keycloak redirect behind reverse proxy


Question

I am trying to get keycloak to run behind a kong ingress in kubernetes. The issue I am having is keycloak is adding a port it thinks it is on to the urls it is returning.

request: auth.mydomain.com/auth
response: auth.mydomain.com:8443/auth/admin/master/console/

client -> NLB:443 -> kong:8443 -> keycloak:8080

keycloak sees the request's x-forwarded-port: 8443 that kong sets and replies with a path on port 8443

Kong must be on 8443 now because of how it is launched in the container under the user kong and doesn't have access to the privileged ports.

I have set the configs keycloak suggests,

/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)

But these look like they tell undertow to reply with 443 if the request comes in in plain text; my x-forwarded-proto: https is set correctly.

The issue could also be the host header.

----------------------------REQUEST---------------------------
               URI=/auth/admin/
 characterEncoding=null
     contentLength=-1
       contentType=null
            header=X-Real-IP=<REDACTED>
            header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            header=Accept-Language=en-us
            header=Accept-Encoding=br, gzip, deflate
            header=User-Agent=<REDACTED>
            header=Connection=keep-alive
            header=X-Forwarded-Proto=https
            header=X-Forwarded-Port=8443
            header=X-Forwarded-For=<REDACTED>
            header=Referer=https://auth.my-domain.com/auth/
            header=Host=auth.my-domain.com:8443
            header=X-Forwarded-Host=auth.my-domain.com
            locale=[en_US]
            method=GET
          protocol=HTTP/1.1
       queryString=
        remoteAddr=/<REDACTED>
        remoteHost=<REDACTED>
            scheme=https
              host=auth.my-domain.com:8443
        serverPort=8443
          isSecure=true
--------------------------RESPONSE--------------------------
     contentLength=0
       contentType=null
            header=Connection=keep-alive
            header=Location=https://auth.my-domain.com:8443/auth/admin/master/console/
            header=Content-Length=0
            header=Date=Fri, 21 Jun 2019 07:05:28 GMT
            status=302

It would be great if I could get keycloak to respond with just a path and not a port, or if it has to respond with a port, just tell it what port I want it to talk on.

Answer

There is a hostname SPI which allows you to set the hostname and port for Keycloak instead of retrieving them from the HTTP request. You can set the ports to the default ones (80/443) and the resulting URLs will not have a port displayed.

# Replace `request` provider with `fixed`
/subsystem=keycloak-server/spi=hostname:write-attribute(name=default-provider,value=fixed)
# Set hostname and ports for http and https
/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.hostname,value=example.org)
/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.httpsPort,value=443)
/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.httpPort,value=80)

These values are not runtime configurable, thus you have to restart Keycloak after the changes.
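To see why the two hostname providers behave differently, here is an added Python model of how the public origin is derived from the request headers (the `request` provider, trusting X-Forwarded-* as Undertow does with proxy-address-forwarding=true) versus from configuration (the `fixed` provider), plus a check that a 302's Location header does not leak the proxy's internal port. This is example code, not Keycloak's own implementation; the header values are taken from the request dump in the question, with redacted fields left out, and the function names are my own.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def render(scheme, host, port):
    """Build an origin, omitting the port when it is the scheme's default."""
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def origin_from_request(headers, proxy_address_forwarding=True):
    """Model of the 'request' provider: scheme, host and port come from
    X-Forwarded-* when proxy address forwarding is on, else from Host."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = "http"
    host, _, port = h.get("host", "").partition(":")
    if proxy_address_forwarding:
        scheme = h.get("x-forwarded-proto", scheme)
        host = h.get("x-forwarded-host", host)
        port = h.get("x-forwarded-port", port)  # 8443 here: the leak
    port = int(port) if port else DEFAULT_PORTS[scheme]
    return render(scheme, host, port)


def origin_fixed(scheme, hostname, http_port=80, https_port=443):
    """Model of the 'fixed' provider: hostname and ports are configured;
    only the scheme is taken from the request (assumption of this model)."""
    port = https_port if scheme == "https" else http_port
    return render(scheme, hostname, port)


def check_redirect(location, expected_origin):
    """Return None if Location is relative or on the expected public origin,
    otherwise a message naming the origin that leaked into the redirect."""
    u = urlsplit(location)
    if not u.scheme and not u.netloc:
        return None  # path-only redirect, nothing to leak
    got = f"{u.scheme}://{u.netloc}"
    return None if got == expected_origin else f"Location uses {got}, expected {expected_origin}"


# Constructed from the dump in the question (redacted headers omitted).
REQUEST_HEADERS = {
    "Host": "auth.my-domain.com:8443",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "8443",
    "X-Forwarded-Host": "auth.my-domain.com",
}
LOCATION = "https://auth.my-domain.com:8443/auth/admin/master/console/"
PUBLIC_ORIGIN = "https://auth.my-domain.com"  # what the NLB exposes on 443
```

Running `check_redirect(LOCATION, PUBLIC_ORIGIN)` against the captured response flags the :8443 origin, while `origin_fixed("https", "auth.my-domain.com")` yields the port-free origin the fixed provider produces.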
