Same server setup
WildFly
Keycloak
added nginx setup (maybe wrong) + certbot.
Is this a firewall problem?
To                  Action      From
80/tcp              ALLOW       Anywhere        # accept HTTP Nginx
443/tcp             ALLOW       Anywhere        # accept HTTPS/TLS Nginx connections
22/tcp              ALLOW       Anywhere
Nginx Full          ALLOW       Anywhere
80/tcp (v6)         ALLOW       Anywhere (v6)   # accept HTTP Nginx
443/tcp (v6)        ALLOW       Anywhere (v6)   # accept HTTPS/TLS Nginx connections
22/tcp (v6)         ALLOW       Anywhere (v6)
Nginx Full (v6)     ALLOW       Anywhere (v6)
(Not sure what Nginx Full is… I was adding stuff out of separation)
tonyh@darkmatter:/etc/nginx/sites-available$ sudo lsof -i -P -n | grep LISTEN
systemd-r 693 systemd-resolve 13u IPv4 20846 0t0 TCP 127.0.0.53:53 (LISTEN)
sshd 757 root 3u IPv4 23268 0t0 TCP *:22 (LISTEN)
sshd 757 root 4u IPv6 23279 0t0 TCP *:22 (LISTEN)
nginx 763 root 6u IPv4 23294 0t0 TCP *:80 (LISTEN)
nginx 763 root 7u IPv6 23295 0t0 TCP *:80 (LISTEN)
nginx 763 root 8u IPv6 23296 0t0 TCP *:443 (LISTEN)
nginx 763 root 9u IPv4 23297 0t0 TCP *:443 (LISTEN)
nginx 767 www-data 6u IPv4 23294 0t0 TCP *:80 (LISTEN)
nginx 767 www-data 7u IPv6 23295 0t0 TCP *:80 (LISTEN)
nginx 767 www-data 8u IPv6 23296 0t0 TCP *:443 (LISTEN)
nginx 767 www-data 9u IPv4 23297 0t0 TCP *:443 (LISTEN)
postgres 906 postgres 3u IPv4 24034 0t0 TCP 127.0.0.1:5432 (LISTEN)
java 1030 apps 497u IPv4 25533 0t0 TCP *:8080 (LISTEN)
java 1030 apps 501u IPv4 25544 0t0 TCP 127.0.0.1:9990 (LISTEN)
java 1030 apps 504u IPv4 25545 0t0 TCP *:8443 (LISTEN)
java 1031 apps 375u IPv4 25521 0t0 TCP 127.0.0.1:10090 (LISTEN)
java 1031 apps 408u IPv4 25518 0t0 TCP *:8180 (LISTEN)
java 1031 apps 421u IPv4 25522 0t0 TCP *:8543 (LISTEN)
sshd 1614 tonyh 10u IPv6 28364 0t0 TCP [::1]:6010 (LISTEN)
sshd 1614 tonyh 11u IPv4 28365 0t0 TCP 127.0.0.1:6010 (LISTEN)
Times out
- Request URL:
tonyh@darkmatter:/etc/nginx/sites-enabled$ more risingstars.co.nz
server {
    #root /var/www/risingstars.co.nz/html;
    index index.html index.htm index.nginx-debian.html;
    server_name risingstars.co.nz www.risingstars.co.nz;

    location / {
        try_files $uri $uri/ =404;
    }

    location /atlas/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8080/atlas/;
        client_max_body_size 10M;
    }

    location /auth/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8180/auth/;
        client_max_body_size 10M;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/risingstars.co.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/risingstars.co.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.risingstars.co.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = risingstars.co.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name risingstars.co.nz www.risingstars.co.nz;
    return 404; # managed by Certbot
}
Wildfly standalone.xml Config Section
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="atlas.war">
        <realm>Atlas</realm>
        <auth-server-url>http://risingstars.co.nz:8180/auth/</auth-server-url>
        <public-client>true</public-client>
        <ssl-required>EXTERNAL</ssl-required>
        <resource>atlas</resource>
        <verify-token-audience>true</verify-token-audience>
        <use-resource-role-mappings>true</use-resource-role-mappings>
    </secure-deployment>
</subsystem>
Web.xml setting
atlas /pages/order.jsf /pages/users.jsf manager

<security-constraint>
    <web-resource-collection>
        <web-resource-name>atlas</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
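Two facts are visible in the post: the ufw rules admit only TCP 22, 80 and 443 ("Nginx Full" is the ufw application profile shipped with the nginx package and expands to 80 and 443), while the adapter's auth-server-url sends browsers to risingstars.co.nz:8180 over plain http, a port and scheme that nginx is not fronting. The script below is an added example, not part of the post or of any Keycloak or WildFly tooling: it parses a ufw listing and the keycloak subsystem XML (both copied from the post as constructed inputs), expands the application profiles it knows, and reports every auth-server-url whose port is not firewall-reachable or whose scheme differs from the https site the proxy serves. The profile table and the finding wording are mine.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed input: the ufw status listing from the post, header line included.
UFW_STATUS = """\
To Action From
80/tcp ALLOW Anywhere # accept HTTP Nginx
443/tcp ALLOW Anywhere # accept HTTPS/TLS Nginx connections
22/tcp ALLOW Anywhere
Nginx Full ALLOW Anywhere
80/tcp (v6) ALLOW Anywhere (v6) # accept HTTP Nginx
443/tcp (v6) ALLOW Anywhere (v6) # accept HTTPS/TLS Nginx connections
22/tcp (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
"""

# Constructed input: the keycloak subsystem from the post's standalone.xml.
STANDALONE_XML = """\
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="atlas.war">
    <realm>Atlas</realm>
    <auth-server-url>http://risingstars.co.nz:8180/auth/</auth-server-url>
    <public-client>true</public-client>
    <ssl-required>EXTERNAL</ssl-required>
    <resource>atlas</resource>
  </secure-deployment>
</subsystem>
"""

KC_NS = "{urn:jboss:domain:keycloak:1.1}"

# ufw application profiles from the nginx package; "Nginx Full" = 80 and 443.
APP_PROFILES = {"Nginx Full": {80, 443}, "Nginx HTTP": {80}, "Nginx HTTPS": {443}}


def allowed_tcp_ports(ufw_status: str) -> set[int]:
    """Return the TCP ports that any ALLOW rule (v4 or v6) opens."""
    ports: set[int] = set()
    for line in ufw_status.splitlines()[1:]:          # skip the header row
        rule = line.split("#", 1)[0].strip()          # drop the trailing comment
        if "ALLOW" not in rule:
            continue
        target = rule.split("ALLOW", 1)[0].replace("(v6)", "").strip()
        m = re.fullmatch(r"(\d+)/tcp", target)
        if m:
            ports.add(int(m.group(1)))
        elif target in APP_PROFILES:
            ports |= APP_PROFILES[target]
    return ports


def auth_server_urls(standalone_xml: str) -> dict[str, str]:
    """Map each secure-deployment name to its auth-server-url."""
    root = ET.fromstring(standalone_xml)
    urls = {}
    for dep in root.iter(KC_NS + "secure-deployment"):
        url = dep.findtext(KC_NS + "auth-server-url")
        if url:
            urls[dep.get("name")] = url
    return urls


def check_adapter(url: str, allowed: set[int]) -> list[str]:
    """Findings for one auth-server-url against the open ports and the https-only site."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    findings = []
    if port not in allowed:
        findings.append(f"port {port} is not allowed by the firewall; "
                        f"browsers redirected to {url} will time out")
    if parts.scheme != "https":
        findings.append("auth-server-url is plain http while the site is served over https")
    return findings


def report(ufw_status: str = UFW_STATUS, standalone_xml: str = STANDALONE_XML) -> dict[str, list[str]]:
    """Findings per deployment; an empty list means the URL is reachable as configured."""
    allowed = allowed_tcp_ports(ufw_status)
    return {name: check_adapter(url, allowed) for name, url in auth_server_urls(standalone_xml).items()}


if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "->", "; ".join(findings) or "ok")
```

Running it against the post's own values prints two findings for atlas.war (port 8180 closed, http scheme); pointing the adapter at the proxied https://risingstars.co.nz/auth/ path, which nginx already forwards to 127.0.0.1:8180, yields none.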