<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} p
        {margin-top:0;
        margin-bottom:0}--></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p><br>
</p>
<div dir="ltr" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<div>
<div dir="ltr" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<div id="divRplyFwdMsg" dir="ltr"></div>
Hi,
<div>
<p>after successful login on Keycloak webpage the user is not redirected to real backend service.</p>
<p>The event log shows request to non-existent backend server (127.0.0.1) using malformed scheme (HTTPS with port 80).</p>
<p><a href="https://127.0.0.1:80/auth/realms/master/protocol/openid-connect/token">https://127.0.0.1:80/auth/realms/master/protocol/openid-connect/token"</a></p>
<p> <br>
</p>
<p>I've published two sites via Nginx:</p>
<p><br>
</p>
<p>1. Application: <a href="https://app.domain.com">https://app.domain.com</a></p>
<p>Application is running on backend IIS server <a href="https://appbackend.domain.com">
https://appbackend.domain.com</a></p>
<p><br>
</p>
<p>NGINX Virtual host config:</p>
<p>a) Headers set: <br>
</p>
<p>proxy_set_header X-Forwarded-Proto $scheme;<br>
proxy_set_header Host $host; <br>
proxy_set_header Forwarded "$proxy_add_forwarded;proto=$scheme";<br>
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br>
proxy_set_header Referer $http_referer;<br>
proxy_set_header X-Real-IP $remote_addr;<br>
proxy_set_header X-Forwarded-Port $server_port;<br>
proxy_set_header Upgrade $http_upgrade;<br>
proxy_set_header Connection "upgrade";</p>
<p><br>
</p>
<p>b) Keycloak part</p>
<p>include conf.d/openid_connect.server_conf; <br>
set $oidc_authz_endpoint "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/auth";<br>
set $oidc_token_endpoint "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/token";<br>
set $oidc_client         "NGINX-Plus";<br>
set $oidc_client_secret  "acdce7.......7460";<br>
set $oidc_jwt_keyfile    "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/certs";<br>
set $oidc_hmac_key       "38...asfumg3";</p>
<p><br>
</p>
<p>c) location part</p>
<p>auth_jwt "" token=$session_jwt;<br>
error_page 401 = @do_oidc_flow;<br>
auth_jwt_key_request /_jwks_uri;<br>
</p>
<p>proxy_set_header username $jwt_claim_sub;<br>
proxy_pass      https://appbackend.domain.com;<br>
<br>
<br>
</p>
<p>2. Keycloak: <a href="https://keycloak.domain.com">https://keycloak.domain.com</a></p>
<p>Keycloak is running as a docker on separated virtual machine keycloak1.domain.com.</p>
<p>Port redirection:</p>
<p>- tcp/80 -> tcp/8080</p>
<p>- tcp/443 -> tcp/8443</p>
<p>SSL certificate is installed and activated.</p>
<p><br>
</p>
<p>1. Headers set: <br>
proxy_set_header X-Forwarded-Proto $scheme;<br>
proxy_set_header Host $host; <br>
proxy_set_header Forwarded "$proxy_add_forwarded;proto=$scheme";<br>
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br>
proxy_set_header Referer $http_referer;<br>
proxy_set_header X-Real-IP $remote_addr;<br>
proxy_set_header X-Forwarded-Port $server_port;<br>
proxy_set_header Upgrade $http_upgrade;<br>
proxy_set_header Connection "upgrade";<br>
</p>
<p><br>
</p>
<p>2. Backend</p>
<p>proxy_pass      <a href="https://keycloak1.domain.com">https://keycloak1.domain.com;</a></p>
<p>## Same issue if HTTP is user instead of HTTPS</p>
<p><br>
</p>
<p>3. Client configuration - admin part</p>
<p>Valid Redirect URIs: <a href="https://app.domain.com:443/_codexch">https://app.domain.com:443/_codexch</a></p>
<p><br>
</p>
<p>NGINX logs</p>
<p> /var/log/nginx/app.domain.com-access.log <==<br>
remote_addr=184.55.14.22 - remote_user=- time_local=[17/Oct/2021:09:06:17 +0200] request="GET / HTTP/2.0" status=302 body_bytes_sent=145 http_referer="-" http_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" http_x_forwarded_for="-"
 request_time=0.002 upstream_connect_time="-" upstream_header_time="-" upstream_response_time="-" server_name=app.domain.com uri="/"<br>
<br>
<br>
==> /var/log/nginx/keycloak.domain.com-access.log <==<br>
remote_addr=184.55.14.22 - remote_user=- time_local=[17/Oct/2021:09:06:17 +0200] request="GET /auth/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid+profile+email+offline_access&client_id=NGINX-Plus&redirect_uri=https://app.domain.com:443/_codexch&nonce=5--Pw-iCkTs1hR-3V6wgLkd2vZNC0ys0NM9fRR4D1c8&state=0
 HTTP/2.0" status=302 body_bytes_sent=0 http_referer="-" http_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" http_x_forwarded_for="-" request_time=0.032 upstream_connect_time="0.020" upstream_header_time="0.032"
 upstream_response_time="0.032" server_name=keycloak.domain.com uri="/auth/realms/master/protocol/openid-connect/auth"<br>
1c8&state=0 HTTP/2.0", status=302, waf_policy=Complete_OWASP_Top_Ten, waf_request_id=13388773729652827719, waf_action=PASSED, waf_action_reason=SECURITY_WAF_OK<br>
<br>
==> /var/log/nginx/app.domain.com-error.log <==<br>
2021/10/17 09:06:18 [error] 3352262#3352262: *406 connect() failed (111: Connection refused) while connecting to upstream, client: 184.55.14.22, server: app.domain.com, request: "GET /_codexch?state=0&session_state=0b783755-9b00-4b0f-9e63-1a047680272c&code=07ce9447-19a7-443f-abfb-54e92819a34a.0b783755-9b00-4b0f-9e63-1a047680272c.98d80b2d-9f0d-482a-bdfd-b680834bb9bc
 HTTP/2.0", subrequest: "/_token", upstream: "https://127.0.0.1:80/auth/realms/master/protocol/openid-connect/token", host: "app.domain.com"<br>
</p>
<p><br>
</p>
<p>Any help would be really appreciated.</p>
<p><br>
</p>
<p>Regards,</p>
<p><br>
</p>
<p>Jernej<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
</div>
</div>
</div>
</div>
</body>
</html>