我将Apache httpd配置为具有SSL的反向代理。我正试图在代理服务器后面使用http来配置密钥斗篷和鳄梨酱。我使用的是keycloft、mysql、guacd和guacamole容器。我让整个流程一直工作,直到keyclock试图重定向回鳄梨酱页面。FYI。。。我的配置与下面的问题非常相似,但下面显示了一个不同的访问错误:如何配置Keycapture以使用Guacamole';s的OpenID插件?
因此,用户通过以下方式访问Web服务器:https://example.com/guacamole/.Httpd重定向到http://guacamole:8080/guacamole.Guacamole重定向到密钥斗篷进行身份验证。以有效用户身份登录,重定向到鳄梨酱失败。
我的鳄梨酱配置为:
openid-jwks-endpoint: https://example.com/auth/realms/Guacamole-test/protocol/openid-connect/certs
openid-issuer: https://example.com/auth/realms/Guacamole-test
openid-client-id: Guacamole
openid-redirect-uri: https://example.com/guacamole/
我的httpd配置:
ServerName example.com
SSLEngine On
SSLCertificateFile /opt/test.crt
SSLCertificateKeyFile /opt/test.key
ProxyPass /guacamole/ http://guacamole:8080/guacamole/ flushpackets=on
ProxyPassReverse /guacamole/ http://guacamole:8080/guacamole/
ProxyPass /guacamole/websocket-tunnel ws://guacamole:8080/guacamole/websocket-tunnel
ProxyPassReverse /guacamole/websocket-tunnel ws://guacamole:8080/guacamole/websocket-tunnel
ProxyPass /auth/ http://keycloak:8080/auth/
ProxyPassReverse /auth/ http://keycloak:8080/auth/
</VirtualHost>
我在鳄梨酱中出现以下错误:
INFO o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "bSv9K9W2us7SaUamJP3bWD1HWJuo6hbne2t3Gsc6V44"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while obtaining or using keys from JWKS endpoint at https://example.com/auth/realms/ocprealm/protocol/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "bSv9K9W2us7SaUamJP3bWD1HWJuo6hbne2t3Gsc6V44"}->eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiU3Y5SzlXMnVzN1NhVWFtSlAzYldEMUhXSnVvNmhibmUydDNHc2M2VjQ0In0.eyJleHAiOjE2MDc5MDE3NDAsImlhdCI6MTYwNzkwMDg0MCwiYXV0aF90aW1lIjoxNjA3OTAwODI1LCJqdGkiOiJhYmI1MDY5Zi01MTYzLTQ2ZjUtODA2ZC05M2ZkODU2YmQxMzciLCJpc3MiOiJodHRwczovL3Vzd2Rzcy5wcm9nZW55Lm5ldC9hdXRoL3JlYWxtcy9vY3ByZWFsbSIsImF1ZCI6Ikd1YWNhbW9sZSIsInN1YiI6IjE4MDRjOWJiLTZiOTEtNDY0YS04N2I1LWQ4MDNiY2Y3YWZmNCIsInR5cCI6IklEIiwiYXpwIjoiR3VhY2Ftb2xlIiwibm9uY2UiOiJoazc5NmlmZHUwdmdvcjJxcnZidDNqZmowcCIsInNlc3Npb25fc3RhdGUiOiJiZWNjZTZmOS01MDQ2LTQzMWEtOTQzNy1hMDczYTRhNDZhNGIiLCJhY3IiOiIwIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoiR3V5IFNoZXBoZXJkIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZ3NoZXBoZXJkIiwiZ2l2ZW5fbmFtZSI6Ikd1eSIsImZhbWlseV9uYW1lIjoiU2hlcGhlcmQiLCJlbWFpbCI6ImdzaGVwaGVyZEBwcm9nZW55Lm5ldCJ9.Fm2Vfep4N611KwSJc6MvhH80C3wca_T2If1YSVhzZdeC2eVh-v0_OCnEshcl_huta4a2VqolraqmqMDaxalAdnHO4jes71a2ndDfwoCnp1B06EBPL8kNnQeIHNM3fYps2GuhBqWLmfDDSIvXPlcnctrPKop8PQDglHSsiJOGgWgzfrQbG1zFlw0jupJVaYGY6P8q3Lji5ryIcStNATcuf1dCvF_v1oqoacYsRNFljyg7Xf0ZQIuA53xY3czKkiVVqZt55LArjAv1cPmrekkf77NlGpFzPbyw29_yItAy1rPqxfYphYDCm55qM97agjIE7WsKKC5lHwZ6gCWoMIcrMw
我不明白为什么它试图在最终重定向时使用SSL验证。我相信在密钥斗篷验证登录并尝试重定向回https://example.com/guacamole/httpd配置应该将其代理到http://guacamole:8080/guacamole.我还尝试过根据keycloft文档使用tls.key和tls.crt配置keycloft,看看它是否有什么不同,但没有。任何帮助都将不胜感激,因为我显然缺少或不了解配置中的某些内容。
您正在使用OIDC,因此当Guacamole收到JWT密钥时,它正在尝试验证令牌的签名。要做到这一点,它必须(通过https(联系key斗篷来检索用于签名令牌的公钥。这是由于SSL握手错误而失败的。Guacamole的JVM可能不信任SSL证书,因此需要将其导入JVM密钥库。
我不认为这与您的问题有关,但当在代理后面运行这样的Keycloft时,需要设置一些属性。我在Docker中运行Keycloft,您可以使用环境变量来完成它。这两个设置相当关键:
KEYCLOAK_FRONTEND_URL="https://hostname/auth/"
PROXY_ADDRESS_FORWARDING="true"
如果你没有使用Docker版本,你可以很容易地将这些值转换为Keycloft,当它从这里开始时:https://github.com/keycloak/keycloak-containers/blob/11.0.3/server/tools/docker-entrypoint.sh