Setup (simple) Problem

Same server setup:
WildFly
Keycloak
added nginx setup (maybe wrong) + certbot.

Is this a firewall problem?

To                         Action      From
80/tcp                     ALLOW       Anywhere                   # accept HTTP Nginx
443/tcp                    ALLOW       Anywhere                   # accept HTTPS/TLS Nginx connections
22/tcp                     ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)              # accept HTTP Nginx
443/tcp (v6)               ALLOW       Anywhere (v6)              # accept HTTPS/TLS Nginx connections
22/tcp (v6)                ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

(Not sure what Nginx Full is… I was adding stuff out of desperation.)

tonyh@darkmatter:/etc/nginx/sites-available$ sudo lsof -i -P -n | grep LISTEN
systemd-r 693 systemd-resolve 13u IPv4 20846 0t0 TCP 127.0.0.53:53 (LISTEN)
sshd 757 root 3u IPv4 23268 0t0 TCP *:22 (LISTEN)
sshd 757 root 4u IPv6 23279 0t0 TCP *:22 (LISTEN)
nginx 763 root 6u IPv4 23294 0t0 TCP *:80 (LISTEN)
nginx 763 root 7u IPv6 23295 0t0 TCP *:80 (LISTEN)
nginx 763 root 8u IPv6 23296 0t0 TCP *:443 (LISTEN)
nginx 763 root 9u IPv4 23297 0t0 TCP *:443 (LISTEN)
nginx 767 www-data 6u IPv4 23294 0t0 TCP *:80 (LISTEN)
nginx 767 www-data 7u IPv6 23295 0t0 TCP *:80 (LISTEN)
nginx 767 www-data 8u IPv6 23296 0t0 TCP *:443 (LISTEN)
nginx 767 www-data 9u IPv4 23297 0t0 TCP *:443 (LISTEN)
postgres 906 postgres 3u IPv4 24034 0t0 TCP 127.0.0.1:5432 (LISTEN)
java 1030 apps 497u IPv4 25533 0t0 TCP *:8080 (LISTEN)
java 1030 apps 501u IPv4 25544 0t0 TCP 127.0.0.1:9990 (LISTEN)
java 1030 apps 504u IPv4 25545 0t0 TCP *:8443 (LISTEN)
java 1031 apps 375u IPv4 25521 0t0 TCP 127.0.0.1:10090 (LISTEN)
java 1031 apps 408u IPv4 25518 0t0 TCP *:8180 (LISTEN)
java 1031 apps 421u IPv4 25522 0t0 TCP *:8543 (LISTEN)
sshd 1614 tonyh 10u IPv6 28364 0t0 TCP [::1]:6010 (LISTEN)
sshd 1614 tonyh 11u IPv4 28365 0t0 TCP 127.0.0.1:6010 (LISTEN)

Times out:

Request URL:
https://risingstars.co.nz:8180/auth/realms/Atlas/protocol/openid-connect/auth?response_type=code&client_id=atlas&redirect_uri=http%3A%2F%2Fwww.risingstars.co.nz%2Fatlas%2F&state=a4574e4a-fcf2-45aa-894f-0ca3e69223ba&login=true&scope=openid

tonyh@darkmatter:/etc/nginx/sites-enabled$ more risingstars.co.nz

server {

    #root /var/www/risingstars.co.nz/html;
    index index.html index.htm index.nginx-debian.html;

    server_name risingstars.co.nz www.risingstars.co.nz;

    location / {
        try_files $uri $uri/ =404;
    }

    location /atlas/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8080/atlas/;
        client_max_body_size 10M;
    }

    location /auth/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8180/auth/;
        client_max_body_size 10M;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/risingstars.co.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/risingstars.co.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.risingstars.co.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = risingstars.co.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name risingstars.co.nz www.risingstars.co.nz;
    return 404; # managed by Certbot
}

WildFly standalone.xml config section

<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="atlas.war">
        <realm>Atlas</realm>
        <auth-server-url>http://risingstars.co.nz:8180/auth/</auth-server-url>
        <public-client>true</public-client>
        <ssl-required>EXTERNAL</ssl-required>
        <resource>atlas</resource>
        <verify-token-audience>true</verify-token-audience>
        <use-resource-role-mappings>true</use-resource-role-mappings>
    </secure-deployment>
</subsystem>

web.xml setting

<security-constraint>
    <web-resource-collection>
        <web-resource-name>atlas</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
atlas /pages/order.jsf /pages/users.jsf manager
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

By hacking the timeout URL to
https://risingstars.co.nz/auth/realms/Atlas/protocol/openid-connect/auth?response_type=code&client_id=atlas&redirect_uri=http%3A%2F%2Frisingstars.co.nz%2Fatlas%2F&state=5d0c20b2-d7f0-433e-a4ad-d4a37f003d74&login=true&scope=openid

I get (from Keycloak):
2020-11-14 11:29:59,131 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=Atlas, clientId=atlas, userId=null, ipAddress=127.0.0.1, error=invalid_redirect_uri, redirect_uri=http://risingstars.co.nz/atlas/

From nginx:

2020/11/14 11:22:53 [error] 766#766: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 163.47.230.182, server: risingstars.co.nz, request: "GET /atlas/ HTTP/1.1", upstream: "http://127.0.0.1:8080/atlas/", host: "risingstars.co.nz"
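As an added example (not part of the original post, and not code from Keycloak, WildFly or nginx), the script below cross-checks the two pieces of evidence the question already contains: the `ufw status` rules and the `lsof` listener list. For each URL a browser is sent to (the adapter's auth-server-url on :8180, the hand-edited /auth/ URL through nginx on :443, and a loopback-only management port for contrast) it says whether an internet client can reach it and, if not, why. The `APP_PROFILES` table encodes the ufw application profile the nginx package ships ("Nginx Full" is 80,443/tcp). The `redirect_uri_allowed` function is a simplified model of Keycloak's Valid Redirect URIs matching (trailing `*` = prefix match, otherwise exact), and the registered pattern it is fed is a hypothetical one, since the question does not show the client's registration. The ufw and lsof text in the script is constructed from (and abbreviated relative to) the output shown above.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Constructed inputs: abbreviated copies of the `ufw status` and
# `lsof -i -P -n | grep LISTEN` output shown in the question.
UFW_STATUS = """\
To                         Action      From
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
"""

LSOF_LISTEN = """\
nginx 763 root 6u IPv4 23294 0t0 TCP *:80 (LISTEN)
nginx 763 root 9u IPv4 23297 0t0 TCP *:443 (LISTEN)
postgres 906 postgres 3u IPv4 24034 0t0 TCP 127.0.0.1:5432 (LISTEN)
java 1030 apps 497u IPv4 25533 0t0 TCP *:8080 (LISTEN)
java 1030 apps 501u IPv4 25544 0t0 TCP 127.0.0.1:9990 (LISTEN)
java 1031 apps 408u IPv4 25518 0t0 TCP *:8180 (LISTEN)
java 1031 apps 421u IPv4 25522 0t0 TCP *:8543 (LISTEN)
sshd 1614 tonyh 10u IPv6 28364 0t0 TCP [::1]:6010 (LISTEN)
"""

# ufw application profiles from /etc/ufw/applications.d/nginx (shipped by the
# nginx package): "Nginx Full" is simply 80,443/tcp.
APP_PROFILES = {"Nginx HTTP": {80}, "Nginx HTTPS": {443}, "Nginx Full": {80, 443}}

UFW_RE = re.compile(r"^(?P<to>.+?)(?: \(v6\))?\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)\s")
LSOF_RE = re.compile(r"^(?P<proc>\S+)\s.*\sTCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)")

Listener = namedtuple("Listener", "proc addr port")


def allowed_tcp_ports(ufw_text):
    """Return the set of TCP ports ufw ALLOWs inbound (v4 and v6 merged)."""
    ports = set()
    for line in ufw_text.splitlines():
        m = UFW_RE.match(line)
        if not m or m.group("action") != "ALLOW":
            continue
        to = m.group("to").strip()
        pm = re.fullmatch(r"(\d+)(?:/tcp)?", to)   # "80" or "80/tcp"
        if pm:
            ports.add(int(pm.group(1)))
        elif to in APP_PROFILES:                    # "Nginx Full" etc.
            ports |= APP_PROFILES[to]
    return ports


def parse_listeners(lsof_text):
    """Parse lsof LISTEN lines into (process, bind address, port) tuples."""
    found = []
    for line in lsof_text.splitlines():
        m = LSOF_RE.match(line)
        if m:
            found.append(Listener(m.group("proc"), m.group("addr"), int(m.group("port"))))
    return found


def is_loopback(host):
    return host.startswith("127.") or host in ("[::1]", "::1", "localhost")


def classify_url(url, allowed_ports, listeners):
    """Explain whether a browser on the internet can reach `url` on this host.

    Returns 'loopback only', 'no listener', 'blocked by firewall' or 'reachable'.
    """
    parts = urlsplit(url)
    if is_loopback(parts.hostname or ""):
        return "loopback only"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    bound = [l for l in listeners if l.port == port]
    if not bound:
        return "no listener"
    if all(is_loopback(l.addr) for l in bound):
        return "loopback only"
    if port not in allowed_ports:
        return "blocked by firewall"     # the adapter's :8180 URL ends up here
    return "reachable"


def redirect_uri_allowed(redirect_uri, valid_redirect_uris):
    """Simplified model (an assumption, not Keycloak's code) of the Valid
    Redirect URIs check: a pattern ending in '*' matches any URI with that
    prefix, anything else must match exactly, scheme and host included."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def audit():
    """Run the checks against the URLs that appear in the question."""
    allowed = allowed_tcp_ports(UFW_STATUS)
    listeners = parse_listeners(LSOF_LISTEN)
    urls = {
        "adapter auth-server-url": "http://risingstars.co.nz:8180/auth/",  # from standalone.xml
        "via nginx /auth/": "https://risingstars.co.nz/auth/",             # the hand-edited URL
        "management": "http://127.0.0.1:9990/",                            # loopback, for contrast
    }
    report = {name: classify_url(u, allowed, listeners) for name, u in urls.items()}
    # Hypothetical client registration: only the https origin is registered,
    # so the http:// redirect_uri from the question would be rejected.
    report["redirect http://risingstars.co.nz/atlas/"] = redirect_uri_allowed(
        "http://risingstars.co.nz/atlas/", ["https://risingstars.co.nz/atlas/*"])
    return report


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

The point of the firewall check is that "listening on *:8180" and "reachable from a browser" are different questions: ufw only admits 22, 80 and 443, so anything the adapter tells the browser to fetch on :8180 hangs until it times out, while the same path through nginx on :443 gets through. The redirect check is separate: once the request reaches Keycloak, the redirect_uri is compared, scheme included, against the client's registered patterns, which is the kind of mismatch that produces `error=invalid_redirect_uri`.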