【发布时间】:2021-03-24 16:03:53
【问题描述】:
我已将 Apache httpd 配置为带有 SSL 的反向代理。我正在尝试在代理后面使用 http 配置 keycloak 和 guacamole。我正在使用 keycloak、mysql、guacd 和 guacamole 容器。我的整个流程都在工作,直到 keycloak 尝试重定向回鳄梨酱页面。仅供参考...我的配置与以下问题非常相似,但不同的访问错误如下所示:How to configure Keycloak to work with Guacamole's OpenID plugin?
因此,用户通过:https://example.com/guacamole/ 访问网络服务器。 Httpd 重定向到 http://guacamole:8080/guacamole。鳄梨酱重定向到 keycloak 进行身份验证。以有效用户身份登录,重定向到 guacamole 失败。
我的鳄梨酱配置为:
openid-jwks-endpoint: https://example.com/auth/realms/Guacamole-test/protocol/openid-connect/certs
openid-issuer: https://example.com/auth/realms/Guacamole-test
openid-client-id: Guacamole
openid-redirect-uri: https://example.com/guacamole/
我的httpd配置:
ServerName example.com
SSLEngine On
SSLCertificateFile /opt/test.crt
SSLCertificateKeyFile /opt/test.key
ProxyPass /guacamole/ http://guacamole:8080/guacamole/ flushpackets=on
ProxyPassReverse /guacamole/ http://guacamole:8080/guacamole/
ProxyPass /guacamole/websocket-tunnel ws://guacamole:8080/guacamole/websocket-tunnel
ProxyPassReverse /guacamole/websocket-tunnel ws://guacamole:8080/guacamole/websocket-tunnel
ProxyPass /auth/ http://keycloak:8080/auth/
ProxyPassReverse /auth/ http://keycloak:8080/auth/
</VirtualHost>
我在鳄梨酱中遇到以下错误:
INFO o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "bSv9K9W2us7SaUamJP3bWD1HWJuo6hbne2t3Gsc6V44"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while obtaining or using keys from JWKS endpoint at https://example.com/auth/realms/ocprealm/protocol/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "bSv9K9W2us7SaUamJP3bWD1HWJuo6hbne2t3Gsc6V44"}->eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiU3Y5SzlXMnVzN1NhVWFtSlAzYldEMUhXSnVvNmhibmUydDNHc2M2VjQ0In0.eyJleHAiOjE2MDc5MDE3NDAsImlhdCI6MTYwNzkwMDg0MCwiYXV0aF90aW1lIjoxNjA3OTAwODI1LCJqdGkiOiJhYmI1MDY5Zi01MTYzLTQ2ZjUtODA2ZC05M2ZkODU2YmQxMzciLCJpc3MiOiJodHRwczovL3Vzd2Rzcy5wcm9nZW55Lm5ldC9hdXRoL3JlYWxtcy9vY3ByZWFsbSIsImF1ZCI6Ikd1YWNhbW9sZSIsInN1YiI6IjE4MDRjOWJiLTZiOTEtNDY0YS04N2I1LWQ4MDNiY2Y3YWZmNCIsInR5cCI6IklEIiwiYXpwIjoiR3VhY2Ftb2xlIiwibm9uY2UiOiJoazc5NmlmZHUwdmdvcjJxcnZidDNqZmowcCIsInNlc3Npb25fc3RhdGUiOiJiZWNjZTZmOS01MDQ2LTQzMWEtOTQzNy1hMDczYTRhNDZhNGIiLCJhY3IiOiIwIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoiR3V5IFNoZXBoZXJkIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZ3NoZXBoZXJkIiwiZ2l2ZW5fbmFtZSI6Ikd1eSIsImZhbWlseV9uYW1lIjoiU2hlcGhlcmQiLCJlbWFpbCI6ImdzaGVwaGVyZEBwcm9nZW55Lm5ldCJ9.Fm2Vfep4N611KwSJc6MvhH80C3wca_T2If1YSVhzZdeC2eVh-v0_OCnEshcl_huta4a2VqolraqmqMDaxalAdnHO4jes71a2ndDfwoCnp1B06EBPL8kNnQeIHNM3fYps2GuhBqWLmfDDSIvXPlcnctrPKop8PQDglHSsiJOGgWgzfrQbG1zFlw0jupJVaYGY6P8q3Lji5ryIcStNATcuf1dCvF_v1oqoacYsRNFljyg7Xf0ZQIuA53xY3czKkiVVqZt55LArjAv1cPmrekkf77NlGpFzPbyw29_yItAy1rPqxfYphYDCm55qM97agjIE7WsKKC5lHwZ6gCWoMIcrMw
我不明白为什么它试图在最终重定向上使用 SSL 验证。我相信在 keycloak 验证登录并尝试重定向回https://example.com/guacamole/ 之后,httpd 配置应该将其代理到 http://guacamole:8080/guacamole。我还尝试根据 keycloak 文档使用 tls.key 和 tls.crt 配置 keycloak,看看它是否有任何区别,但没有。 任何帮助将不胜感激,因为我显然缺少或不理解配置中的某些内容。
【问题讨论】:
-
您的
tls.crt(或/opt/test.crt)看起来不正确。你是如何产生它的? (盲目猜测让我们加密?)。您能否提供真实的 URL,而不是通用的https://example.com/用于证书路径验证? -
鳄梨酱默认情况下只会记录“信息”级别或更高级别的消息。您可以将 guacamole 配置为记录“调试”消息以查找更多信息。这需要将
logback.xml文件放置在GUACAMOLE_HOME。您可以在这里找到详细信息:guacamole.apache.org/doc/1.2.0/gug/… -
您是否忘记在您的鳄梨酱配置文件中为
openid-authorization-endpoint提供值?openid扩展中似乎需要它。参考:guacamole.apache.org/doc/gug/openid-auth.html
标签: keycloak httpd.conf guacamole