Correct keycloak proxy config

Some extra steps are needed to use keycloak with a reverse proxy.
This adjusts the apache config to send the required headers and
the keycloak server config to use them.

Since the openid configuration json page is constructed entirely
from these headers (and not from static configuration), this is
a good test that the entire system is working.

Change-Id: I662dc85836d640cb732f12f39e9a61607767fcf3
James E. Blair 2021-12-04 10:49:11 -08:00
parent 94bc7c1455
commit f131ae98a8
3 changed files with 13 additions and 0 deletions


@ -11,6 +11,7 @@ services:
- KEYCLOAK_USER=admin - KEYCLOAK_USER=admin
- KEYCLOAK_PASSWORD="{{ keycloak_admin_password }}" - KEYCLOAK_PASSWORD="{{ keycloak_admin_password }}"
- DB_VENDOR=h2 - DB_VENDOR=h2
- PROXY_ADDRESS_FORWARDING=true
command: command:
-Djboss.bind.address.private=127.0.0.1 -Djboss.bind.address.private=127.0.0.1
-Djboss.bind.address=127.0.0.1 -Djboss.bind.address=127.0.0.1
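Review bot: PROXY_ADDRESS_FORWARDING=true makes Keycloak trust X-Forwarded-* headers from whatever reaches port 8080, so the security of this setting rests entirely on the -Djboss.bind.address=127.0.0.1 lines in the surrounding context keeping that port off the network. That dependency is not stated anywhere in the file; a one-line comment next to the new variable (e.g. "safe only because jboss binds to 127.0.0.1 and apache is the sole client") would stop a later change to the bind address from silently making the forwarded headers spoofable.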


@ -50,6 +50,8 @@
ProxyPass / http://localhost:8080/ retry=0 ProxyPass / http://localhost:8080/ retry=0
ProxyPassReverse / http://localhost:8080/ ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost> </VirtualHost>
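Review bot: RequestHeader requires mod_headers, and nothing in this hunk shows that module being enabled; if it is not loaded, apache fails its config check and the whole vhost goes down. Worth confirming the module is enabled by the role and adding a comment that "set" (rather than "add" or "setifempty") is deliberate, because it overwrites any X-Forwarded-Proto a client sends and so prevents a client from claiming an https scheme it did not use. X-Forwarded-For and X-Forwarded-Host are supplied by mod_proxy's default ProxyAddHeaders, so only the scheme needed an explicit directive here.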


@ -20,3 +20,13 @@ testinfra_hosts = ['keycloak01.opendev.org']
def test_keycloak_listening(host): def test_keycloak_listening(host):
keycloak = host.socket("tcp://127.0.0.1:8080") keycloak = host.socket("tcp://127.0.0.1:8080")
assert keycloak.is_listening assert keycloak.is_listening
def test_keycloak_openid_config(host):
# This tests the proxy config since the output is determined by
# the proxy headers and is not hard-coded configuration.
cmd = host.run('curl --insecure '
'--resolve keycloak.opendev.org:443:127.0.0.1 '
'https://keycloak.opendev.org/auth/realms/master'
'/.well-known/openid-configuration')
assert ('"issuer":"https://keycloak.opendev.org/auth/realms/master"'
in cmd.stdout)
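Review bot: the new test never checks cmd.rc, so a TLS or connection failure leaves stdout empty and the only signal is a substring assertion that is hard to read in the failure output; an `assert cmd.rc == 0` before the content check would make the cause obvious. The substring match `"issuer":"https://..."` also depends on Keycloak's exact JSON serialization (no whitespace after the colon), which could change across versions without the proxy config being wrong; parsing with json.loads and asserting on the "issuer" key would test the intended property rather than the formatting.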