Reverse proxy from NGINX to Keycloak with 2FA

Joncheski nginx-forum at forum.nginx.org
Mon Apr 23 08:43:26 UTC 2018


Hello all,

I have a problem with NGINX. In addition, I will provide you with a
configuration file and a picture of the architecture schema
(https://ibb.co/jqvc8c).

I want to access Keycloak via nginx and log in to it. I use it as an
Identity Management system where I have a login with a username and password and a
certificate, where I check the certificate; that is 2FA. My problem is that
when I access the browser through NGINX, I do not get a popup to submit my
user certificate, but go straight to the second step to enter a username and
password, and after that Keycloak tells me I'm missing a certificate.

Something I've tried that worked is adding proxy_ssl_certificate and
proxy_ssl_certificate_key to the configuration file; then the certificate is
passed on, but only for one user. For example, if proxy_ssl_certificate and
proxy_ssl_certificate_key are the certificate and key of the user
joncheski, and I log in to Keycloak as the user joncheski, the login passes
successfully. But if I want to log in with another user, it will not pass,
because the certificate and the username are not equal.
I need your help. How do I set this up so that it works for more users?

nginx.conf:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        server_name nginx.poc.com;

        # Upstream TLS (nginx -> Keycloak): verify Keycloak's server certificate
        # against ROOT-CA. No proxy_ssl_certificate here, so nginx presents no
        # client certificate of its own to Keycloak.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;

        # Frontend TLS (browser -> nginx). There is no ssl_verify_client /
        # ssl_client_certificate, so nginx never asks the browser for a
        # client certificate.
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_certificate /etc/nginx/certs/server/SERVER.crt;
        ssl_certificate_key /etc/nginx/certs/server/SERVER.key;
        ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;

        # KEYCLOAK
        location /auth {
            proxy_pass https://keycloak.poc.com:8443/auth;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_http_version 1.1;
        }
    }
}

Best regards,
Goce Joncheski

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279549,279549#msg-279549
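The pattern the post is missing, as an added example that is not the poster's configuration: because the browser's TLS session ends at nginx, Keycloak can only see a per-user certificate if nginx requests it from the browser and forwards it in a request header, while any proxy_ssl_certificate on the upstream side is nginx's own service identity, not a user's. The paths, the PROXY.crt/PROXY.key service certificate and the ssl-client-cert header name are assumptions; Keycloak's x509cert-lookup SPI has an nginx provider that reads the certificate from a configurable header, and that Keycloak-side configuration is not shown here.

```nginx
# Added example (not the poster's config): nginx terminates the browser TLS
# session, asks the browser for a client certificate, and forwards that
# certificate to Keycloak in a request header. All paths and the header
# name are assumptions for this illustration.
server {
    listen 443 ssl http2;
    server_name nginx.poc.com;

    ssl_certificate     /etc/nginx/certs/server/SERVER.crt;
    ssl_certificate_key /etc/nginx/certs/server/SERVER.key;

    # CA that issued the *user* certificates. This is what makes the browser
    # show its certificate prompt: nginx now requests a client certificate.
    ssl_client_certificate /etc/nginx/certs/ca/ROOT-CA.crt;
    # 'optional' lets a user without a certificate still reach the Keycloak
    # login page (Keycloak then decides the 2FA outcome); 'on' would reject
    # the TLS handshake outright. optional_no_ca leaves chain validation
    # entirely to Keycloak.
    ssl_verify_client optional;
    ssl_verify_depth  2;

    location /auth {
        proxy_pass https://keycloak.poc.com:8443/auth;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Per-request user certificate (URL-encoded PEM) plus nginx's own
        # verification result. The header name must match what Keycloak's
        # nginx x509cert-lookup provider is configured to read (assumed
        # here). proxy_set_header also overwrites any value a client tried
        # to send in this header itself.
        proxy_set_header ssl-client-cert   $ssl_client_escaped_cert;
        proxy_set_header ssl-client-verify $ssl_client_verify;

        # nginx -> Keycloak TLS: verify Keycloak's server cert. If Keycloak's
        # HTTPS listener requires a client certificate from the proxy, this
        # is the proxy's own service identity (assumed path), never a user's.
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_protocols    TLSv1.2;
        proxy_ssl_certificate     /etc/nginx/certs/proxy/PROXY.crt;
        proxy_ssl_certificate_key /etc/nginx/certs/proxy/PROXY.key;
    }
}
```

Keycloak must then only accept traffic arriving through nginx (bind the listener or firewall port 8443 accordingly), because a header-based certificate lookup trusts whoever can reach Keycloak directly.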



More information about the nginx mailing list