Hello,
My setup:
Keycloak is running as a container in a GKE environment, accessible publicly through LB >> Nginx Ingress >> Nginx >> Reverse Proxy to localhost.
The Nginx configuration has various reverse proxy locations for /api, /, /auth, /auth/admin, /saml, etc., with password authentication enabled.
What I want to achieve:
I am trying to restrict the Keycloak admin context (https://myserver.domain.com/auth/admin/*) to specific IPs only, for example VPN and static IPs.
What I tried:
- I made changes to the Nginx config to add allow and deny rules, but it didn't help me. The result of the change was either not applied at all or blocked everything (404 error). The rule was written for many locations which have an xyz/admin location.
- Reverted all the Nginx config and made a change to the Ingress controller config by adding annotations like below, which didn't help.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    meta.helm.sh/release-name: keycloak-chart
    meta.helm.sh/release-namespace: ingress
    nginx.ingress.kubernetes.io/affinity: cookie
    nginx.ingress.kubernetes.io/configuration-snippet: |
      location ~* "^/auth/admin" {
        deny all;
        return 403;
      }
    nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "180"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "180"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "180"
    nginx.ingress.kubernetes.io/server-snippet: server_tokens off;
  name: keycloak-ingress
  namespace: ingress
spec:
  ingressClassName: nginx
  rules:
  - host: auth.example.com
    http:
      paths:
      - backend:
          service:
            name: keycloak-service
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - auth.example.com
    secretName: app-net-tls
By going through various Google searches, I added one more Ingress Controller (say “keycloak-ingress-blocked”) with the config below:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/affinity: cookie
    nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "180"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "180"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "180"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/server-snippet: server_tokens off;
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/whitelist-source-range: 1.2.3.4/32
    nginx.ingress.kubernetes.io/configuration-snippet: |
      location ~* "^/auth/admin" {
        deny all;
        return 403;
      }
  name: keycloak-ingress-block
  namespace: ingress
spec:
  ingressClassName: nginx
  rules:
  - host: auth.example.com
    http:
      paths:
      - backend:
          service:
            name: keycloak-service
            port:
              number: 80
        path: /auth/admin/(.*)
        pathType: Prefix
  tls:
  - hosts:
    - auth.example.com
    secretName: app-net-tls
which is close to what I am expecting, but the admin page throws a 404 or a blank page when accessed from a whitelisted IP. For other IPs it shows 403, which is expected.
I am not sure what else needs to be done to make it work. Please suggest.
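One way to get the allow-list effect the post is after, as an added example (not the poster's config and not Keycloak's or ingress-nginx's own): the unrestricted Ingress for / is kept, and a second Ingress for the same host carries only the longer /auth/admin path with the whitelist-source-range annotation, so ingress-nginx merges both into one server block and nginx's longest-prefix match gates only the admin console. The annotation names are real ingress-nginx annotations; the host, object names, TLS secret and IP ranges are placeholders.

```yaml
# Added example, not from the original post. Two Ingress objects for one host:
# the first serves everything, the second matches the longer /auth/admin prefix
# and carries the allow-list. Host, names, secret and IP ranges are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  namespace: ingress
spec:
  ingressClassName: nginx
  tls:
  - hosts: [auth.example.com]
    secretName: app-net-tls
  rules:
  - host: auth.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend: {service: {name: keycloak-service, port: {number: 80}}}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress-admin
  namespace: ingress
  annotations:
    # Placeholder ranges: a VPN egress block plus one static office address.
    # Everything outside them gets 403 from nginx before reaching Keycloak.
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24,198.51.100.7/32"
    # No rewrite-target: /auth/admin/(.*) with /$1 would hand Keycloak /console
    # instead of /auth/admin/console, which is a 404 from its point of view.
    # No configuration-snippet deny block: the allow-list already answers 403.
spec:
  ingressClassName: nginx
  tls:
  - hosts: [auth.example.com]
    secretName: app-net-tls
  rules:
  - host: auth.example.com
    http:
      paths:
      - path: /auth/admin
        pathType: Prefix
        backend: {service: {name: keycloak-service, port: {number: 80}}}
```

The allow-list compares against the client address nginx sees, so behind the GKE load balancer the ingress-nginx Service needs externalTrafficPolicy: Local (or proxy protocol enabled) to keep the real source IP; otherwise every request appears to come from the load balancer and is either all allowed or all denied.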