<div dir="ltr">
<div><font size="3" face="Calibri,Arial,Helvetica,sans-serif" color="black"><span style="font-size:12pt;background-color:white" dir="ltr"><font face="Calibri,Arial,Helvetica,sans-serif"><font face="Calibri,Arial,Helvetica,sans-serif">Hi, <br></font></font></span></font></div><div><font size="3" face="Calibri,Arial,Helvetica,sans-serif" color="black"><span style="font-size:12pt;background-color:white" dir="ltr"><font face="Calibri,Arial,Helvetica,sans-serif"><font face="Calibri,Arial,Helvetica,sans-serif"><br></font></font></span></font></div><font size="3" face="Calibri,Arial,Helvetica,sans-serif" color="black"><span style="font-size:12pt;background-color:white" dir="ltr"><font face="Calibri,Arial,Helvetica,sans-serif"><font face="Calibri,Arial,Helvetica,sans-serif"><div>
<div style="margin-top:0px;margin-bottom:0px">After a successful login on the Keycloak web page, the user is not redirected to the real backend service.</div>
<div style="margin-top:0px;margin-bottom:0px">The event log shows a request to a non-existent backend server (127.0.0.1) using a malformed scheme (HTTPS on port 80):</div>
<div style="margin-top:0px;margin-bottom:0px"><a href="https://127.0.0.1:80/auth/realms/master/protocol/openid-connect/token" target="_blank">https://127.0.0.1:80/auth/realms/master/protocol/openid-connect/token</a></div>
<div style="margin-top:0px;margin-bottom:0px"> <br>
</div>
<div style="margin-top:0px;margin-bottom:0px">I've published two sites via Nginx:</div>
<div style="margin-top:0px;margin-bottom:0px"><br>
</div>
<div style="margin-top:0px;margin-bottom:0px">1. Application: <a href="https://app.domain.com" target="_blank">https://app.domain.com</a></div>
<div style="margin-top:0px;margin-bottom:0px">The application is running on the backend IIS server <a href="https://appbackend.domain.com" target="_blank">https://appbackend.domain.com</a></div>
<div style="margin-top:0px;margin-bottom:0px"><br>
</div>
<div style="margin-top:0px;margin-bottom:0px">NGINX Virtual host config:</div>
<div style="margin-top:0px;margin-bottom:0px">a) Headers set: <br>
</div>
<div style="margin-top:0px;margin-bottom:0px">proxy_set_header X-Forwarded-Proto $scheme;<br>
proxy_set_header Host $host; <br>
proxy_set_header Forwarded "$proxy_add_forwarded;proto=$scheme";<br>
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br>
proxy_set_header Referer $http_referer;<br>
proxy_set_header X-Real-IP $remote_addr;<br>
proxy_set_header X-Forwarded-Port $server_port;<br>
proxy_set_header Upgrade $http_upgrade;<br>
proxy_set_header Connection "upgrade";</div>
<div style="margin-top:0px;margin-bottom:0px"><br>
</div>
<div style="margin-top:0px;margin-bottom:0px">b) Keycloak part</div>
<div style="margin-top:0px;margin-bottom:0px">include conf.d/openid_connect.server_conf;<br>
set $oidc_authz_endpoint "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/auth";<br>
set $oidc_token_endpoint "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/token";<br>
set $oidc_client "NGINX-Plus";<br>
set $oidc_client_secret "acdce7.......7460";<br>
set $oidc_jwt_keyfile "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/certs";<br>
set $oidc_hmac_key "38...asfumg3";</div>
<div style="margin-top:0px;margin-bottom:0px"><br>
</div>
<div style="margin-top:0px;margin-bottom:0px">c) location part</div>
<div style="margin-top:0px;margin-bottom:0px">auth_jwt "" token=$session_jwt;<br>
error_page 401 = @do_oidc_flow;<br>
auth_jwt_key_request /_jwks_uri;<br>
</div>
<div style="margin-top:0px;margin-bottom:0px">proxy_set_header username $jwt_claim_sub;<br>
proxy_pass https://appbackend.domain.com;<br>
<br>
</div>
<div style="margin-top:0px;margin-bottom:0px">2. Keycloak: <a href="https://keycloak.domain.com" target="_blank">https://keycloak.domain.com</a></div>
<div style="margin-top:0px;margin-bottom:0px">Keycloak is running in Docker on a separate virtual machine, keycloak1.domain.com.</div>
<div style="margin-top:0px;margin-bottom:0px">Port redirection:</div>
<div style="margin-top:0px;margin-bottom:0px">- tcp/80 -> tcp/8080</div>
<div style="margin-top:0px;margin-bottom:0px">- tcp/443 -> tcp/8443</div>
<div style="margin-top:0px;margin-bottom:0px">SSL certificate is installed and activated.</div>
<div style="margin-top:0px;margin-bottom:0px"><br>
</div>
<div style="margin-top:0px;margin-bottom:0px">1. Headers set: <br>
proxy_set_header X-Forwarded-Proto $scheme;<br>
proxy_set_header Host $host; <br>
proxy_set_header Forwarded "$proxy_add_forwarded;proto=$scheme";<br>
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br>
proxy_set_header Referer $http_referer;<br>
proxy_set_header X-Real-IP $remote_addr;<br>
proxy_set_header X-Forwarded-Port $server_port;<br>
proxy_set_header Upgrade $http_upgrade;<br>
proxy_set_header Connection "upgrade";<br>
</div>
<div style="margin-top:0px;margin-bottom:0px"><br>
</div>
<div style="margin-top:0px;margin-bottom:0px">2. Backend</div>
<div style="margin-top:0px;margin-bottom:0px">proxy_pass https://keycloak1.domain.com;</div>
<div style="margin-top:0px;margin-bottom:0px">## Same issue if HTTP is used instead of HTTPS</div>
<div style="margin-top:0px;margin-bottom:0px"><br>
</div>
<div style="margin-top:0px;margin-bottom:0px">3. Client configuration - admin part</div>
<div style="margin-top:0px;margin-bottom:0px">Valid Redirect URIs: <a href="https://app.domain.com:443/_codexch" target="_blank">https://app.domain.com:443/_codexch</a></div>
<div style="margin-top:0px;margin-bottom:0px"><br>
</div>
<div style="margin-top:0px;margin-bottom:0px">NGINX logs</div>
<div style="margin-top:0px;margin-bottom:0px">==> /var/log/nginx/app.domain.com-access.log <==<br>
remote_addr=184.55.14.22 - remote_user=- time_local=[17/Oct/2021:09:06:17 +0200] request="GET / HTTP/2.0" status=302 body_bytes_sent=145 http_referer="-" http_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" http_x_forwarded_for="-" request_time=0.002 upstream_connect_time="-" upstream_header_time="-" upstream_response_time="-" server_name=app.domain.com uri="/"<br>
<br>
==> /var/log/nginx/keycloak.domain.com-access.log <==<br>
remote_addr=184.55.14.22 - remote_user=- time_local=[17/Oct/2021:09:06:17 +0200] request="GET /auth/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid+profile+email+offline_access&client_id=NGINX-Plus&redirect_uri=https://app.domain.com:443/_codexch&nonce=5--Pw-iCkTs1hR-3V6wgLkd2vZNC0ys0NM9fRR4D1c8&state=0 HTTP/2.0" status=302 body_bytes_sent=0 http_referer="-" http_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" http_x_forwarded_for="-" request_time=0.032 upstream_connect_time="0.020" upstream_header_time="0.032" upstream_response_time="0.032" server_name=keycloak.domain.com uri="/auth/realms/master/protocol/openid-connect/auth"<br>
1c8&state=0 HTTP/2.0", status=302, waf_policy=Complete_OWASP_Top_Ten, waf_request_id=13388773729652827719, waf_action=PASSED, waf_action_reason=SECURITY_WAF_OK<br>
<br>
==> /var/log/nginx/app.domain.com-error.log <==<br>
2021/10/17 09:06:18 [error] 3352262#3352262: *406 connect() failed (111: Connection refused) while connecting to upstream, client: 184.55.14.22, server: app.domain.com, request: "GET /_codexch?state=0&session_state=0b783755-9b00-4b0f-9e63-1a047680272c&code=07ce9447-19a7-443f-abfb-54e92819a34a.0b783755-9b00-4b0f-9e63-1a047680272c.98d80b2d-9f0d-482a-bdfd-b680834bb9bc HTTP/2.0", subrequest: "/_token", upstream: "https://127.0.0.1:80/auth/realms/master/protocol/openid-connect/token", host: "app.domain.com"<br>
</div>
<div style="margin-top:0px;margin-bottom:0px"><br>
</div>
<div style="margin-top:0px;margin-bottom:0px">Any help would be really appreciated.</div>
<div style="margin-top:0px;margin-bottom:0px"><br>
</div>
<div style="margin-top:0px;margin-bottom:0px">Regards,</div>
<div style="margin-top:0px;margin-bottom:0px"><br>
</div>
<div style="margin-top:0px;margin-bottom:0px">Jernej</div></div></font></font></span></font>
</div>
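<div style="margin-top:0px;margin-bottom:0px">As an added diagnostic (not part of the original mail, and not code from the nginx-openid-connect or Keycloak projects): a small Python script that reads the log lines quoted in the post, checks that the redirect_uri sent to Keycloak matches the client's Valid Redirect URIs entry exactly, and compares the upstream that the /_token subrequest actually connected to against the endpoint set in $oidc_token_endpoint. The log lines, the registered redirect URI and the configured token endpoint are copied from the post; the function names and the loopback and scheme/port checks are the example's own.</div>

```python
"""Constructed diagnostic for the thread above: parse the quoted NGINX log
lines and check the two things they let us verify. Not part of the original
mail or of the nginx-openid-connect / Keycloak projects."""
import re
from urllib.parse import parse_qs, urlsplit

# Values copied from the post: the Keycloak client's Valid Redirect URIs entry
# and the token endpoint set in $oidc_token_endpoint.
REGISTERED_REDIRECT_URI = "https://app.domain.com:443/_codexch"
CONFIGURED_TOKEN_ENDPOINT = (
    "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/token"
)

# The two relevant log lines from the post, unwrapped and embedded so this runs offline.
KEYCLOAK_ACCESS_LINE = (
    'remote_addr=184.55.14.22 - remote_user=- time_local=[17/Oct/2021:09:06:17 +0200] '
    'request="GET /auth/realms/master/protocol/openid-connect/auth?response_type=code'
    '&scope=openid+profile+email+offline_access&client_id=NGINX-Plus'
    '&redirect_uri=https://app.domain.com:443/_codexch'
    '&nonce=5--Pw-iCkTs1hR-3V6wgLkd2vZNC0ys0NM9fRR4D1c8&state=0 HTTP/2.0" '
    'status=302 server_name=keycloak.domain.com'
)
APP_ERROR_LINE = (
    '2021/10/17 09:06:18 [error] 3352262#3352262: *406 connect() failed '
    '(111: Connection refused) while connecting to upstream, client: 184.55.14.22, '
    'server: app.domain.com, request: "GET /_codexch?state=0'
    '&session_state=0b783755-9b00-4b0f-9e63-1a047680272c'
    '&code=07ce9447-19a7-443f-abfb-54e92819a34a.0b783755-9b00-4b0f-9e63-1a047680272c'
    '.98d80b2d-9f0d-482a-bdfd-b680834bb9bc HTTP/2.0", subrequest: "/_token", '
    'upstream: "https://127.0.0.1:80/auth/realms/master/protocol/openid-connect/token", '
    'host: "app.domain.com"'
)


def parse_authorization_request(access_line):
    """Return the query parameters of the OIDC authorization request logged in
    an access-log line (request="GET <path?query> HTTP/x") as a flat dict."""
    m = re.search(r'request="GET (\S+) HTTP/[\d.]+"', access_line)
    if not m:
        raise ValueError("access-log line has no request field")
    query = urlsplit(m.group(1)).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def check_redirect_uri(params, registered):
    """Keycloak matches redirect_uri against Valid Redirect URIs as a string
    (a trailing '*' wildcard aside), so the comparison here is exact."""
    sent = params.get("redirect_uri")
    if sent == registered:
        return True, "redirect_uri matches the registered Valid Redirect URI"
    return False, f"redirect_uri {sent!r} does not match registered {registered!r}"


def parse_upstream_failure(error_line):
    """Pull the failure reason, subrequest name and upstream URL out of an
    NGINX error-log 'while connecting to upstream' line."""
    reason = re.search(r"\*\d+ (.+?) while connecting to upstream", error_line)
    sub = re.search(r'subrequest: "([^"]+)"', error_line)
    up = re.search(r'upstream: "([^"]+)"', error_line)
    return {
        "reason": reason.group(1) if reason else None,
        "subrequest": sub.group(1) if sub else None,
        "upstream": up.group(1) if up else None,
    }


def check_upstream(upstream, configured):
    """Compare the upstream the subrequest actually used with the configured
    token endpoint and list every inconsistency found."""
    got, want = urlsplit(upstream), urlsplit(configured)
    findings = []
    if got.hostname != want.hostname:
        findings.append(f"upstream host {got.hostname!r} differs from configured {want.hostname!r}")
    if got.hostname in ("127.0.0.1", "::1", "localhost"):
        findings.append("upstream is a loopback address although a remote hostname is configured")
    # https on the plain-HTTP port (or the reverse) means scheme and port did not
    # come from the same URL; this is exactly what the post's error line shows.
    if (got.scheme, got.port) in (("https", 80), ("http", 443)):
        findings.append(f"scheme {got.scheme} combined with port {got.port}")
    if got.path != want.path:
        findings.append(f"path {got.path!r} differs from configured {want.path!r}")
    return findings


def run_checks():
    """Run both checks over the embedded log lines and return a summary dict."""
    params = parse_authorization_request(KEYCLOAK_ACCESS_LINE)
    redirect_ok, redirect_msg = check_redirect_uri(params, REGISTERED_REDIRECT_URI)
    failure = parse_upstream_failure(APP_ERROR_LINE)
    findings = check_upstream(failure["upstream"], CONFIGURED_TOKEN_ENDPOINT)
    return {
        "client_id": params.get("client_id"),
        "redirect_ok": redirect_ok,
        "redirect_msg": redirect_msg,
        "failure": failure,
        "upstream_findings": findings,
    }


if __name__ == "__main__":
    summary = run_checks()
    print(f"client_id: {summary['client_id']}")
    print(f"redirect_uri: {summary['redirect_msg']}")
    f = summary["failure"]
    print(f"subrequest {f['subrequest']} -> {f['upstream']}: {f['reason']}")
    for finding in summary["upstream_findings"]:
        print(f"  - {finding}")
```

<div style="margin-top:0px;margin-bottom:0px">Run against the quoted lines, the script reports that the redirect_uri Keycloak received is the registered one, while the /_token subrequest connected to a loopback address with an https scheme on port 80 instead of the configured keycloak.domain.com endpoint (the path is the configured one). That separates the two halves of the flow: the authorization request and the Keycloak client registration look consistent, and the remaining discrepancy is in how the token-endpoint subrequest is proxied on the app.domain.com vhost.</div>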