
Reverse proxy from NGINX to Keycloak with 2FA

Hello all,

I have a problem with NGINX. I am also providing a configuration file and a picture of the architecture schema.

I want to access Keycloak via nginx and log in to it. I use it as Identity Management, where I have a login with a username and password plus a certificate that I check, i.e. 2FA. My problem is that when I access it in the browser through NGINX, I do not get a popup to submit my user certificate, but go straight to the second step and enter a username and password; after that, Keycloak tells me I'm missing a certificate.

Something I've tried that works is adding proxy_ssl_certificate and proxy_ssl_certificate_key to the configuration file; this passes the certificate on, but only for one user. For example, if proxy_ssl_certificate and proxy_ssl_certificate_key are the certificate and key of the user joncheski, logging in to Keycloak as joncheski succeeds. But if I want to log in as another user, it does not pass, because the certificate and the username do not match.
I need your help. How can I set this up so that it works for more users?

nginx.conf:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        server_name nginx.poc.com;

        # upstream (nginx -> Keycloak) TLS settings
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;

        # client (browser -> nginx) TLS settings
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_certificate /etc/nginx/certs/server/SERVER.crt;
        ssl_certificate_key /etc/nginx/certs/server/SERVER.key;
        ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;

        #KEYCLOAK
        location '/auth' {
            proxy_pass https://keycloak.poc.com:8443/auth;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_http_version 1.1;
        }
    }
}

Best regards,
Goce Joncheski
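The behaviour described in the post follows from where TLS is terminated. The browser's TLS session ends at nginx, so Keycloak never sees the user's certificate; proxy_ssl_certificate only makes nginx present one fixed certificate on its own connection to Keycloak, which is why exactly one user can log in. The usual fix is to have nginx request and verify the client certificate itself and forward it to Keycloak in a request header that Keycloak's X.509 lookup provider for nginx is configured to read. The server block below is an added example, not the poster's configuration; it reuses the host names and certificate paths from the post and assumes that the user certificates chain to the same ROOT-CA.crt that signs the Keycloak server certificate. The header name ssl-client-cert is a choice that must match the Keycloak side.

```nginx
# Added example (not the original poster's config): nginx terminates the
# browser's TLS session, so the user certificate can only reach Keycloak if
# nginx asks the browser for it and forwards it as a header.
# Assumed: user certificates are issued under /etc/nginx/certs/ca/ROOT-CA.crt.

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name nginx.poc.com;

    ssl_certificate     /etc/nginx/certs/server/SERVER.crt;
    ssl_certificate_key /etc/nginx/certs/server/SERVER.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # 1. Ask the browser for a certificate issued by the user CA.
    #    "optional" makes the browser show its certificate picker but still
    #    lets a request without a certificate through, so Keycloak (not
    #    nginx) reports the missing second factor. A certificate that does
    #    not chain to the CA is rejected by nginx before reaching Keycloak.
    ssl_client_certificate /etc/nginx/certs/ca/ROOT-CA.crt;
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    # 2. Verify Keycloak's server certificate on the proxy leg. Do NOT set
    #    proxy_ssl_certificate here: that presents one fixed certificate
    #    (one user) on every upstream connection.
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    proxy_ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;
    proxy_ssl_server_name         on;

    location /auth {
        proxy_pass https://keycloak.poc.com:8443/auth;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;

        # 3. Hand the verified client certificate to Keycloak. The value is
        #    the PEM certificate URL-encoded onto one line and is empty when
        #    the browser sent none. Because proxy_set_header overwrites any
        #    header the client sent, a client cannot inject its own value
        #    through the proxy; Keycloak must not be reachable except via
        #    nginx, or the header could be set directly.
        proxy_set_header ssl-client-cert   $ssl_client_escaped_cert;
        proxy_set_header ssl-client-verify $ssl_client_verify;
    }
}
```

On the Keycloak side the X.509 certificate lookup SPI has to be switched from the default (which reads the certificate from Keycloak's own TLS connection) to the nginx provider with the header name above, and the browser flow needs the X509/Validate Username authenticator enabled. For the WildFly-based distribution that serves under /auth, as in the post, this is the `x509cert-lookup` SPI in standalone.xml with `default-provider` set to `nginx` and the provider property `sslClientCert` set to `ssl-client-cert`; the Quarkus-based distribution takes the equivalent startup options `--spi-x509cert-lookup-provider=nginx` and `--spi-x509cert-lookup-nginx-ssl-client-cert=ssl-client-cert`. Check the option names against the documentation for the Keycloak version actually deployed. The Upgrade/Connection headers from the original configuration are dropped because Keycloak does not use WebSockets and a hard-coded `Connection: upgrade` on ordinary requests is a known source of proxy errors; the legacy TLSv1/TLSv1.1 upstream protocols and the 3DES suites are also left out as a hardening change.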
