thexxxxxxx.nz;
return 404; # managed by Certbot
}
Answer
I found the solution:
In the client for the Realm, under Valid Redirect URIs, add a line with *
The image upload is blocked/failed...
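The following is an added example, not code from the question, the answer or Keycloak itself. It is a simplified model of how Keycloak compares the redirect_uri parameter with a client's Valid Redirect URIs list, written to show two things at once: why the http:// redirect_uri the adapter generates in the question is rejected when only the https:// URL is registered ("Invalid parameter: redirect_uri"), and what the bare "*" entry from the answer actually permits. The matching rules (exact match, trailing "*" prefix match, one retry with the query string stripped) are the author's reading of Keycloak's RedirectUtils and are assumed to be faithful; the hostnames app.example.test, evil.example.test and idp.example.test and the three client configurations are constructed placeholders.

```python
"""Simplified model of Keycloak's redirect_uri validation (added example).

Assumptions: rules follow Keycloak's RedirectUtils.matchesRedirects as the
author understands them; all URLs and client configurations below are
constructed for illustration and are not from the original page.
"""
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit


def redirect_uri_allowed(redirect_uri: str, valid_redirects: Iterable[str]) -> Optional[str]:
    """Return the Valid Redirect URIs entry that admits redirect_uri, or None.

    Rules (simplified):
      * an entry equal to redirect_uri matches;
      * an entry ending in "*" (and containing no "?") matches any redirect_uri
        that starts with the entry minus the "*", also after dropping a
        trailing "/" from that prefix;
      * if nothing matched, retry once with the query string removed.
    A bare "*" has an empty prefix, so it admits every redirect_uri.
    """
    entries = list(valid_redirects)
    if not entries:
        return None

    def matches(uri: str) -> Optional[str]:
        for entry in entries:
            if entry.endswith("*") and "?" not in entry:
                prefix = entry[:-1]
                if uri.startswith(prefix):
                    return entry
                if prefix.endswith("/") and uri.startswith(prefix[:-1]):
                    return entry
            elif entry == uri:
                return entry
        return None

    found = matches(redirect_uri)
    if found is None and "?" in redirect_uri:
        found = matches(redirect_uri.split("?", 1)[0])
    return found


def redirect_uri_from_auth_url(auth_url: str) -> str:
    """Extract the URL-decoded redirect_uri from an OIDC authorization request URL."""
    return parse_qs(urlsplit(auth_url).query)["redirect_uri"][0]


# Constructed sample values (placeholders, not the hosts from the question).
APP_HTTPS = "https://app.example.test/myapp/pages/my/dashboard.jsf"   # real public URL
APP_HTTP = "http://app.example.test/myapp/pages/my/dashboard.jsf"     # what an adapter
                                                                      # builds when it does
                                                                      # not see the proxy's
                                                                      # forwarded scheme
ATTACKER = "https://evil.example.test/steal?victim=1"                 # foreign host

# Authorization URL as the adapter would emit it with the http redirect_uri.
AUTH_URL = (
    "https://idp.example.test/auth/realms/Example/protocol/openid-connect/auth"
    "?response_type=code&client_id=myapp"
    "&redirect_uri=http%3A%2F%2Fapp.example.test%2Fmyapp%2Fpages%2Fmy%2Fdashboard.jsf"
    "&state=abc&login=true&scope=openid"
)

STRICT_CLIENT = [APP_HTTPS]                            # exact https URL only
SCOPED_CLIENT = ["https://app.example.test/myapp/*"]   # wildcard limited to the app path
WILDCARD_CLIENT = ["*"]                                # the answer's suggestion


def scenario(valid_redirects: Iterable[str]) -> dict:
    """Report which of the sample redirect_uri values a client config admits."""
    cfg = list(valid_redirects)
    return {
        "app_https": redirect_uri_allowed(APP_HTTPS, cfg) is not None,
        "app_http": redirect_uri_allowed(APP_HTTP, cfg) is not None,
        "attacker": redirect_uri_allowed(ATTACKER, cfg) is not None,
    }


if __name__ == "__main__":
    print("redirect_uri sent by the adapter:", redirect_uri_from_auth_url(AUTH_URL))
    for name, cfg in (("strict", STRICT_CLIENT), ("scoped", SCOPED_CLIENT), ("wildcard", WILDCARD_CLIENT)):
        print(f"{name:9s} {cfg} -> {scenario(cfg)}")
```

Running it shows the strict and path-scoped clients rejecting both the http variant (the question's symptom) and the foreign host, while the bare "*" client admits all three, including the attacker-controlled URL that would then receive the authorization code. The practitioner's check is therefore on the app side: confirm that the redirect_uri in the Location header the app emits is https once nginx sends X-Forwarded-Proto and the http-listener has proxy-address-forwarding="true", and register that exact https URL (or a wildcard scoped to the app path) rather than "*".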