From 3793d601043f01466242eed7d8ea1c746c20b91e Mon Sep 17 00:00:00 2001 From: Steven Hawkins Date: Tue, 24 Sep 2024 03:42:52 -0400 Subject: [PATCH] fix: expanding more on proxy-headers and hostname concerns (#33211) closes: #33209 Signed-off-by: Steve Hawkins --- docs/guides/server/hostname.adoc | 20 +++++++++++++++++--- docs/guides/server/reverseproxy.adoc | 2 ++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/docs/guides/server/hostname.adoc b/docs/guides/server/hostname.adoc index 2daeb3b40d..807f59d12e 100644 --- a/docs/guides/server/hostname.adoc +++ b/docs/guides/server/hostname.adoc @@ -46,9 +46,13 @@ As you can observe, the HTTPS protocol is the default choice, adhering to {proje The result of this configuration is that you can continue to access {project_name} at `https://my.keycloak.org` via HTTPS, while the proxy interacts with the instance using HTTP and port `8080`. -== Relying on a trusted proxy for dynamic URL resolution +== Using a reverse proxy -If you fully trust your proxy, the `proxy-headers` option is used to dynamically resolve the URL. +When a proxy is in use, the `proxy-headers` should be set. Depending on the hostname settings, some or all of the URL, may be dynamically determined. + +WARNING: If either `forwarded` or `xforwarded` is selected, make sure your reverse proxy properly sets and overwrites the `Forwarded` or `X-Forwarded-*` headers respectively. To set these headers, consult the documentation for your reverse proxy. Misconfiguration will leave {project_name} exposed to security vulnerabilities. + +=== Fully dynamic URLs. For example if your reverse proxy correctly sets the Forwarded header, and you don't want to hardcode the hostname, {project_name} can accommodate this. You simply need to initiate the server as follows: @@ -56,13 +60,21 @@ For example if your reverse proxy correctly sets the Forwarded header, and you d With this configuration, the server respects the value set by the Forwarded header. This also implies that all endpoints are dynamically resolved. +=== Partially dynamic URLs + The `proxy-headers` option can be also used to resolve the URL partially dynamically when the `hostname` option is not specified as a full URL. For example: <@kc.start parameters="--hostname my.keycloak.org --proxy-headers xforwarded"/> In this case, scheme, port and context path are resolved dynamically from X-Forwarded-* headers, while hostname is statically defined as `my.keycloak.org`. -WARNING: If either `forwarded` or `xforwarded` is selected, make sure your reverse proxy properly sets and overwrites the `Forwarded` or `X-Forwarded-*` headers respectively. To set these headers, consult the documentation for your reverse proxy. Misconfiguration will leave {project_name} exposed to security vulnerabilities. +=== Fixed URLs + +The `proxy-headers` is still relevant even when the `hostname` is set to a full URL as the headers are used to determine the origin of the request. For example: + +<@kc.start parameters="--hostname https://my.keycloak.org --proxy-headers xforwarded"/> + +In this case, while nothing is dynamically resolved from the X-Forwarded-* headers, the X-Forwarded-* headers are used to determine the correct origin of the request. == Exposing the Administration Console on a separate hostname @@ -142,6 +154,8 @@ As indicated in the previous sections, URLs can be resolved in several ways: the * If `hostname-admin` is configured, `hostname` must be set to a URL (not just hostname). Otherwise {project_name} would not know what is the correct frontend URL (incl. port etc.) when accessing the Admin Console. * If `hostname-backchannel-dynamic` is set to true, `hostname` must be set to a URL (not just hostname). Otherwise {project_name} would not know what is the correct frontend URL (incl. port etc.) when being access via the dynamically resolved bachchannel. +Additionally if hostname is configured, then hostname-strict is ignored. + == Troubleshooting To troubleshoot the hostname configuration, you can use a dedicated debug tool which can be enabled as: diff --git a/docs/guides/server/reverseproxy.adoc b/docs/guides/server/reverseproxy.adoc index 3fc23ed288..c51713905f 100644 --- a/docs/guides/server/reverseproxy.adoc +++ b/docs/guides/server/reverseproxy.adoc @@ -18,6 +18,8 @@ Distributed environments frequently require the use of a reverse proxy. {project * `forwarded` enables parsing of the `Forwarded` header as per https://www.rfc-editor.org/rfc/rfc7239.html[RFC7239]. * `xforwarded` enables parsing of non-standard `X-Forwarded-*` headers, such as `X-Forwarded-For`, `X-Forwarded-Proto`, `X-Forwarded-Host`, and `X-Forwarded-Port`. +NOTE: If you are using a reverse proxy and do not set the `proxy-headers` option, then by default you will see 403 Forbidden responses to requests via the proxy that perform origin checking. + For example: <@kc.start parameters="--proxy-headers forwarded"/>