我正在尝试使用keycloak代理设置auth_request,但它不起作用(Nginx返回500状态代码(。
这是我的例子:
nginx.conf
upstream target_host {
server prometheus:9090;
}
upstream oauth_host {
server keycloak-proxy:8181;
}
server {
listen 80;
server_name myexample.com;
location = /oauth2/ {
proxy_pass http://oauth_host/oauth2/;
proxy_redirect default;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Content-Length "";
proxy_pass_request_body off;
}
location / {
auth_request /oauth2/;
proxy_pass http://target_host/;
}
}
proxy.json
{
"target-url": "http://myexample.com/",
"target-request-timeout": "60000",
"send-access-token": true,
"bind-address": "0.0.0.0",
"http-port": "8181",
"applications": [
{
"base-path": "/oauth2/",
"proxy-address-forwarding": true,
"adapter-config": {
"realm": "test",
"disable-trust-manager": true,
"resource": "account",
"auth-server-url": "https://keycloak:8443/auth",
"ssl-required" : "external",
"credentials": {
"secret": "75ddbbd9-e98c-437e-9815-a8b66e9e58ec"
}
}
,
"constraints": [
{
"pattern": "/*",
"roles-allowed": [
"custom_role"
]
}
]
}
]
}
Nginx 日志:
172.19.0.1 - - [03/Sep/2018:14:50:14 +0200] "GET / HTTP/1.1" 500 193 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0" "-"
172.19.0.1 - - [03/Sep/2018:14:50:14 +0200] "GET / HTTP/1.1" 500 193 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0" "-"
2018/09/03 14:50:14 [error] 8#8: *21 auth request unexpected status: 302 while sending to client, client: 172.19.0.1, server: myexample.com, request: "GET / HTTP/1.1", host: "myexample.com"
2018/09/03 14:50:14 [error] 8#8: *23 auth request unexpected status: 302 while sending to client, client: 172.19.0.1, server: myexample.com, request: "GET / HTTP/1.1", host: "myexample.com"
- http://keycloak-proxy:8181 -> 密钥斗篷代理
- https://keycloak:443 ->钥匙斗篷
- http://prometheus:9090 -> 普罗米修斯
- http://myexample.com -> 恩金克斯
我想知道如何正确设置auth_request。 谁能帮忙?
谢谢
您对oAuth2服务的请求正在使用302HTTP代码重定向,也许如果您遵循重定向,它会为您提供所需的响应。
location = /oauth2/ {
# Other stuff..
# You may need to comment out this:
# proxy_redirect default;
# Then, add this:
proxy_intercept_errors on;
error_page 302 = @handle_redirect;
}
location @handle_redirect {
set $saved_redirect_location '$upstream_http_location';
proxy_pass $saved_redirect_location;
}