
I have a cloud load balancer/virtual server/firewall sitting in front of a collection of Quarkus pods that almost acts like a reverse proxy. Traffic comes in through that public entry point and is rerouted to the internal network.

We're using Azure B2C to log into the application and that's working great when you're directly accessing the pod or the internal load balancer.

The issue is that when using the external load balancer, the redirect uri is in the context of the internal network which is not accessible from the public side.

Is there a way to set the redirect uri to our outside server to an absolute uri instead of the relative one? The documentation is clear that it's relative but I didn't see any way to redirect it to a custom uri. Or is this a completely wrong approach when it comes to security? I get that I can try to reconfigure the external load balancer but would like a quick way to set the redirect uri. I know this is possible in other frameworks.

this works:

https://pod1:8080

this works too:

https://internal-load-balancer:8080

this doesn't work:

https://external-load-balancer:8080

(redirect uri is the internal-load-balancer)

Additional information if it helps. We're using the auth code flow and quarkus-oidc automatically sets the redirect url as a relative path. I'm not sure if there is a way to override the redirect uri to our external load balancer instead of internal.

https://quarkus.io/guides/security-openid-connect-web-authentication#quarkus-oidc_quarkus.oidc.authentication.redirect-path

Solved: I had to configure the x-forwarded/reverse proxy to read the original source:

https://quarkus.io/guides/security-openid-connect-web-authentication#external-and-internal-access-to-openid-connect-provider

  • Are you sure that the external-load-balancer is accessible with that dns name within the quarkus pods? can you check it with a ping – Javier Toja Sep 16 '21 at 06:31
  • yeah. we're doing an http header redirect to route the external traffic internally. the problem is that the internal application thinks the redirect uri is automatically the internal name (because that's where it's running) and I can't override the redirect uri. Internally, if i call the external url, i'll get redirected to the internal and that works but externally, that internal url isn't accessible. – kevin.conner Sep 16 '21 at 12:40
  • Are you running this inside a kubernetes cluster? – Javier Toja Sep 16 '21 at 12:54
  • yeah. the "internal network" is a kubernetes cluster. the external network is our ingress point. I reached out to the quarkus chat and they pointed me in the right direction. Here is the reverse proxy config: and the message that got me where I needed: – kevin.conner Sep 16 '21 at 13:55

2 Answers


I had to configure the x-forwarded/reverse proxy to read the original source. I added this to the application.properties:

quarkus.http.proxy.proxy-address-forwarding=true
quarkus.http.proxy.allow-forwarded=false
quarkus.http.proxy.enable-forwarded-host=true
quarkus.http.proxy.forwarded-host-header=X-ORIGINAL-HOST

This enables the application to look at the x-forwarded headers, not look at the forwarded header (default is false), enable the x-forwarded-host header, and override the x-forwarded-host property to use a custom header name.

My internal load balancer has a bug where it will overwrite the x-forwarded-host with the internal name regardless of whether the x-forwarded-host already exists. I also had to configure my external load balancer to add an additional custom header (x-original-host, but the name is arbitrary) so my internal load balancer wouldn't override it.

Once Quarkus was configured, the redirect uri used the new custom header to build the redirect uri that pointed to the external load balancer and everything worked as expected.

https://quarkus.io/guides/security-oidc-code-flow-authentication-concept#running-quarkus-application-behind-a-reverse-proxy

  • Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center (/help/how-to-ask). – Community Sep 16 '21 at 21:07
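The following Python model is an added illustration, not Quarkus code and not part of the question or the answer above. It replays the situation described on this page: a browser hits the external load balancer, the internal load balancer clobbers X-Forwarded-Host with its own name, and the pod then builds its OIDC redirect URI from whichever host header its proxy settings tell it to trust. The host names, the `ProxyConfig` fields (which loosely mirror the `quarkus.http.proxy.*` keys in the answer), the `/callback` path and the two proxy models are all constructed assumptions; the point is to show why the default settings produce the internal name, why enabling X-Forwarded-Host alone does not help when the inner proxy overwrites it, and why the edge proxy must overwrite the custom header rather than pass a client-supplied one through.

```python
"""Model of redirect-host resolution for an app behind two reverse proxies.

Added example for this page; it is not Quarkus code. Everything below
(host names, header names, config field names) is constructed for the demo.
"""
from dataclasses import dataclass

# Constructed host names that mirror the ones in the question.
PUBLIC_HOST = "external-load-balancer:8080"
INTERNAL_HOST = "internal-load-balancer:8080"
POD_HOST = "pod1:8080"


@dataclass(frozen=True)
class ProxyConfig:
    """Assumed analogue of the quarkus.http.proxy.* keys from the answer."""
    proxy_address_forwarding: bool = False        # honour X-Forwarded-* at all
    enable_forwarded_host: bool = False           # honour the forwarded host header
    forwarded_host_header: str = "X-Forwarded-Host"  # which header carries the host


def edge_proxy(client_headers: dict) -> dict:
    """Model of the external load balancer.

    It OVERWRITES every host-carrying header it is responsible for, so a
    client can never choose the host that ends up in the redirect URI.
    """
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in ("x-forwarded-host", "x-original-host")}
    out["X-Forwarded-Host"] = PUBLIC_HOST
    out["X-Original-Host"] = PUBLIC_HOST   # the custom header from the answer
    out["Host"] = INTERNAL_HOST            # request is re-targeted inward
    return out


def internal_proxy(headers: dict) -> dict:
    """Model of the internal load balancer with the behaviour the answer
    describes: it replaces X-Forwarded-Host with its own name even when the
    header is already present. The custom header is left untouched."""
    out = dict(headers)
    out["Host"] = INTERNAL_HOST
    out["X-Forwarded-Host"] = INTERNAL_HOST
    return out


def headers_at_pod(client_headers: dict) -> dict:
    """Headers as the Quarkus pod would see them after both proxies."""
    return internal_proxy(edge_proxy(client_headers))


def effective_host(headers: dict, local_host: str, cfg: ProxyConfig) -> str:
    """Host the application uses when it builds an absolute URI.

    Only when both proxy flags are on is the configured forwarded-host header
    consulted; otherwise the plain Host header (or the pod's own name) wins.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if cfg.proxy_address_forwarding and cfg.enable_forwarded_host:
        forwarded = lowered.get(cfg.forwarded_host_header.lower())
        if forwarded:
            return forwarded
    return lowered.get("host", local_host)


def redirect_uri(headers: dict, local_host: str, cfg: ProxyConfig,
                 path: str = "/", scheme: str = "https") -> str:
    """Absolute redirect URI the app would send to the identity provider."""
    return f"{scheme}://{effective_host(headers, local_host, cfg)}{path}"


DEFAULT_CONFIG = ProxyConfig()
XFH_CONFIG = ProxyConfig(proxy_address_forwarding=True, enable_forwarded_host=True)
# The combination from the accepted answer: custom header name, case-insensitive.
ANSWER_CONFIG = ProxyConfig(proxy_address_forwarding=True, enable_forwarded_host=True,
                            forwarded_host_header="X-ORIGINAL-HOST")


if __name__ == "__main__":
    browser = {"Host": PUBLIC_HOST}          # constructed client request
    at_pod = headers_at_pod(browser)
    for name, cfg in [("default", DEFAULT_CONFIG),
                      ("x-forwarded-host", XFH_CONFIG),
                      ("answer config", ANSWER_CONFIG)]:
        print(f"{name:17} -> {redirect_uri(at_pod, POD_HOST, cfg, '/callback')}")
    # A client-supplied X-Original-Host never survives the edge proxy.
    spoofed = headers_at_pod({"Host": PUBLIC_HOST, "X-Original-Host": "untrusted.example"})
    print(f"{'client-set header':17} -> {redirect_uri(spoofed, POD_HOST, ANSWER_CONFIG, '/callback')}")
```

Running the block prints the internal name for the first two configurations and the external name for the answer's configuration, and shows that the client-supplied header is replaced at the edge. The design point for defenders is the last case: honouring a forwarded host header is only safe when the first trusted proxy unconditionally sets it, and the internal proxy must not be allowed to clobber it, which is exactly why the answer moved to a custom header name.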

To add to kevin.conner's answer, the last link changed to https://quarkus.io/guides/security-oidc-code-flow-authentication-concept#running-quarkus-application-behind-a-reverse-proxy
