From f131ae98a855dbcf7e2b1f8fcfbab33a3fe7a8b3 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Sat, 4 Dec 2021 10:49:11 -0800
Subject: [PATCH] Correct keycloak proxy config
Some extra steps are needed to use keycloak with a reverse proxy. This adjusts the apache config to send the required headers and the keycloak server config to use them. Since the openid configuration json page is constructed entirely from these headers (and not from static configuration), this is a good test that the entire system is working.
Change-Id: I662dc85836d640cb732f12f39e9a61607767fcf3
---
 .../roles/keycloak/templates/docker-compose.yaml.j2 | 1 +
 playbooks/roles/keycloak/templates/keycloak.vhost.j2 | 2 ++
 testinfra/test_keycloak.py | 10 ++++++++++
 3 files changed, 13 insertions(+)
diff --git a/playbooks/roles/keycloak/templates/docker-compose.yaml.j2 b/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
index 0e0eeb7429..59f53de52e 100644
--- a/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
+++ b/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
@@ -11,6 +11,7 @@ services:
 - KEYCLOAK_USER=admin
 - KEYCLOAK_PASSWORD="{{ keycloak_admin_password }}"
 - DB_VENDOR=h2
+ - PROXY_ADDRESS_FORWARDING=true
 command:
 -Djboss.bind.address.private=127.0.0.1
 -Djboss.bind.address=127.0.0.1
diff --git a/playbooks/roles/keycloak/templates/keycloak.vhost.j2 b/playbooks/roles/keycloak/templates/keycloak.vhost.j2
index 5d78af2262..f88d2b7b37 100644
--- a/playbooks/roles/keycloak/templates/keycloak.vhost.j2
+++ b/playbooks/roles/keycloak/templates/keycloak.vhost.j2
@@ -50,6 +50,8 @@ ProxyPass / http://localhost:8080/ retry=0
 ProxyPassReverse / http://localhost:8080/
+ ProxyPreserveHost on
+ RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
diff --git a/testinfra/test_keycloak.py b/testinfra/test_keycloak.py
index 02cd0e9f74..96ce0c885c 100644
--- a/testinfra/test_keycloak.py
+++ b/testinfra/test_keycloak.py
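Review bot: The new `PROXY_ADDRESS_FORWARDING=true` line makes Keycloak take the client address, scheme and host from X-Forwarded-* headers on every request it receives, and nothing in this file records that this is only acceptable because the `-Djboss.bind.address=127.0.0.1` flags a few lines down keep port 8080 reachable from the local Apache alone. A later `ports:` mapping or bind-address change would silently let any client forge its source address and scheme, which feed Keycloak's login events and brute-force detection. I'd put a comment directly above the new line: `# Trust X-Forwarded-* from the reverse proxy. Safe only while jboss binds to 127.0.0.1 so Apache is the sole client.` The `services:` block continues outside the hunk.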
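Review bot: `ProxyPreserveHost on` hands the client's Host header through to Keycloak, and Keycloak now builds the issuer and endpoint URLs from it (the commit message and the new test rely on exactly that), so if this vhost can be reached under a Host it does not own — as the default vhost, or without strict ServerName/ServerAlias matching; those directives are outside the hunk — a client can plant a foreign hostname in the discovery document and in the issuer/redirect URLs Keycloak emits. Pinning the public URL on the Keycloak side (a fixed hostname/frontend URL) or making sure this vhost is not the catch-all would close that; at minimum document the assumption beside the directive, e.g. `# Keycloak derives issuer and redirect URLs from Host; this vhost must only answer for its own ServerName`. Since Keycloak will now also honour X-Forwarded-For, add `RequestHeader unset X-Forwarded-For` next to the new RequestHeader line so the value mod_proxy appends (the real client address) is the only one Keycloak sees, rather than a client-supplied value sitting first in the list. The enclosing <VirtualHost> block starts and ends outside the hunk.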
@@ -20,3 +20,13 @@ testinfra_hosts = ['keycloak01.opendev.org']
 def test_keycloak_listening(host):
 keycloak = host.socket("tcp://127.0.0.1:8080")
 assert keycloak.is_listening
+
+def test_keycloak_openid_config(host):
+ # This tests the proxy config since the output is determined by
+ # the proxy headers and is not hard-coded configuration.
+ cmd = host.run('curl --insecure '
+ '--resolve keycloak.opendev.org:443:127.0.0.1 '
+ 'https://keycloak.opendev.org/auth/realms/master'
+ '/.well-known/openid-configuration')
+ assert ('"issuer":"https://keycloak.opendev.org/auth/realms/master"'
+ in cmd.stdout)
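Review bot: `test_keycloak_openid_config` never checks that curl succeeded, and its assertion is a substring match against Keycloak's exact JSON serialisation (`"issuer":"..."` with no whitespace), so a non-zero exit or a reformatted document fails with an unhelpful message instead of pointing at the proxy. Parse the body instead: `assert cmd.rc == 0` followed by `assert json.loads(cmd.stdout)['issuer'] == 'https://keycloak.opendev.org/auth/realms/master'` (needs `import json` at module top if it is not already there; the file's imports are outside the hunk). `--insecure` also deserves a why-comment, since it disables certificate verification in the one test meant to prove the public HTTPS endpoint is correct, e.g. `# --insecure: test nodes may carry a self-signed cert; --resolve still pins the request to the local vhost`. A companion negative case that sends a forged `Host:`/`X-Forwarded-Host:` and asserts the issuer is unchanged would turn this into a check that the proxy, not the client, controls the advertised hostname.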