Welcome! Log In Create A New Profile

Advanced

Reverse proxy from NGINX to Keycloak with 2FA

Posted by Joncheski 
Forum List Message List New Topic
Joncheski
Reverse proxy from NGINX to Keycloak with 2FA
April 18, 2018 05:21PM
Hello all,

I have a problem with NGINX. In addition, I will provide you with a configuration file and a picture of the architecture schema.

I want to access Keycloak via nginx and log in to it. I use it as an Identity Management where I have a login with a username and password and a certificate where I check the certificate, that is 2FA. My problem is that when I access the browser through NGINX, I do not get popup to submit my user certificate, but then go to the second step to enter a username and password, but after that, Keycloak tells me I'm missing a certificate.

Something I've tried and worked on is if I add these things to the configuration file, proxy_ssl_certificate and proxy_ssl_certificate_key will pass it on, but only for one user. An example if proxy_ssl_certificate and proxy_ssl_certificate_key are a certificate and a key from the user joncheski and log in to Keycloak with the user joncheski will pass successfully. But if I want to log in with another user, it will not pass, because the certificate and the username are not equal.
I need your help. How to set this up for more users to work.

nginx.conf:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
worker_connections 1024;
}

http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;

server_name nginx.poc.com;

proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_certificate /etc/nginx/certs/server/SERVER.crt;
ssl_certificate_key /etc/nginx/certs/server/SERVER.key;
ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;

#KEYCLOAK
location '/auth' {
proxy_pass https://keycloak.poc.com:8443/auth;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_http_version 1.1;

}
}
}

Best regards,
Goce Joncheski
Reply Quote
Attachments:
open | download - nginx.conf (2.3 KB)
open | download - shema.jpg (51.2 KB)
Newer Topic Older Topic
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 286
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready