How do I configure Keycloak behind two reverse proxies? - java

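I have a question about Apache used as a reverse proxy together with Keycloak.
In addition to my reverse proxy there is another reverse proxy, which is used by the customer's application.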

I want to log in to Keycloak's admin console.
Trying this locally works as expected: http://localhost/application1/auth/admin/
The login form is shown and I can log in successfully.

But trying to log in from the external URL does not work:
https://externalurl.com/application1/auth/admin/

The login form is shown, I submit the form, and then the (empty) form is shown again.
The cookies AUTH_SESSION_ID, KC_RESTART, KEYCLOAK_IDENTITY and KEYCLOAK_SESSION are set correctly.

A look into Apache's access.log shows the following:
(local and working call)

10.1.7.192 - - [29/May/2019:11:16:27 +0200] "GET /auth/admin/master/console HTTP/1.1" 302 -
10.1.7.192 - - [29/May/2019:11:16:28 +0200] "GET /auth/admin/master/console/ HTTP/1.1" 200 8198
10.1.7.192 - - [29/May/2019:11:16:29 +0200] "GET /auth/admin/master/console/config HTTP/1.1" 200 195
10.1.7.192 - - [29/May/2019:11:16:29 +0200] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fexternalurl.com%2Fapplication1%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=cef5a6cb-4327-45e7-8e97-0b3e74a27ea6&response_mode=fragment&response_type=code&scope=openid&nonce=35edfb09-a16a-41dc-83d6-453393e61391 HTTP/1.1" 200 3120
10.1.7.192 - - [29/May/2019:11:16:33 +0200] "POST /auth/realms/master/login-actions/authenticate?session_code=5iqyNYW56tGETAGGHLEp54m5JbEXU4us-kDe1S1k10Q&execution=ee5e5166-6dcf-47d1-a130-521aaedfd08d&client_id=security-admin-console&tab_id=VF8WaW2--uM HTTP/1.1" 302 -
10.1.7.192 - - [29/May/2019:11:16:33 +0200] "GET /auth/admin/master/console/ HTTP/1.1" 200 8198
10.1.7.192 - - [29/May/2019:11:16:33 +0200] "GET /auth/admin/master/console/config HTTP/1.1" 200 195
--- differences start here
10.1.7.192 - - [29/May/2019:11:16:33 +0200] "GET /auth/admin/master/console/ HTTP/1.1" 200 8198
10.1.7.192 - - [29/May/2019:11:16:33 +0200] "GET /auth/admin/master/console/config HTTP/1.1" 200 195
10.1.7.192 - - [29/May/2019:11:16:33 +0200] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fexternalurl.com%2Fapplication1%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=8931d4e0-d9b6-41fc-92ef-1e937d5c7704&response_mode=fragment&response_type=code&scope=openid&nonce=fedd80bb-a5e0-4ea1-ad6e-77a8ab0b9938 HTTP/1.1" 200 3120

But trying from an external client I get this:

::1 - - [29/May/2019:11:14:54 +0200] "GET /application1/auth/admin/master/console HTTP/1.1" 302 -
::1 - - [29/May/2019:11:14:55 +0200] "GET /application1/auth/admin/master/console/ HTTP/1.1" 200 8198
::1 - - [29/May/2019:11:14:55 +0200] "GET /application1/auth/admin/master/console/config HTTP/1.1" 200 183
::1 - - [29/May/2019:11:14:55 +0200] "GET /application1/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=http%3A%2F%2Flocalhost%2Fapplication1%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=6815eac5-5809-4965-a802-b6ba9479a8d8&response_mode=fragment&response_type=code&scope=openid&nonce=852c3a37-90ed-4bdc-a9dd-50c4ec1291aa HTTP/1.1" 200 3108
::1 - - [29/May/2019:11:15:02 +0200] "POST /application1/auth/realms/master/login-actions/authenticate?session_code=Ehw_zcZmjJruVvIJiajTLqBbN49M7wbsRSoCi24y8MQ&execution=ee5e5166-6dcf-47d1-a130-521aaedfd08d&client_id=security-admin-console&tab_id=qV6HNXsVgtU HTTP/1.1" 302 -
::1 - - [29/May/2019:11:15:02 +0200] "GET /application1/auth/admin/master/console/ HTTP/1.1" 200 8198
::1 - - [29/May/2019:11:15:02 +0200] "GET /application1/auth/admin/master/console/config HTTP/1.1" 200 183
--- differences start here
::1 - - [29/May/2019:11:15:03 +0200] "POST /application1/auth/realms/master/protocol/openid-connect/token HTTP/1.1" 200 3102
::1 - - [29/May/2019:11:15:03 +0200] "GET /application1/auth/admin/master/console/messages.json?lang=en HTTP/1.1" 200 116906
::1 - - [29/May/2019:11:15:03 +0200] "GET /application1/auth/admin/master/console/whoami HTTP/1.1" 200 443
::1 - - [29/May/2019:11:15:03 +0200] "GET /application1/auth/realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=security-admin-console&origin=http%3A%2F%2Flocalhost HTTP/1.1" 204 -
::1 - - [29/May/2019:11:15:03 +0200] "GET /application1/auth/admin/serverinfo HTTP/1.1" 200 142210
::1 - - [29/May/2019:11:15:03 +0200] "GET /application1/auth/admin/realms HTTP/1.1" 200 3113
::1 - - [29/May/2019:11:15:04 +0200] "GET /application1/auth/admin/realms/master HTTP/1.1" 200 3111
::1 - - [29/May/2019:11:15:04 +0200] "GET /application1/auth/admin/realms HTTP/1.1" 200 3113
::1 - - [29/May/2019:11:15:04 +0200] "GET /application1/auth/admin/realms HTTP/1.1" 200 3113
::1 - - [29/May/2019:11:15:04 +0200] "GET /application1/auth/admin/realms HTTP/1.1" 200 3113

Of course, Keycloak's standalone.xml is set up with:

<web-context>application1/auth</web-context>

<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" proxy-address-forwarding="true"/>

And finally the relevant part of my Apache configuration:

DumpIOInput On
DumpIOOutput On
LogLevel debug
ForensicLog logs/forensic.txt

ProxyPreserveHost Off
RemoteIPHeader X-Forwarded-For

LogLevel debug

<LocationMatch "^/(application1/auth)/*">
    ProxyPass http://localhost:8180
    ProxyPassReverse http://localhost:8180
</LocationMatch>

<LocationMatch "^/(auth)/*">
    ProxyPass http://localhost:8180/application1
    ProxyPassReverse http://localhost:8180/application1
</LocationMatch>

###This reads the value of X-ORIG-HOST into TempValue
SetEnvIf X-ORIG-HOST ".+" TempValue=$0
###This will overwrite the value of "Host" if it was already set
RequestHeader set Host %{TempValue}e env=TempValue

ProxyPassReverseCookiePath "/application1/" "/"

Can someone help me or give me a hint where to look next?
Thanks!

Answer

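Had a similar problem with an SSL reverse proxy (haproxy) on top of an nginx proxy passing to Keycloak. Got a white page instead of the admin console. Apparently this was caused by the refreshpermissions JS function requesting the whoami API on Keycloak and getting a 401. Everything I tried with the X-Forwarded headers was unsuccessful.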
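
An added example, not part of the original question or answer: a Python script that reads Apache access.log lines of the shape shown in the question and reports, per client address, which origin Keycloak was given in `redirect_uri`, whether the authorization code was exchanged at the token endpoint, how often the login form was requested again right after a credential POST (the loop described in the question), and any 401 on `whoami` (the symptom in the answer). The log sample is constructed by shortening the question's lines; `analyze` and its field names are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: shortened from the shape of the access.log lines in the question.
SAMPLE = """\
10.1.7.192 - - [29/May/2019:11:16:29 +0200] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fexternalurl.com%2Fapplication1%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=s1 HTTP/1.1" 200 3120
10.1.7.192 - - [29/May/2019:11:16:33 +0200] "POST /auth/realms/master/login-actions/authenticate?session_code=c1 HTTP/1.1" 302 -
10.1.7.192 - - [29/May/2019:11:16:33 +0200] "GET /auth/admin/master/console/ HTTP/1.1" 200 8198
10.1.7.192 - - [29/May/2019:11:16:33 +0200] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fexternalurl.com%2Fapplication1%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=s2 HTTP/1.1" 200 3120
"""

# Common Log Format: client, two ignored fields, [time], "METHOD target PROTO", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def analyze(log_text):
    """Summarise the OpenID Connect login flow per client address."""
    clients = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        path, query = urlsplit(target).path, urlsplit(target).query
        c = clients.setdefault(ip, {"origins": set(), "token": False,
                                    "loops": 0, "whoami_401": 0, "pending": False})
        if path.endswith("/protocol/openid-connect/auth"):
            u = urlsplit(parse_qs(query).get("redirect_uri", [""])[0])
            if u.netloc:
                c["origins"].add(f"{u.scheme}://{u.netloc}")
            if c["pending"]:  # form requested again, no token exchange in between
                c["loops"] += 1
                c["pending"] = False
        elif method == "POST" and path.endswith("/login-actions/authenticate"):
            c["pending"] = True
        elif method == "POST" and path.endswith("/protocol/openid-connect/token"):
            c["token"] = True
            c["pending"] = False
        elif path.endswith("/console/whoami") and status == "401":
            c["whoami_401"] += 1
    return clients

if __name__ == "__main__":
    for ip, c in analyze(SAMPLE).items():
        print(ip, sorted(c["origins"]), "token:", c["token"],
              "loops:", c["loops"], "whoami 401:", c["whoami_401"])
```

Comparing the reported origin with the URL in the browser's address bar shows which scheme and host Keycloak derived from the proxied request for that client.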
