How can I configure gloo to generate headers in the outgoing response? - gloo

Hi, I have a gloo deployment. Gloo receives HTTP requests from the client. It then forwards the requests to the upstream microservices.
I have a requirement that when gloo receives an inbound request, I have to generate the following headers to be available in the response.
X-forwarded-proto
X-forwarded-host
X-forwarded-port
X-forwarded-For
How can I achieve it?

Related

Keycloak redirect too many times in my loadbalance services

I'm trying to use Keycloak in my load-balanced service with Nginx.
But when I call the service API, I receive the error "Too Many Redirects" in the browser.
I guess this process should be:
1. Request is load-balanced to service A
2. Keycloak in service A redirects to the login page
3. Login with password & username
----------------The above is correct----------------------------------
4. Keycloak redirects to the original page but **load-balances to service B**
5. Keycloak in service B redirects to the login page
6. Auto login without password
7. Keycloak redirects to the original page but load-balances to service A
8. Keycloak in service A redirects to the login page
9. Auto login without password
10. Then it loops forever...
How should I change my keycloak config and fix the bug?
nginx.conf:
http {
    upstream backend {
        server 127.0.0.1:8001 weight=1;
        server 127.0.0.1:8002 weight=1;
    }
    ...
    ...
    server {
        listen 80;
        server_name localhost;
        location / {
            proxy_pass http://backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        ...
        ...
    }
}
And Springboot keycloak config in the application.properties:
# server.port is modified by command line
server.port=8002
keycloak.auth-server-url=http://172.20.51.25:8080/auth
keycloak.realm=autocv
keycloak.public-client=true
keycloak.resource=oauthtest
keycloak.securityConstraints[0].authRoles[0]=aps
keycloak.securityConstraints[0].securityCollections[0].name= common
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*
keycloak client config
You should follow the Official Keycloak Guide Setting Up a Load Balancer or Proxy. Also don't forget to add the following configuration as mentioned in the official docs.
proxy-address-forwarding
Also enable reverse proxy configurations for your configurations.
Configure your reverse proxy or loadbalancer to properly set X-Forwarded-For and X-Forwarded-Proto HTTP headers.
Configure your reverse proxy or loadbalancer to preserve the original Host HTTP header.
Configure the authentication server to read the client’s IP address from X-Forwarded-For header. - from Keycloak Documentation - Identifying Client IP Addresses

Amazon API gateway ignores set-cookie

I am trying to set session cookie from a Lambda API Gateway integration to the client but it will never send the Set-Cookie header.
I don't see the Set-Cookie in the API Gateway logs either.
Here is an example of the Set-Cookie header hard-coded in the Integration Response when HTTP Status is 200
The Set-Cookie is not sent but the Access-Control-Allow-Credentials header is sent to the client
UPDATE 23-06
It appears that using the Mapping template in the Integration Response is working but setting it in the Header Mapping doesn't.

Will api gateway forward headers downstream

What are the headers that will be forwarded and what will be modified and dropped
With some exceptions, by default, API Gateway forwards all headers on incoming requests to the downstream services.
The most notable exceptions, ignoring whitelisting and other specific features:
- Authorization header if the request is authenticated with Security Token Service
- Accept header and Content-Type header may be manipulated based on the route configuration and version: https://confluence.inside-box.net/display/ETO/On-boarding+new+APIs#On-boardingnewAPIs-HeaderManipulation

Keycloak login and register actions not https

I have nginx that will handle https, but the login and register forms of keycloak have http actions and I can't find a way to set them to https.
Making them to https in the browser works correctly.
There are two variables:
{url.registrationUrl}
{url.loginAction}
Where are these values coming from?
EDIT:
I made a workaround
{url.registrationUrl?replace('http', 'https')}
Use proxy-address-forwarding.
Forward the original schema in Nginx (server.conf)
proxy_set_header X-Forwarded-Proto $scheme;
Use this information in Keycloak (standalone/domain.xml)
proxy-address-forwarding=true in http-listener
https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses

Keycloak - URL Reset Password email behind a proxy

We are using Keycloak 2.0.0.Final installed behind a nginx proxy on a RedHat environment.
We are currently facing a problem with the Reset Password functionality, which sends an email with the internal server host instead of the external one in the action URL, as we are behind a proxy.
I receive this by email: https://internal/auth/realms/MYREALM/login-actions/reset-credentials?code=wYhHP(...) but the end user should see https://external/auth/realms/MYREALM/login-actions/reset-credentials?code=wYhHP(...). The whole proxy settings work perfectly otherwise, it's basically an URL rewriting function.
I found this ticket relating a similar case but the solution isn't ideal: http://lists.jboss.org/pipermail/keycloak-user/2015-October/003428.html
Any hidden properties, settings we could use or solution to fix this issue?
Thanks
Nginx sets the emailed URL prefix from the contents of the Host header, so your nginx proxy needs to be configured to pass the Host header intact.
Something like this:
proxy_pass <your internal keycloak URL or IP address>;
...
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
...
You may also need to set X-forwarded-proto if your internal URL is not https
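
The header handling discussed in the Keycloak answers above, as an added example (not part of the original posts and not Keycloak's code): a Python sketch of a backend behind the proxy deriving the external URL and the client IP, honoring X-Forwarded-* only when the connection comes from a trusted proxy. `TRUSTED_PROXIES`, the function names and the sample requests are assumptions; the hostnames `external` and `internal` are the placeholders used in the question.

```python
import ipaddress

# Assumption for this sketch: only these peers may supply X-Forwarded-* headers.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/8")]


def _parse(value):
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _trusted(value):
    addr = _parse(value)
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, headers):
    """Return the right-most X-Forwarded-For hop that is not a trusted proxy."""
    if not _trusted(peer_ip):
        return peer_ip  # direct connection: the header is client-controlled
    hops = [h for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse(hop) is None:
            break  # malformed entry: stop walking the chain
        if not _trusted(hop):
            return hop.strip()
    return peer_ip


def external_base_url(peer_ip, headers, listener_scheme="http"):
    """Scheme and host a backend would use for redirects and e-mailed links."""
    scheme = listener_scheme
    if _trusted(peer_ip):
        proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            scheme = proto
    return f"{scheme}://{headers.get('Host', 'internal')}"


# Constructed requests as the backend sees them (hostnames as in the post).
VIA_PROXY = {"Host": "external", "X-Forwarded-Proto": "https",
             "X-Forwarded-For": "192.0.2.66, 203.0.113.7"}  # first hop sent by client
NO_FORWARDING = {"Host": "internal"}  # proxy_set_header lines missing

if __name__ == "__main__":
    print(external_base_url("127.0.0.1", VIA_PROXY), client_ip("127.0.0.1", VIA_PROXY))
    print(external_base_url("127.0.0.1", NO_FORWARDING))
    print(external_base_url("198.51.100.9", VIA_PROXY), client_ip("198.51.100.9", VIA_PROXY))
```

The `Host` value is still chosen by the client even when the proxy passes it through, so a deployment that e-mails links can additionally pin the hostname to a fixed, configured value.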
