Shinyproxy and Keycloak behind same SSL load balancer, containers


#1

Hi,

I am trying to set up shinyproxy and keycloak as containers, both behind same HAProxy configured as SSL terminator.

keycloak container exposes port 8080 to docker network A
shinyproxy container exposes port 21001 to docker network B
container with haproxy acts as SSL terminator serving two names:
mykeycloak.example.com (https) talking to keycloak:8080 over network A
myshiny.example.com (https) talking to shinyproxy:21001 over network B

keycloak has been configured to honour the X-Forwarded-For field.

hitting myshiny… correctly redirects to mykeycloak… but after authentication the browser complaints of too many redirections.

I have added the certificate used in the HAProxy to the shinyproxy container cacerts and the log indicates multiple attempts that fail with a “the certificate for mykeycloak… is not in the list of alternate names” of the certificate used in HAProxy. This is true, neither of these hostnames are in the list of the (letsencrypt) certificate.

What baffles me is why the errors point to certificate problems in my shinyproxy container when trafic should be HTTP behind the load balancer.

I am trying to emulate a situation in which the auth provider and shinyproxy are separate hosts and both behind SSL reverse proxies. Using HAProxy in this configuration because I’ve been given only one internal IP address to experiment.

Any pointers to how to solve will be appreciated. Using Rancher as container manager, all stacks in single host.

Thanks,
–c


#2

Hi @rifius,

Getting certificate errors on the shinyproxy side is indeed strange in this scenario…
Here are some things you could check:

When you hit https://myshiny.example.com you should be getting 2 redirects:
First going to /sso/login
Then going to https://mykeycloak.example.com/.../auth?response_type=code&redirect_uri=https%3A%2F%2Fmyshiny.example.com%2Fsso%2Flogin

Can you verify that the redirect_uri parameter is https?
If not, try setting this in shinyproxy application.yml:

server:
  useForwardHeaders: true

#3

Thanks @fmichielssen,

Both redirects happen, but the second has …&redirect_uri=http%3A%2F… , not https as I expected.

I will definitely try setting this in application.yml, once I solve another problem (posted in a separate question).

Thanks,
–c