我有一个示例应用程序,可以在没有nginx的情况下在本地正确保护其余的api。现在,当我把它放在nginx代理后面的生产中时,它不起作用。没有错误。它允许所有请求。
使用ssl的前端服务器是https://frontend.com
ssl的后端服务器是https://backend.com
Keycloak代理转发是真的
前端服务器(9000上的节点服务器)< - > NGINX< - > Keycloak(运行于8180)
nginx文件样本
upstream keycloak_server {
server localhost:8180;
}
upstream node_server {
server localhost:9000;
}
location /auth/ {
proxy_pass http://keycloak_server;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
proxy_pass http://node_server;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
前端服务器使用Angular调用后端api。 REST api调用看起来像https://backend.com/callTest
后端服务器(在tomcat上运行)< - > NGINX< - > Spring Boot(带钥匙扣)
nginx样本
location / {
proxy_pass http://127.0.0.1:8080/dt-1.0/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
看起来像
{
"realm": "demo",
"auth-server-url": "https://frontend.com/auth",
"ssl-required": "none",
"resource": "tutorial-frontend",
"public-client": true
}
在spring boot keycloak属性看起来像
keycloak.auth-server-url=https://frontend.com/auth
keycloak.realm=demo
keycloak.resource=tutorial-frontend
keycloak.public-client=true
keycloak.bearer-only = true
keycloak.cors = true
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*
请告诉我如何更正此问题。我真的很感激。
答案 0 :(得分:0)
三年后,我遇到了同样的问题。也许你已经解决了,但我想还有很多人和我一样遇到过这个问题。我的解决方案是使用 openresty。你会发现很多 openresty 的教程或代码片段。这里就不多说了。
我只是在openresty认证通过后把access_token放在请求头中,就像这样
local opts = {
redirect_uri_path = "/redirect_uri",
discovery = "https://a.b.c.d:8093/auth/realms/xxx/.well-known/openid-configuration",
client_id = "client_id",
client_secret = "client_secret",
redirect_uri_scheme = "https",
logout_path = "/logout",
redirect_after_logout_uri = "https://a.b.c.d:8093/auth/realms/xxx/protocol/openid-connect/logout?redirect_uri=https://a.b.c.d:8093/",
scope = "openid email",
access_token_expires_leeway = 0,
accept_none_alg = false,
accept_unsupported_alg = false,
renew_access_token_on_expiry = true,
session_contents = {access_token=true, id_token = true}
}
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
ngx.req.set_header("Authorization", "Bearer " .. res.access_token)
在nginx配置文件中,我是这样做的
location /auth/ {
proxy_pass http://keycloak:8080/auth/;
proxy_set_header Host $host:$server_port;
}
location / {
access_by_lua_block {
require("oidc/acc")()
}
try_files $uri $uri/ /index.html;
index index.html;
}
location /api/ {
access_by_lua_block {
require("oidc/acc")()
}
proxy_set_header Host $host:$server_port;
proxy_pass http://gateway:8881/api/;
}