keycloak redirect behind reverse proxy


Question


I am trying to get keycloak to run behind a kong ingress in kubernetes. The issue I am having is that keycloak is adding a port it thinks it is on to the urls it is returning.

request: auth.mydomain.com/auth
response: auth.mydomain.com:8443/auth/admin/master/console/


client -> NLB:443 -> kong:8443 -> keycloak:8080


keycloak sees the request's x-forwarded-port: 8443 header that kong sets and replies with a path on port 8443.


Kong must be on 8443 now because of how it is launched in the container under the user kong and doesn't have access to the privileged ports.


I have set the configs keycloak suggests:

/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)


But these look like they tell undertow to reply with 443 if the request comes in in plain text; my x-forwarded-proto: https is set correctly.


It is also possible that the issue is the host header instead.

----------------------------REQUEST---------------------------
               URI=/auth/admin/
 characterEncoding=null
     contentLength=-1
       contentType=null
            header=X-Real-IP=<REDACTED>
            header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            header=Accept-Language=en-us
            header=Accept-Encoding=br, gzip, deflate
            header=User-Agent=<REDACTED>
            header=Connection=keep-alive
            header=X-Forwarded-Proto=https
            header=X-Forwarded-Port=8443
            header=X-Forwarded-For=<REDACTED>
            header=Referer=https://auth.my-domain.com/auth/
            header=Host=auth.my-domain.com:8443
            header=X-Forwarded-Host=auth.my-domain.com
            locale=[en_US]
            method=GET
          protocol=HTTP/1.1
       queryString=
        remoteAddr=/<REDACTED>
        remoteHost=<REDACTED>
            scheme=https
              host=auth.my-domain.com:8443
        serverPort=8443
          isSecure=true
--------------------------RESPONSE--------------------------
     contentLength=0
       contentType=null
            header=Connection=keep-alive
            header=Location=https://auth.my-domain.com:8443/auth/admin/master/console/
            header=Content-Length=0
            header=Date=Fri, 21 Jun 2019 07:05:28 GMT
            status=302


It would be great if I could get keycloak to respond with just a path and not a port, or if it has to respond with a port, just tell it what port I want it to talk on.

Answer


There is a hostname SPI which allows you to set the hostname and port for Keycloak instead of retrieving them from the HTTP request. You can set the ports to the default ones (80/443) and the resulting URLs will not have a port displayed.

# Replace `request` provider with `fixed`
/subsystem=keycloak-server/spi=hostname:write-attribute(name=default-provider,value=fixed)
# Set hostname and ports for http and https
/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.hostname,value=example.org)
/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.httpsPort,value=443)
/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.httpPort,value=80)


These values are not runtime configurable, so you have to restart Keycloak after the changes.
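To make the difference between the two providers concrete, here is an added example (not from the question, the answer, or Keycloak itself) that models how a header-driven provider builds the public base URL from the forwarded headers shown in the request dump, how a fixed provider builds it from configuration alone, and a small check for verifying that a redirect Location no longer carries a port after the change. The header handling is an assumed simplification of the proxy-aware behaviour, and the sample headers are constructed from the dump.

```python
from urllib.parse import urlsplit

# Constructed sample, modelled on the Undertow request dump in the question.
SAMPLE_HEADERS = {
    "Host": "auth.my-domain.com:8443",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "auth.my-domain.com",
    "X-Forwarded-Port": "8443",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def base_url_from_request(headers):
    """Assumed model of the header-driven ('request') provider: scheme from
    X-Forwarded-Proto, host from X-Forwarded-Host (else Host), port from
    X-Forwarded-Port. Only a non-default port is written into the URL, which
    is why the 8443 that kong forwards ends up in the redirect."""
    scheme = headers.get("X-Forwarded-Proto", "http").lower()
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    host = host.split(":", 1)[0]  # drop any port carried inside the Host header
    port = int(headers.get("X-Forwarded-Port") or DEFAULT_PORTS[scheme])
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def base_url_fixed(scheme, hostname, http_port=80, https_port=443):
    """Model of the 'fixed' provider: hostname and ports come only from
    configuration, so nothing a client or proxy sends can change the URL."""
    port = https_port if scheme == "https" else http_port
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{hostname}"
    return f"{scheme}://{hostname}:{port}"


def location_is_clean(location, expected_host):
    """Post-change check on a redirect: https, the expected public host,
    and no explicit port in the Location header."""
    parts = urlsplit(location)
    return (parts.scheme == "https"
            and parts.hostname == expected_host
            and parts.port is None)


if __name__ == "__main__":
    print(base_url_from_request(SAMPLE_HEADERS))   # https://auth.my-domain.com:8443
    print(base_url_fixed("https", "example.org"))  # https://example.org
```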
