
I have Apache httpd configured as a reverse proxy with SSL. I'm trying to configure keycloak and guacamole using http behind the proxy. I'm using the keycloak, mysql, guacd and guacamole containers. I have the entire flow working until keycloak attempts to redirect back to the guacamole page. FYI...my configuration is very similar to the following question, but with a different access error shown below: How to configure Keycloak to work with Guacamole's OpenID plugin?

So, the user hits the webserver via https://example.com/guacamole/. Httpd redirects to http://guacamole:8080/guacamole. Guacamole redirects to keycloak for authentication. I log in as a valid user and the redirect to guacamole fails.

My guacamole is configured as:

openid-jwks-endpoint: https://example.com/auth/realms/Guacamole-test/protocol/openid-connect/certs
openid-issuer: https://example.com/auth/realms/Guacamole-test
openid-client-id: Guacamole
openid-redirect-uri: https://example.com/guacamole/

My httpd configuration:

<VirtualHost *:443>
   # the posted snippet omitted the opening tag; port 443 is assumed from SSLEngine On
   ServerName example.com

   SSLEngine On
   SSLCertificateFile      /opt/test.crt
   SSLCertificateKeyFile   /opt/test.key

   # ProxyPass rules are tried in configuration order and the first match wins,
   # so the more specific websocket-tunnel rule has to come before /guacamole/
   ProxyPass /guacamole/websocket-tunnel ws://guacamole:8080/guacamole/websocket-tunnel
   ProxyPassReverse /guacamole/websocket-tunnel ws://guacamole:8080/guacamole/websocket-tunnel

   ProxyPass /guacamole/ http://guacamole:8080/guacamole/ flushpackets=on
   ProxyPassReverse /guacamole/ http://guacamole:8080/guacamole/

   ProxyPass /auth/ http://keycloak:8080/auth/
   ProxyPassReverse /auth/ http://keycloak:8080/auth/
</VirtualHost>

I'm getting the following error in guacamole:

INFO  o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "bSv9K9W2us7SaUamJP3bWD1HWJuo6hbne2t3Gsc6V44"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while obtaining or using keys from JWKS endpoint at https://example.com/auth/realms/ocprealm/protocol/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "bSv9K9W2us7SaUamJP3bWD1HWJuo6hbne2t3Gsc6V44"}->eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiU3Y5SzlXMnVzN1NhVWFtSlAzYldEMUhXSnVvNmhibmUydDNHc2M2VjQ0In0.….Fm2Vfep4N611KwSJc6MvhH80C3wca_T2If1YSVhzZdeC2eVh-v0_OCnEshcl_huta4a2VqolraqmqMDaxalAdnHO4jes71a2ndDfwoCnp1B06EBPL8kNnQeIHNM3fYps2GuhBqWLmfDDSIvXPlcnctrPKop8PQDglHSsiJOGgWgzfrQbG1zFlw0jupJVaYGY6P8q3Lji5ryIcStNATcuf1dCvF_v1oqoacYsRNFljyg7Xf0ZQIuA53xY3czKkiVVqZt55LArjAv1cPmrekkf77NlGpFzPbyw29_yItAy1rPqxfYphYDCm55qM97agjIE7WsKKC5lHwZ6gCWoMIcrMw

I don't understand why it is attempting to use SSL validation on the final redirect. I believe after keycloak validates the login and attempts to redirect back to https://example.com/guacamole/ the httpd configuration should proxy this to http://guacamole:8080/guacamole. I've also tried configuring keycloak with the tls.key and tls.crt according to the keycloak documentation to see if it made any difference but it does not. Any help would be greatly appreciated as I am obviously missing or not understanding something in the configuration.

gshepherd7
  • It looks like your `tls.crt` (or `/opt/test.crt`) is incorrect. How did you generate it? (blind guess Let's Encrypt?). Could you provide the real URL, instead of the generic `https://example.com/`, for cert path verification, please? – Jan Garaj Dec 18 '20 at 15:31
  • Guacamole by default will only log messages at the "info" level or higher. You may configure guacamole to log "debug" messages to look for more info. This requires a `logback.xml` file placed in `GUACAMOLE_HOME`. You may find the details here: https://guacamole.apache.org/doc/1.2.0/gug/configuring-guacamole.html#webapp-logging – Song Lim Dec 22 '20 at 01:42
  • Is it that you have forgotten to provide a value for `openid-authorization-endpoint` in your guacamole configuration file? It seems to be required in the `openid` extension. Reference: https://guacamole.apache.org/doc/gug/openid-auth.html – Song Lim Dec 22 '20 at 01:57

1 Answer


You are using OIDC, so when Guacamole receives the JWT key it is trying to validate the signature of the token. To do that, it has to contact Keycloak (via https) to retrieve the public key used to sign the token. This is failing with a SSL handshake error. Probably the JVM for Guacamole does not trust the SSL cert so you need to import it to the JVM keystore.

I do not think it is related to your problem, but when running Keycloak like this behind a proxy there are some attributes you need to set. I run Keycloak in Docker and you do it with environment variables. These two are fairly critical to set:

KEYCLOAK_FRONTEND_URL="https://hostname/auth/"
PROXY_ADDRESS_FORWARDING="true"

If you are not using the Docker version you can pretty easily translate how these values are communicated to Keycloak when it starts here: https://github.com/keycloak/keycloak-containers/blob/11.0.3/server/tools/docker-entrypoint.sh

Mark Phippard
  • Thanks. I'll take a look at importing the key in the guacamole container. Was out on Xmas break for a while. I set the frontend url in the realm settings once the container was running and I do have the proxy forwarding set to true. – gshepherd7 Dec 28 '20 at 12:53
  • I'm using a valid CA signed cert now and I tried loading the cert and key into keycloak, which I had to do manually in the container as the key requires a passphrase to decrypt and I didn't see anywhere in the documentation on how to provide that so keycloak was unable to load them at container startup. After that I created a java-keystore for my realm in the keys section of the keycloak UI. Once authentication happens the redirect back to guacamole fails but now with the error Unable to find a suitable verification key....No subject alternative DNS name matching proxy.xxxxx.net. Any ideas? – gshepherd7 Dec 30 '20 at 19:54
  • Thanks....As you said I needed to load the cert into the guacamole container. Also, realized we were using a wildcard entry for our CERT SAN so needed to update the cert SAN to be the full domain name and things started working. – gshepherd7 Jan 06 '21 at 15:48
  • Glad you got it working. Thanks for following up. – Mark Phippard Jan 06 '21 at 17:59
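The two failures in this thread (first the PKIX "unable to find valid certification path", then "No subject alternative DNS name matching ...") both happen on the back-channel fetch of the JWKS document, which the Guacamole JVM verifies like any other TLS client: the chain must end in a CA present in its trust store, and the certificate's SAN must cover the exact host named in `openid-jwks-endpoint`. The following is an added example, not code from the question, the answer or the Guacamole project: it spins up a local TLS server presenting a freshly minted certificate and fetches a constructed JWKS body from it under the three conditions discussed above. The CA, the hostnames (`proxy.example.net`, `*.example.net`) and the JWKS content are all constructed for the demo; the `cryptography` package is required, and Python's OpenSSL-backed verifier stands in for the JVM's PKIX verifier (both apply the same single-label wildcard rule from RFC 6125).

```python
"""Added example: reproduce the JWKS fetch a TLS-verifying client makes,
first against an untrusted CA, then with the CA trusted, then with a wildcard
SAN. Everything here (CA, hostnames, JWKS body) is constructed for the demo."""
import datetime
import json
import socket
import ssl
import tempfile
import threading

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed stand-in for the body of .../protocol/openid-connect/certs
FAKE_JWKS = json.dumps({"keys": [{"kty": "RSA", "kid": "demo-kid", "alg": "RS256",
                                  "use": "sig", "n": "AQAB", "e": "AQAB"}]}).encode()
NOW = datetime.datetime.now(datetime.timezone.utc) - datetime.timedelta(minutes=5)


def _builder(subject, issuer, pubkey):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=1)))


def make_ca():
    """Private CA playing the issuer of the proxy's certificate. Returns (key, cert, pem)."""
    key = rsa.generate_private_key(65537, 2048, backend=default_backend())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Root CA")])
    cert = (_builder(name, name, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256(), default_backend()))
    return key, cert, cert.public_bytes(serialization.Encoding.PEM)


def make_server_cert(ca_key, ca_cert, san_names):
    """Leaf certificate for the reverse proxy carrying the given SAN dNSNames."""
    key = rsa.generate_private_key(65537, 2048, backend=default_backend())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, san_names[0])])
    cert = (_builder(subject, ca_cert.subject, key.public_key())
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(n) for n in san_names]),
                           critical=False)
            .sign(ca_key, hashes.SHA256(), default_backend()))
    return key, cert


def fetch_jwks(server_key, server_cert, trusted_ca_pem, server_hostname):
    """Serve FAKE_JWKS over TLS on localhost and fetch it once as a client that
    verifies chain and hostname, as the JVM does for openid-jwks-endpoint.
    Returns the parsed JWKS on success, otherwise the SSL failure reason."""
    with tempfile.NamedTemporaryFile(suffix=".pem") as f:
        f.write(server_cert.public_bytes(serialization.Encoding.PEM))
        f.write(server_key.private_bytes(serialization.Encoding.PEM,
                                         serialization.PrivateFormat.PKCS8,
                                         serialization.NoEncryption()))
        f.flush()
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(f.name)

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1024)
                tls.sendall(FAKE_JWKS)
        except OSError:
            pass  # client rejected our certificate and aborted the handshake
        finally:
            conn.close()
            listener.close()

    threading.Thread(target=serve, daemon=True).start()

    # Like a stock JVM: trust only the default bundle unless a CA is added.
    cli_ctx = ssl.create_default_context()
    if trusted_ca_pem is not None:
        cli_ctx.load_verify_locations(cadata=trusted_ca_pem.decode())
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                cli_ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(b"GET /protocol/openid-connect/certs HTTP/1.0\r\n\r\n")
            return json.loads(tls.recv(4096))
    except ssl.SSLCertVerificationError as exc:
        return exc.reason  # "CERTIFICATE_VERIFY_FAILED" for chain and hostname failures alike


def demo():
    """The scenarios from the thread; returns each outcome keyed by name."""
    ca_key, ca_cert, ca_pem = make_ca()
    exact = make_server_cert(ca_key, ca_cert, ["proxy.example.net"])
    wild = make_server_cert(ca_key, ca_cert, ["*.example.net"])
    return {
        # valid chain, but the client's trust store lacks the CA: the PKIX failure from the log
        "untrusted_ca": fetch_jwks(*exact, None, "proxy.example.net"),
        # CA added to the trust store (keytool -importcert on the JVM): fetch succeeds
        "trusted_ca": fetch_jwks(*exact, ca_pem, "proxy.example.net"),
        # a wildcard SAN matches exactly one label, never the apex or deeper names
        "wildcard_one_label": fetch_jwks(*wild, ca_pem, "proxy.example.net"),
        "wildcard_apex": fetch_jwks(*wild, ca_pem, "example.net"),
        "wildcard_two_labels": fetch_jwks(*wild, ca_pem, "a.proxy.example.net"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome if isinstance(outcome, str) else "OK kid=" + outcome["keys"][0]["kid"])
```

On the real deployment the equivalent of `load_verify_locations` is importing the proxy's issuing CA (not the leaf) into the Guacamole container's JVM trust store, e.g. `keytool -importcert -trustcacerts -alias proxy-ca -file ca.pem -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit` (JDK 8 keeps cacerts under `$JAVA_HOME/jre/lib/security/`), and the equivalent of `server_hostname` is the host part of `openid-jwks-endpoint`, which `openssl x509 -noout -ext subjectAltName -in cert.pem` lets you check against the certificate before restarting anything.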