
Allow overriding the host header using X-Forwarded-Host


Describe the bug

I run an httpd server as a reverse proxy in front of a Keycloak. The TLS termination is done by the httpd server. In order to pass the incoming requests to the keycloak node we use a secured connection via https with a self-signed CA which is set up for the whole internal backend infrastructure.

The Proxy User Guide expects a preserved Host header, which is not possible since this will fail the certificate check during the proxy action.

If I do not preserve the Host to keycloak and navigate to the admin console, the browser wants to load a resource which is of the same origin as the Host header (which is the internal keycloak address), not the X-Forwarded-For value. The admin console cannot be loaded because the browser cannot directly load anything from the internal backend network.

curl -v https://somepublic.domain.com/auth/admin/master/console/ returns an HTML response which contains a script resource with the URL stage-kc: <script src="https://stage-kc/auth/js/keycloak.js?version=dvfah" type="text/javascript"></script>

Same for authUrl of the master console => this is an internal address; this should either not be relevant or should be exposed to the public.

    <script type="text/javascript">
        var authServerUrl = 'https://somepublic.domain.com/auth';
        var authUrl = 'https://stage-kc/auth';
        var consoleBaseUrl = '/auth/admin/master/console/';
        var resourceUrl = '/auth/resources/dvfah/admin/keycloak';
        var masterRealm = 'master';
        var resourceVersion = 'dvfah';
    </script>

I also tried with the feature admin2, which also fails loading and even makes requests to

http://127.0.0.1:8080/auth/admin/master/console/whoami

Version

17.0.1

Expected behavior

The UI resource URLs respect the set X-Forwarded-For header and do not rely on the Host header.

It should return a public-facing URL: <script src="https://somepublic.domain.com/auth/js/keycloak.js?version=dvfah" type="text/javascript"></script>

Actual behavior

Do not rely on the Host header for the URL path. Rather use the X-Forwarded-* header values.

How to Reproduce?

Apache httpd config:

<Location /auth>
    ProxyPass            https://STAGE-KC:8343/auth
    ProxyPassReverse     https://STAGE-KC:8343/auth
    ProxyPassReverseCookieDomain  "STAGE-KC"  "somepublic.domain.com"
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Forwarding-For "somepublic.domain.com"
    RequestHeader set X-Forwarded-For "somepublic.domain.com"
    RequestHeader set X-Forwarded-Host "somepublic.domain.com"
</Location>

keycloak.conf:

proxy=reencrypt
hostname=stage-kc
http-enabled=true
http-host=0.0.0.0
http-port=8383
https-port=8343
http-relative-path=/auth

spi-x509cert-lookup-apache-ssl-client-cert=SSL_CLIENT_CERT
spi-x509cert-lookup-apache-ssl-cert-chain-prefix=CERT_CHAIN
spi-x509cert-lookup-apache-certificate-chain-length=2

For the Keycloak build I used --spi-x509cert-lookup-provider=apache.

Anything else?

No response
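The issue boils down to which header a backend behind a reverse proxy should use to build the absolute URLs it embeds in pages (authUrl, script src). The helper below is an added illustration written for this page, not Keycloak's own code: it honours X-Forwarded-Host/Proto/Port only when a proxy mode other than none is configured and the request really arrived from the configured proxy address, and it checks the resulting hostname against an allow-list before reflecting it. The proxy address and allow-list are constructed values; it also goes beyond the issue by handling comma-separated forwarded values from chained proxies and requests that bypass the proxy.

```python
# Hypothetical helper, not Keycloak's code: derive the public base URL that a
# backend should embed in generated pages (like authUrl in the issue above).

TRUSTED_PROXIES = {"10.0.0.5"}  # constructed: address of the httpd in front of Keycloak
ALLOWED_HOSTS = {"somepublic.domain.com", "stage-kc"}  # constructed allow-list
DEFAULT_PORTS = {"http": "80", "https": "443"}


def _first(value):
    """First element of a possibly comma-separated header (closest to the client)."""
    return value.split(",")[0].strip()


def public_base_url(headers, peer_ip, proxy_mode="none", conn_scheme="http",
                    relative_path="/auth"):
    """Return scheme://host[:port]/relative_path as the browser should see it.

    X-Forwarded-* is trusted only if proxy_mode != "none" (the keycloak.conf
    proxy=reencrypt case) AND the TCP peer is the configured reverse proxy;
    otherwise the connection's own Host header and scheme are used.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    host, scheme, port = h.get("host", ""), conn_scheme, None
    if proxy_mode != "none" and peer_ip in TRUSTED_PROXIES:
        # Trusted proxy: prefer the forwarded values, fall back to Host.
        host = _first(h.get("x-forwarded-host", "")) or host
        scheme = _first(h.get("x-forwarded-proto", "")) or scheme
        port = _first(h.get("x-forwarded-port", "")) or None
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}")
    hostname, _, host_port = host.partition(":")
    if hostname not in ALLOWED_HOSTS:
        # Reject rather than reflect: an unchecked Host/X-Forwarded-Host would
        # otherwise end up in the links and redirects served to the browser.
        raise ValueError(f"host not allowed: {hostname!r}")
    port = port or host_port or DEFAULT_PORTS[scheme]
    netloc = hostname if port == DEFAULT_PORTS[scheme] else f"{hostname}:{port}"
    return f"{scheme}://{netloc}{relative_path}"


if __name__ == "__main__":
    # Constructed request as the httpd config in the issue would forward it.
    hdrs = {"Host": "stage-kc:8343", "X-Forwarded-Host": "somepublic.domain.com",
            "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}
    print(public_base_url(hdrs, "10.0.0.5", "reencrypt", "https"))
```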


stianst commented, Mar 30, 2022

Forgot about that one. Yeah, so we definitely need to support X-Forwarded-For, which should just be enabled when proxy != none.

joao-rebelo commented, Mar 30, 2022

Hi,

Just upvoting as I'm facing the same issue on a docker-compose environment with Spring Cloud Gateway in front. Keycloak Admin is returning with the internal container name instead of respecting the X-Forwarded-For. This is now visible due to the Hostname changes for Admin that were introduced with 17.0.1.

Details for my scenario are described at Discourse: https://keycloak.discourse.group/t/keycloak-17-0-1-admin-console-on-edge-mode/14584

Had to revert back to 17.0.0 to resume work.
