从NGINX到Keycloak以2FA反向代理

时间:2018-04-23 11:56:57

标签: nginx keycloak nginx-reverse-proxy keycloak-services

我有NGINX的问题。另外,我将为您提供配置文件和架构架构的图片(https://ibb.co/niZCRx)。

我想通过nginx访问Keycloak并登录到它。我将它用作身份管理,我在其中登录了用户名和密码以及我检查证书的证书,即2FA。我的问题是,当我通过NGINX访问浏览器时,我没有弹出提交我的用户证书,但是然后转到第二步输入用户名和密码,但之后,Keycloak告诉我,我失踪了证书。

我尝试过的事情是,如果我将这些东西添加到配置文件中,proxy_ssl_certificate和proxy_ssl_certificate_key将传递它,但仅限于一个用户。例如,proxy_ssl_certificate和proxy_ssl_certificate_key是一个证书,来自用户joncheski的密钥并使用用户joncheski登录Keycloak将成功通过。但是,如果我想与其他用户登录,则不会通过,因为证书和用户名不相等。 我需要你的帮助。如何设置它以便更多用户工作。

nginx.conf:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024; 
}


http {


log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile            on;
tcp_nopush          on;
tcp_nodelay         on;
keepalive_timeout   65;
types_hash_max_size 2048;

server {

listen       443 ssl;
server_name  #SET NAME OF SERVER#;

#HTTPS-and-mTLS
proxy_ssl_verify        on;
proxy_ssl_verify_depth  2;
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_trusted_certificate #PATH OF PUBLIC CA CERTIFICATE#;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_certificate #PATH OF PUBLIC CERTIFICATE FROM SDP GATEWAY#;
ssl_certificate_key #PATH OF PRIVATE KEY FROM SDP GATEWAY#;
ssl_trusted_certificate #PATH OF PUBLIC CA CERTIFICATE#;
ssl_client_certificate #PATH OF PUBLIC CA CERTIFICATE#;
ssl_verify_client off;
ssl_session_tickets on;
ssl_session_cache   shared:SSL:40m;
ssl_session_timeout 4h;


location '/auth' {
        proxy_pass #SET HOST TO IDENTITY MANAGEMENT#;
        proxy_set_header X-Real-IP $remote_addr;              proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_http_version 1.1;

}

    location '/' {
        proxy_pass #SET HOST TO REDIRECT GUI REQUEST#;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;

}

} }

祝你好运, Goce Joncheski

0 个答案:

没有答案
相关问题
最新问题