Hello,
my setup is like this.
shinyproxy runs in a docker container with name shiny-proxy.
apache httpd reverse proxy runs before shinyproxy and convert it to https and runs on the host with port 2443
keycloak is also runs in docker container but the port is open on the host with 8443.
setup, application.xml
keycloak:
realm: shiny
auth-server-url: https://keycloak:8443/auth
#ssl-required: none
ssl-required: external
confidential-port: 2443
verify-token-audience: true
resource: shiny-proxy-p1
credentials-secret: xxxxxxxxxxxx
apache reverse proxy configuration
<VirtualHost *:2443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server-cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/server-cert.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile /etc/apache2/ssl/server-ca.crt
<Proxy *>
Allow from *
</Proxy>
RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket
RewriteRule /(.*) ws://shiny-proxy:8080/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket
RewriteRule /(.*) http://shiny-proxy:8080/$1 [P,L]
ProxyPass / http://shiny-proxy:8080/
ProxyPassReverse / http://shiny-proxy:8080/
ProxyRequests Off
ErrorLog ${APACHE_LOG_DIR}/proxy_error.log
CustomLog ${APACHE_LOG_DIR}/proxy_access.log combined
</VirtualHost>
Let's say when access shinyprox via apache with URL https://lxsqlpocnd04:2443/
it will redirect to login page and the login page redirect request to Keycloak host lxsqlpocnd04 and port 8443. in that URL there is query string which includes redirect_uri but it is not the one expected.
the URL is like this
https://lxsqlpocnd04:8443/auth/realms/shiny/protocol/openid-connect/auth?response_type=code&client_id=shiny-proxy-p1&redirect_uri=http%3A%2F%2Fshiny-proxy%3A8080%2Fsso%2Flogin&state=00f5e087-e6a9-4768-8cf8-39d77500fea3&login=true&scope=openid
And the redirect_uri is http://shiny-proxy:8080/sso/login other than https://lxsqlpocnd04:2443/sso/login
could someone help ?
Thanks,
Robin
Did you set this in application.yml?
server:
useForwardHeaders: true
From here: https://www.shinyproxy.io/security/#https-ssl-tls
Not sure what the Apache equivalent is but in nginx this is probably what fixes your issue:
proxy_set_header Host $http_host;
@aiham Thanks.
I have it working. It is because of missing useForwardHeaders: true
im using useForwardHeaders: true but still having the issue
@danielfm123
im using useForwardHeaders: true but still having the issue
There is another possibility related to SSL certs. If your certs installed on Keycloak is not public trusted(the root and intermediate CA is not in the default trust list from Java), you need to add them in the JRE default trusted CA. The JRE is the one that runs your Shinyproxy.
the default location is JAVA_HOME---> JRE -->lib---> security--> cacerts JAVA_HOME---> JRE -->lib---> security--> cacerts
commands to import like this.
keytool -import -noprompt -alias -your-root -file /opt/jboss/your-root.crt -keystore /etc/pki/java/cacerts -storepass changeit
I did it, it doesnt work, i tried shinyproxy 2.3.1 instead of 2.4.1 and it send's the correct redirect_uri, but only works in some browsers, in the rest I get err_too_many_redirects
Is your certs public trusted? I ran into this during the testing phase the certs are not public trusted. You need to import the Root CA and Intermediate CA to Browser trusted store. Each browser is different, depends on your OS and Browser. In my case, I am using Windows, after I import Certs to the trusted zone and Both IE and Chrome work fine after that.
Here is my suggestion,
It is validated with certbot.... I managed to make it work with shinyproxy 2.3.1 and a different active directory account...
But there is a bug on shinyproxy 2.4.1 and 2.4.0
Hi @danielfm123 , I checked a few things here, and I cannot reproduce any problems with redirect_uri in ShinyProxy 2.4.0/1.
Can you open a new issue with the following information? That way I can look into it and see whether there is a bug.
I have the same issue.
Setup with keycloak, apache2 reverse proxy and shinyproxy 2.3.1 works fine. I run shinyproxy via Docker. Shinyproxy correctly redirects to https://testauth.example.com.
When I switch to shinyproxy 2.4.1 the redirect_uri contains the internal IP (http://192.168.51.27:8082) instead of the address that is accesible from outside and I get an error : "Invalid parameter: redirect_uri".
This is the relevant part of my application.yml:
proxy:
title: AUTHTEST
hide-navbar: false
template-path: /templates
favicon-path: /www/favicon.png
heartbeat-rate: 10000
heartbeat-timeout: 600000
port: 8080
admin-groups: admin
container-wait-time: 30000
authentication: keycloak
keycloak:
realm: shinyr
auth-server-url: http://192.168.51.122:8080/auth
resource: shinyr
credentials-secret: <secret>
docker:
internal-networking: true
specs:
- id: test
display-name: Euler App
description: Test App
container-cmd: ["R", "-e", "shiny::runApp('/root/euler')"]
container-image: saletelligence/test
container-network: authtest_authtest_net
access-groups: [admin, pm]
logging:
file:
shinyproxy.log
server:
useForwardHeaders: true
This is the apache config:
<VirtualHost *:443>
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
ServerName testauth.example.com
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket
RewriteRule /(.*) ws://192.168.51.27:8082/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket
RewriteRule /(.*) http://192.168.51.27:8082/$1 [P,L]
ProxyRequests Off
ProxyPass "/" "http://192.168.51.27:8082/"
ProxyPassReverse "/" "http://192.168.51.27:8082/"
SSLProxyEngine On
SSLEngine On
SSLCertificateFile /etc/apache2/sslcert/example.crt
SSLCertificateKeyFile /etc/apache2/sslcert/example_pem.key
SSLCACertificateFile /etc/apache2/sslcert/example_bundle.pem
</VirtualHost>
Hi @eastclintw00d
Please try to use:
server:
forward-headers-strategy: "native"
Instead of
server:
useForwardHeaders: true
Thanks!
Hi @LEDfan
That solved the problem.
Thank you for the quick response!
That works but it kills the package DT
@danielfm123 Are you sure you are running shinyproxy 2.4.1? DT is working fine for me.
@danielfm123 @eastclintw00d POST requests (as made e.g. by DT) don't work when using OIDC with current ShinyProxy (2.4.1). A fix by @LEDfan will be part of an upcoming release, but this is not the topic of this thread.
The issue with POST request is now fixed in the 2.4.2 release
Documentation relating to the original issue is updated.
I'll lock this issue, so that the issues stay maintainable for us.
Of course, as always don't hesitate to open a new issue if you encounter any problem!