Hello every one I am trying to configure keycloak and while skimming around the docs I have come across this config for undertow subsystem in wildfly (upon which keycloak runs) and verified it in my standalone.xml file
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
.....
.....
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
Now what I want to know is why the http-listener has a redirect-socket set to "https" as this listener is supposed to be listening for http requests made to the keycloak server? right? and we do have a separate https-listener. Also in a case of reverse proxy sitting in front of keycloak all requests made to keycloak via the proxy using http shall also end up on the http listener right? so why is http-listener redirecting request to a https socket binding?
What at first seems unreasonable has a very simple explanation: Keycloak should communicate with Users and Client over https. So, if a users attempts to start a session over http, he immediately redirected to https.
On the other hand, if a user already started a session over https, there is no need to redirect him further.
Related
I am certifying my application on JBoss EAP 7. My application works on standalone mode but in cluster mode, my application gets deployed but I am unable to login. I am again re-routed to login url.
I have setup cluster using mod_cluster.
There is no error log in Load Balancer Server logs neither on individual nodes of the cluster.
In my test environment, my load balancer and 2 server nodes are on same machine. I have given JBoss nodes different ports and instance-ids to differentiate the nodes.
I am sharing my mod_cluster.conf and JBoss standalone-ha.xml extracts from one of the nodes in cluster.
Following are the snippets in standalone-ha.xml file:
Modcluster settings are:
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
<mod-cluster-config advertise-socket="modcluster" proxies="proxy1" balancer="testcluster" advertise="true" connector="ajp">
<dynamic-load-provider>
<load-metric type="busyness"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
Undertow settings are:
<subsystem xmlns="urn:jboss:domain:undertow:3.1" instance-id="node1">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
</subsystem>
Contents of Socket Binding Group are:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="jgroups-mping" interface="private" port="0" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
<socket-binding name="jgroups-tcp" interface="private" port="7600"/>
<socket-binding name="jgroups-tcp-fd" interface="private" port="57600"/>
<socket-binding name="jgroups-udp" interface="private" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
<socket-binding name="jgroups-udp-fd" interface="private" port="54200"/>
<socket-binding name="modcluster" port="0" multicast-address="224.0.1.105" multicast-port="23364"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
<outbound-socket-binding name="proxy1">
<!-- host and port number of the load-balancer. -->
<remote-destination host="x.x.x.x" port="81"/>
</outbound-socket-binding>
</socket-binding-group>
Contents of mod_cluster.conf are as follows:
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so
MemManagerFile "//httpd2.4.6Home/var/cache/mod_cluster"
<IfModule manager_module>
Listen 81
<VirtualHost *:81>
<Directory />
Require all granted
</Directory>
<Location />
Require all granted
</Location>
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
Require all granted
</Location>
KeepAliveTimeout 60
MaxKeepAliveRequests 0
ManagerBalancerName testcluster
AdvertiseFrequency 5
ServerAdvertise on
EnableMCPMReceive
</VirtualHost>
</IfModule>
Basically you have two options - either create a cluster using JBoss own domain mode or extend you standalone configuration to contain required elements for session replication and sso.
In domain mode, most of the configurations are already present in EAP7 - just extend domain-full-ha profile.
Required changes include enabling distributable flag in your web app web.xml - simply add <distributable/> to your web.xml.
Next add single sign on flag to your undertow system:
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<single-sign-on/> <!-- FIXME: enable SSO here -->
</host>
And enable cache container required for clustered SSO to work - this requires Infinishpan subsystem, which you might now have, if you only extended standalone-ha profile. If you do not see Infinispan subsystem, have a look at standalone-full of standalone-full-ha profiles. If you do not have it already, add web cache:
/subsystem=infinispan/cache-container=web/distributed-cache=concurrent:add
/subsystem=infinispan/cache-container=web/distributed-cache=concurrent/store=file:add
Again, if you use full-ha profile of either standalone or domain mode, you will probably have these already.
Also you do not mention, if you use JBoss security domain for authorization or not. In case you use some custom auth mechanism, make sure you set the session cookie or tokens correctly - for correct domain and context etc.
I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:
<Connector executor="tomcatThreadPool"
port="80"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
Is it possible to add an exception/rule, that a specific HTTPrequest (http://www.example.com), will be redirected to another specific address , with a port specified (say https://www.example.com:8443/test), without changing/removing the above Connector ?
You can do it to every app deployed to tomcat by adding this to the end of tomcat_dir/conf/web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you requre authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
So you don't have to change it on the web.xml of your webapp.
That should work, assuming you already have https working in another port (usually 443). If you don't, make sure your tomcat_dir/conf/server.xml looks like this:
<!-- Default tomcat connector, changed the redirectPort from 8443 to 443 -->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<!-- To make https work on port 443 -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig>
<Certificate certificateKeyFile="/your/own/privkey.pem"
certificateFile="/eyour/own/cert.pem"
certificateChainFile="/your/own/chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
The connector configuration you shown does not redirect a specific URL in the way you suppose.
That configuration acts if you have configured a CONFIDENTIAL transport guarantee for a web application inside that servlet container.
I mean, if you have deployed any application on that connector, where its web.xml descriptor has a security-constraint as follows:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Then, Tomcat will redirect any matching url-pattern to the configured port in order to use HTTPS as guarantor of confidentiality in transport.
So, if you want to redirect a specific URL, you have to complement connector's configuration with specific application configuration.
Edit
As you suggest in your comment, it could be another step to get this configuration working. Once you have configured http connector as shown, and then configured app as I told you, you only to ensure that your Tomcat server has an HTTPS connector configured, other way redirection won't work.
To configure this HTTPS connector, you can use a configuration as following:
<Connector connectionTimeout="20000"
acceptCount="100" scheme="https" secure="true"
port="443" clientAuth="false" sslProtocol="TLS"
keystoreFile="PATH_TO_KEY_STORE"
keystorePass="KEY_STORE_PASS"
keyAlias="KEY_STORE_ALIAS"/>
This is a sample configuration where I didn't put some attributes that can be important for you as threads attrs, executors, and so on.
The most important thing is the KeyStore configuration that you need to serve HTTPS connections. Here you have the official documentation to prepare a java KeyStore for Tomcat to serve HTTPS.
I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:
As malaguna answered, that Connector configuration is not a redirection rule. It is just a setting that is used when performing redirection triggered by <transport-guarantee>CONFIDENTIAL</transport-guarantee>.
There is no way to overwrite that setting on per-application basis.
If you need better control over such redirection, you need to implement your own Filter that will implement a redirection (if (!request.isSecure()) { response.sendRedirect(...);}), or configure a 3rd party one.
// Technically, in current Tomcat 8 code the redirection triggered by transport-guarantee is performed by org.apache.catalina.realm.RealmBase.hasUserDataPermission(...) method.
If you use tomcat with httpd, you can use RewriteEngine.
With port specified is like the followings in the http.conf:
NameVirtualHost *:8443 #your specified port
<VirtualHost *:8443>
ServerName www.example.com
Redirect permanent / https://secure.example.com/
</VirtualHost>
See: RewriteHTTPToHTTPS and Redirect Request to SSL
Putting transport-guarantee CONFIDENTIAL in conf/web.xml is good, but it does not cover the manager app and the host-manager app (Tomcat 8.5.38).
My solution is to put a valve in conf/context.xml that redirects all http requests to https.
https://bitbucket.org/bunkenburg/https-valve/src/master/
It's too late to answer, still I'm sharing my experience over the same, do the following changes in
Apache Software Foundation\Tomcat 8.5\conf\web.xml
Take a restart.
Pre-Req: configure https port and disable http port(optional[I did it])
<Connector connectionTimeout="20000" port="8081" protocol="HTTP/1.1" redirectPort="443"/>
<Connector port="443"
SSLEnabled="true"
acceptCount="100"
disableUploadTimeout="true"
enableLookups="false"
maxHttpHeaderSize="8192"
maxThreads="550"
minSpareThreads="25"
scheme="https"
secure="true"
compression="on"
protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig protocols="TLSv1.2"
certificateVerification="none"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA">
<Certificate type="RSA"
certificateKeystoreFile="/ssl/self-signed/your-keystore.jks"
certificateKeystorePassword="123456"
certificateKeyAlias="your-alias" />
</SSLHostConfig>
</Connector>
I'm running a standard PHP application on my domain and did set that to www.johndoe.com/p/
Now, the port 80 is apparently serviced by this HTTP server (Apache, not Tomcat). Also, I installed Wildfly 8.2 on this server on port 8000. How, can I use Wildfly WAR applications on the same domain e.g. www.johndoe.com/w/?
I'm positive that there is a way of redirecting the /w/ requests to the Java EE server and keep the /p/ serviced by Apache, right?
I assume mod_proxy (http gateway) and mod_proxy_ajp are simple solutions. Can anyone reflect on my requirements and the the mod_proxy/ajp functionality?
ProxyPass /w ajp://localhost:8000/w
ProxyPassReverse /w http://www.johndoe.com/w
I do not demand load balacing or anything else sophisticated. Just the split of the two contexti. Only port 80 is accessible from the internet.
Thank you.
Okay. Here the resolution.
I added to Wildfly 8.2 standalone.xml the following ajp-listener...
<server name="default-server">
<http-listener name="default" socket-binding="http"/>
<ajp-listener name="ajp" socket-binding="ajp"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
... and bind it to the socket ...
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp" port="${jboss.ajp.port:28009}"/>
<socket-binding name="http" port="${jboss.http.port:28080}"/>
<socket-binding name="https" port="${jboss.https.port:28443}"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="mail.johndoe.com" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
Invoke service wildfly reload or service wildfly restart. To Wildfly listening on AJP requests.
Finally, add to your http.conf file of your Apache Virtual Host Domain the following:
ProxyPass /w ajp://127.0.0.1:28009/w
ProxyPassReverse /w ajp://127.0.0.1:28009/w
Also for Apache, restart with service apache2 reload.
Caution. In Parallels Plesk, the virtual host config file must be edited in /var/www/vhosts/system/johndoe.com/conf/http.conf and NOT in /var/vhosts/johndoe.com/conf/http.conf
Is it possible to run SSL and non-SSL web applications on same standalone Wildfly?
I am using Wildfly 8.1.0 (Undertow) and I am having troubles at configuring this scenario...
For example, I know how to configure either HTTP or HTTPS themselves, but whenever I try to run a configuration for both, the HTTP response is redirected to the SSL one... :(
Could somebody please point out what to change for example in the default standalone.xml?
Yes it's possible.
first you need to add bellow code in ApplicationRealm
<server-identities>
<ssl>
<keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="abcd1234" alias="server" key-password="abcd1234"/>
</ssl>
</server-identities>
Then you required to add lisner for both http and https
<server name="default-server">
<http-listener name="default-http" socket-binding="http"/>
<https-listener name="default-https" socket-binding="https" security-realm="ApplicationRealm"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
Now configure the connector for both http and https
<subsystem xmlns="urn:jboss:domain:remoting:2.0">
<endpoint worker="default"/>
<http-connector name="http-remoting-connector" connector-ref="default-http" security-realm="ApplicationRealm"/>
<http-connector name="https-remoting-connector" connector-ref="default-https" security-realm="ApplicationRealm"/>
</subsystem>
But generally people won't keep enable both http and https. They redirect the request from http to https.
Hoping someone can help / advise as i'm not very familiar with Apache / Tomcat .. I already have Apache in front of Tomcat with grails app deployed. I have IIs setup (by someone else) which redirects www.xyz.com/myApp to an Apache instance which runs a grails app. In my apache conf I have a proxy ..
ProxyPass /myApp http://localhost:8080/myApp
ProxyPassReverse /myApp http://localhost:8080/myApp
and I have a connector defined in my tomcat server.xml
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
proxyName="www.xyz.com"
proxyPort="443" />
This works without problem
I now want to add another app so in IIS I had setup for me www.xyz.com/myOtherApp
with
ProxyPass /myOtherApp http://localhost:8081/anotherApp
ProxyPassReverse /myOtherApp http://localhost:8081/anotherApp
in my Apache conf I added another connector
<Connector port="8081" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
proxyName="www.xyz.com"
proxyPort="443" />
When i go to www.xyz.com/myOtherApp i get the url rendered (correctly i think) as https://www.xyz.com/anotherApp but with a 404 error saying "Object not Found" ..
Can anyone help me with the config ? Is it possible to have 2 connectors on different ports
with the same proxyName ? As i say i'm not familiar with Apache/Tomcat and i'd really like to get this done asap ..
Thanks
Hi #Stefan, The apps do live on the same server and domain so i eliminated one of the connector definitions . I'm now left with
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
proxyName="www.xyz.com"
proxyPort="443" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
</Host>
</Engine>
</Service>
</Server>
Also I switched on the logging (JULI) but it didn't seem to report anything . The apache error log just gives me a 404 .. I left it as HTTP rather than AJP as i'd have to setup HTTPS and i'm not sure how easy that is. So i'm left with the same problem in that one app works, the other doesn't .. Is it possible to run multiple grails apps over http as opposed to using ajp and virtual hosts ? Forgive me if i'm being stupid - i haven't had much exposure to webapps and i seem to have come to a grinding halt at what i thought should have been relatively easy - deployment !
If you want to use Apache in front of Tomcat, it's better to use mod_proxy_ajp instead of mod_proxy_http. For setting this up, see https://confluence.sakaiproject.org/display/~steve.swinsburg/Fronting+Tomcat+with+Apache+via+mod_proxy_ajp.
Be sore to add
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
to your config to prevent abuse of the proxy.
If /myApp and /myOtherApp reside in the same tomcat engine, you only need a single connector for both apps. Aside from this, I can see no obvious error in your setup. Maybe you could post your tomcat's server.xml. During working on the config, using LogLevel Debug might be a good idea.
This isn't a direct answer to your question, but I was configuring Tomcat behind Apache before and I had problem with it.
I now use Amazons Elastic beanstalk...where you can deploy your grails app war file directly. It works a beautifully, especially with in built auto scaling and health monitoring!
Less configuration == Ease of life.