libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

fix: expanding more on proxy-headers and hostname concerns (#33211)

Browse source 
closes: #33209

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
This commit is contained in:
Steven Hawkins 2024-09-24 03:42:52 -04:00 committed by GitHub
parent 46b0b6195c
commit 3793d60104
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 19 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
docs/guides/server/hostname.adoc
View file

@ -46,9 +46,13 @@ As you can observe, the HTTPS protocol is the default choice, adhering to {proje
The result of this configuration is that you can continue to access {project_name} at `https://my.keycloak.org` via HTTPS, while the proxy interacts with the instance using HTTP and port `8080`. The result of this configuration is that you can continue to access {project_name} at `https://my.keycloak.org` via HTTPS, while the proxy interacts with the instance using HTTP and port `8080`.
== Relying on a trusted proxy for dynamic URL resolution == Using a reverse proxy
If you fully trust your proxy, the `proxy-headers` option is used to dynamically resolve the URL. When a proxy is in use, the `proxy-headers` should be set. Depending on the hostname settings, some or all of the URL, may be dynamically determined.
WARNING: If either `forwarded` or `xforwarded` is selected, make sure your reverse proxy properly sets and overwrites the `Forwarded` or `X-Forwarded-*` headers respectively. To set these headers, consult the documentation for your reverse proxy. Misconfiguration will leave {project_name} exposed to security vulnerabilities.
=== Fully dynamic URLs.
For example if your reverse proxy correctly sets the Forwarded header, and you don't want to hardcode the hostname, {project_name} can accommodate this. You simply need to initiate the server as follows: For example if your reverse proxy correctly sets the Forwarded header, and you don't want to hardcode the hostname, {project_name} can accommodate this. You simply need to initiate the server as follows:
@ -56,13 +60,21 @@ For example if your reverse proxy correctly sets the Forwarded header, and you d
With this configuration, the server respects the value set by the Forwarded header. This also implies that all endpoints are dynamically resolved. With this configuration, the server respects the value set by the Forwarded header. This also implies that all endpoints are dynamically resolved.
=== Partially dynamic URLs
The `proxy-headers` option can be also used to resolve the URL partially dynamically when the `hostname` option is not specified as a full URL. For example: The `proxy-headers` option can be also used to resolve the URL partially dynamically when the `hostname` option is not specified as a full URL. For example:
<@kc.start parameters="--hostname my.keycloak.org --proxy-headers xforwarded"/> <@kc.start parameters="--hostname my.keycloak.org --proxy-headers xforwarded"/>
In this case, scheme, port and context path are resolved dynamically from X-Forwarded-* headers, while hostname is statically defined as `my.keycloak.org`. In this case, scheme, port and context path are resolved dynamically from X-Forwarded-* headers, while hostname is statically defined as `my.keycloak.org`.
WARNING: If either `forwarded` or `xforwarded` is selected, make sure your reverse proxy properly sets and overwrites the `Forwarded` or `X-Forwarded-*` headers respectively. To set these headers, consult the documentation for your reverse proxy. Misconfiguration will leave {project_name} exposed to security vulnerabilities. === Fixed URLs
The `proxy-headers` is still relevant even when the `hostname` is set to a full URL as the headers are used to determine the origin of the request. For example:
<@kc.start parameters="--hostname https://my.keycloak.org --proxy-headers xforwarded"/>
In this case, while nothing is dynamically resolved from the X-Forwarded-* headers, the X-Forwarded-* headers are used to determine the correct origin of the request.
== Exposing the Administration Console on a separate hostname == Exposing the Administration Console on a separate hostname
@ -142,6 +154,8 @@ As indicated in the previous sections, URLs can be resolved in several ways: the
* If `hostname-admin` is configured, `hostname` must be set to a URL (not just hostname). Otherwise {project_name} would not know what is the correct frontend URL (incl. port etc.) when accessing the Admin Console. * If `hostname-admin` is configured, `hostname` must be set to a URL (not just hostname). Otherwise {project_name} would not know what is the correct frontend URL (incl. port etc.) when accessing the Admin Console.
* If `hostname-backchannel-dynamic` is set to true, `hostname` must be set to a URL (not just hostname). Otherwise {project_name} would not know what is the correct frontend URL (incl. port etc.) when being access via the dynamically resolved bachchannel. * If `hostname-backchannel-dynamic` is set to true, `hostname` must be set to a URL (not just hostname). Otherwise {project_name} would not know what is the correct frontend URL (incl. port etc.) when being access via the dynamically resolved bachchannel.
Additionally if hostname is configured, then hostname-strict is ignored.
== Troubleshooting == Troubleshooting
To troubleshoot the hostname configuration, you can use a dedicated debug tool which can be enabled as: To troubleshoot the hostname configuration, you can use a dedicated debug tool which can be enabled as:

2
docs/guides/server/reverseproxy.adoc
View file

@ -18,6 +18,8 @@ Distributed environments frequently require the use of a reverse proxy. {project
* `forwarded` enables parsing of the `Forwarded` header as per https://www.rfc-editor.org/rfc/rfc7239.html[RFC7239]. * `forwarded` enables parsing of the `Forwarded` header as per https://www.rfc-editor.org/rfc/rfc7239.html[RFC7239].
* `xforwarded` enables parsing of non-standard `X-Forwarded-*` headers, such as `X-Forwarded-For`, `X-Forwarded-Proto`, `X-Forwarded-Host`, and `X-Forwarded-Port`. * `xforwarded` enables parsing of non-standard `X-Forwarded-*` headers, such as `X-Forwarded-For`, `X-Forwarded-Proto`, `X-Forwarded-Host`, and `X-Forwarded-Port`.
NOTE: If you are using a reverse proxy and do not set the `proxy-headers` option, then by default you will see 403 Forbidden responses to requests via the proxy that perform origin checking.
For example: For example:
<@kc.start parameters="--proxy-headers forwarded"/> <@kc.start parameters="--proxy-headers forwarded"/>