I’ve been asked to use AWS CloudFront in front of Keycloak.
The setup is:
CloudFront -> ALB -> ECS Fargate (2x Keycloak)
I’ve set up CloudFront to forward the Host header, and not cache for /auth/admin* and /auth/realms/*.
I’m doing some debugging on the request headers that make it to Keycloak.
- when hitting the ALB directly:
{
  "Host": [
    "host.foo.bar"
  ],
  "X-Forwarded-For": [
    "82.64.214.156"
  ],
  "X-Amzn-Trace-Id": [
    "Root=1-61b9eba3-68d9df4826fd20125b7f07c3"
  ],
  "user-agent": [
    "curl/7.77.0"
  ],
  "accept": [
    "*/*"
  ],
  "X-Forwarded-Port": [
    "443"
  ],
  "X-Forwarded-Proto": [
    "https"
  ]
}
- when hitting the CloudFront distribution:
{
  "X-Forwarded-Proto": [
    "https"
  ],
  "Via": [
    "2.0 b59465a36dda3b4ec573f7a87861306c.cloudfront.net (CloudFront)"
  ],
  "X-Amz-Cf-Id": [
    "-1XMfUKyaV6iqnCj20jHappmkwSHxy1bOH7hDBhq3X5wRjSqf2yH5A=="
  ],
  "X-Forwarded-For": [
    "2a01:e0a:36c:e260:6874:8d9a:412a:675b, 64.252.114.52"
  ],
  "Host": [
    "xxxxxxxxxx.cloudfront.net"
  ],
  "X-Forwarded-Port": [
    "443"
  ],
  "User-Agent": [
    "Amazon CloudFront"
  ],
  "X-Amzn-Trace-Id": [
    "Root=1-61b9ebbd-7fc5826510ad113f0f27eeb3"
  ]
}
When I use the ALB endpoint, I have no problems. But when I use the CloudFront endpoint, I get an invalid request error (with nothing else in the logs):
[2021-12-15T14:24:53+01:00] (web/web/23d049a4c0a846c28c367fbd448be3fe) 13:24:53,463 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=2a01:e0a:36c:e260:6874:8d9a:412a:675b, error=invalid_request
Any ideas what I’m missing? Is there another header that needs to be forwarded?
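Added editor's example, not part of the post: a small Python check that loads the two header dumps above (values copied from the post) and flags which of the proxy-sensitive headers Keycloak relies on were rewritten between the direct and CloudFront paths. X-Forwarded-For is split into client and proxy hops instead of being compared for equality, because the two captures came from different clients.

```python
# Headers Keycloak relies on (with proxy address forwarding enabled) to rebuild
# the request URL. A reverse proxy must pass these through unchanged.
PROXY_SENSITIVE = ("host", "x-forwarded-proto", "x-forwarded-port")

VIA_ALB = {  # from the "hitting the ALB directly" dump in the post
    "Host": ["host.foo.bar"],
    "X-Forwarded-For": ["82.64.214.156"],
    "X-Forwarded-Port": ["443"],
    "X-Forwarded-Proto": ["https"],
    "user-agent": ["curl/7.77.0"],
}
VIA_CLOUDFRONT = {  # from the "hitting the CloudFront distribution" dump
    "Host": ["xxxxxxxxxx.cloudfront.net"],
    "X-Forwarded-For": ["2a01:e0a:36c:e260:6874:8d9a:412a:675b, 64.252.114.52"],
    "X-Forwarded-Port": ["443"],
    "X-Forwarded-Proto": ["https"],
    "User-Agent": ["Amazon CloudFront"],
}

def normalize(headers):
    """Lower-case names (header names are case-insensitive; note 'user-agent'
    vs 'User-Agent' in the dumps) and join multi-valued headers."""
    return {name.lower(): ", ".join(values) for name, values in headers.items()}

def forwarded_chain(headers):
    """Split X-Forwarded-For into its hops: [client, proxy1, proxy2, ...]."""
    xff = normalize(headers).get("x-forwarded-for", "")
    return [hop.strip() for hop in xff.split(",") if hop.strip()]

def client_ip(headers):
    """The leftmost X-Forwarded-For entry is the original client."""
    chain = forwarded_chain(headers)
    return chain[0] if chain else None

def proxy_hops(headers):
    """Every entry after the client was appended by an intermediate proxy."""
    return forwarded_chain(headers)[1:]

def proxy_header_diff(direct, proxied):
    """Return {header: (direct_value, proxied_value)} for each proxy-sensitive
    header that the proxy dropped or rewrote on its way to the origin."""
    a, b = normalize(direct), normalize(proxied)
    return {h: (a.get(h), b.get(h)) for h in PROXY_SENSITIVE if a.get(h) != b.get(h)}

if __name__ == "__main__":
    for name, (before, after) in proxy_header_diff(VIA_ALB, VIA_CLOUDFRONT).items():
        print(f"{name}: direct={before!r}  via CloudFront={after!r}")
    print("client:", client_ip(VIA_CLOUDFRONT), "proxies:", proxy_hops(VIA_CLOUDFRONT))
```

Run against the two dumps it reports only Host as rewritten (to the distribution's own domain), while X-Forwarded-Proto and X-Forwarded-Port survive and the client address is still the first X-Forwarded-For hop, matching the ipAddress in the LOGIN_ERROR log line.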