commit
03b8aa1fc2
3 changed files with 59 additions and 12 deletions
|
@ -8,7 +8,7 @@ import java.util.regex.Pattern;
|
||||||
*/
|
*/
|
||||||
public class UriUtils {
|
public class UriUtils {
|
||||||
|
|
||||||
private static final Pattern originPattern = Pattern.compile("(http://|https://)[\\w]+(\\.[\\w]+)*(:[\\d]{2,5})?");
|
private static final Pattern originPattern = Pattern.compile("(http://|https://)[\\w-]+(\\.[\\w-]+)*(:[\\d]{2,5})?");
|
||||||
|
|
||||||
public static String getOrigin(URI uri) {
|
public static String getOrigin(URI uri) {
|
||||||
return getOrigin(uri.toString());
|
return getOrigin(uri.toString());
|
||||||
|
|
|
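Review bot: The widened class `[\\w-]` on the originPattern line admits a hyphen at any position inside a label, so hosts such as `-sub.test.com` or `sub-.test.com` now match although neither is a valid hostname label; if the intent is hostname-shaped input only, keeping hyphens interior per label, `"(http://|https://)[\\w](?:[\\w-]*[\\w])?(\\.[\\w](?:[\\w-]*[\\w])?)*(:[\\d]{2,5})?"`, would preserve the new sub-sub/test-test cases while rejecting those. The pattern also still has no branch for IPv6 literal hosts (`https://[::1]`), which the commit does not address and the new tests do not cover. getOrigin(String), where the pattern is presumably applied, lies outside the hunk, so whether it uses matches() or find() cannot be confirmed here; since this is an origin check, that distinction matters for what a trailing path or userinfo would do.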
@ -24,6 +24,8 @@ public class UriUtilsTest {
|
||||||
assertValid("http://192.168.123.123");
|
assertValid("http://192.168.123.123");
|
||||||
assertValid("https://192.168.123.123");
|
assertValid("https://192.168.123.123");
|
||||||
assertValid("https://192.168.123.123:8080");
|
assertValid("https://192.168.123.123:8080");
|
||||||
|
assertValid("https://sub-sub.test.com");
|
||||||
|
assertValid("https://sub.test-test.com");
|
||||||
|
|
||||||
assertInvalid("https://test/");
|
assertInvalid("https://test/");
|
||||||
assertInvalid("{");
|
assertInvalid("{");
|
||||||
|
|
|
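Review bot: The two new assertValid cases only exercise a hyphen in the interior of a label; nothing pins the boundary the widened pattern now draws, so a case such as `assertInvalid("https://-sub.test.com");` or `assertInvalid("https://sub-.test.com");` would document whether a leading or trailing hyphen is meant to be accepted (as the pattern in the sibling hunk currently reads, both would match and these assertions would fail, which is exactly the decision to make explicit). A hyphenated host combined with a port, `assertValid("https://sub-sub.test.com:8080");`, is also absent. The enclosing test method starts and ends outside the hunk.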
@ -625,20 +625,31 @@ keycloak-war-dist-all-&project.version;/
|
||||||
<literal>X-Forwarded-Proto</literal> headers on the requests made to Keycloak. Next you need to enable
|
<literal>X-Forwarded-Proto</literal> headers on the requests made to Keycloak. Next you need to enable
|
||||||
<literal>proxy-address-forwarding</literal> on the Keycloak http connector. Assuming that your reverse
|
<literal>proxy-address-forwarding</literal> on the Keycloak http connector. Assuming that your reverse
|
||||||
proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to.
|
proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to.
|
||||||
This is done by editing <literal>standalone/configuration/standalone.xml</literal>.
|
|
||||||
</para>
|
</para>
|
||||||
First add <literal>proxy-address-forwarding</literal> and <literal>redirect-socket</literal> to the <literal>http-listener</literal>
|
|
||||||
element:
|
<section>
|
||||||
|
<title>WildFly</title>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
|
Open <literal>standalone/configuration/standalone.xml</literal> in your favorite editor.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
First add <literal>proxy-address-forwarding</literal> and <literal>redirect-socket</literal> to
|
||||||
|
the <literal>http-listener</literal> element:
|
||||||
<programlisting><![CDATA[<subsystem xmlns="urn:jboss:domain:undertow:1.1">
|
<programlisting><![CDATA[<subsystem xmlns="urn:jboss:domain:undertow:1.1">
|
||||||
...
|
...
|
||||||
<http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
|
<http-listener name="default" socket-binding="http"
|
||||||
|
proxy-address-forwarding="true" redirect-socket="proxy-https"/>
|
||||||
...
|
...
|
||||||
</subsystem>
|
</subsystem>
|
||||||
]]></programlisting>
|
]]></programlisting>
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
Then add a new <literal>socket-binding</literal> element to the <literal>socket-binding-group</literal> element:
|
Then add a new <literal>socket-binding</literal> element to the <literal>socket-binding-group</literal> element:
|
||||||
<programlisting><![CDATA[
|
<programlisting><![CDATA[
|
||||||
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
|
<socket-binding-group name="standard-sockets" default-interface="public"
|
||||||
|
port-offset="${jboss.socket.binding.port-offset:0}">
|
||||||
...
|
...
|
||||||
<socket-binding name="proxy-https" port="443"/>
|
<socket-binding name="proxy-https" port="443"/>
|
||||||
...
|
...
|
||||||
|
@ -650,6 +661,40 @@ keycloak-war-dist-all-&project.version;/
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>AS7/EAP</title>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
Open <literal>standalone/configuration/standalone.xml</literal> in your favorite editor.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
You need to add <literal>redirect-port</literal> to http <literal>connector</literal> element and
|
||||||
|
add the <literal>RemoteIpValve</literal> valve:
|
||||||
|
<programlisting><![CDATA[
|
||||||
|
<subsystem xmlns="urn:jboss:domain:web:1.5"
|
||||||
|
default-virtual-server="default-host" native="false">
|
||||||
|
<connector name="http" protocol="HTTP/1.1" scheme="http"
|
||||||
|
socket-binding="http"
|
||||||
|
redirect-port="443"/>
|
||||||
|
<virtual-server name="default-host" enable-welcome-root="true">
|
||||||
|
<alias name="localhost"/>
|
||||||
|
<alias name="example.com"/>
|
||||||
|
</virtual-server>
|
||||||
|
<valve name="remoteipvalve" module="org.jboss.as.web"
|
||||||
|
class-name="org.apache.catalina.valves.RemoteIpValve">
|
||||||
|
<param param-name="protocolHeader" param-value="x-forwarded-proto"/>
|
||||||
|
</valve>
|
||||||
|
</subsystem>
|
||||||
|
]]></programlisting>
|
||||||
|
</para>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
</section>
|
||||||
|
|
||||||
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Enforce HTTPS For Server Connections</title>
|
<title>Enforce HTTPS For Server Connections</title>
|
||||||
<para>
|
<para>
|
||||||
|
|