Auth via reverse proxy if keycloak not accessible for external network

[andys448]

Hi!

first of all, adapter is awesome- it works great :)

Maybe it is possible to configure authorization if the keylock is not accessible to the external network? For example, using custom locations in meet.conf ?

[emrahcom]

Hi @andys448,

Could you tell more about the case you want to handle?

If I undersand correctly, Keycloak is not accessible for some participants in this case and they get unreacheable address message after redirection (from Jitsi to Keycloak). You are suggesting to check the accessibility of Keycloak before redirection and to redirect the participants to an alternative address if Keycloak is not accessible for them. Is this correct?

[andys448]

Hi Emrah! Almost correct, I would like login to KeyCloak at jitsi.company.com/auth (keycloak will be available here). Is it possible? keycloak does not have its own DNS entry in the external zone and is not available from internet.

[emrahcom]

So in some cases, Keycloak's address will be different for frontend and backend. I need to work on this a bit. I think it would be a good feature.

[emrahcom]

Hi @andys448,

Looks like this is already available. There are two config parameters for Keycloak's address:

• KEYCLOAK_ORIGIN
• KEYCLOAK_ORIGIN_INTERNAL

https://github.com/nordeck/jitsi-keycloak-adapter/blob/main/config.ts#L1-L5

KEYCLOAK_ORIGIN_INTERNAL copies the value set for KEYCLOAK_ORIGIN by default but it is possible to set different values for them.

So, you may set KEYCLOAK_ORIGIN by using the external address and KEYCLOAK_ORIGIN_INTERNAL by using the internal address:

export const KEYCLOAK_ORIGIN = "https://jitsi.company.com/auth";
export const KEYCLOAK_ORIGIN_INTERNAL = "https://keycloak-internal.company.com"

[andys448]

Hi @emrahcom

I tried this but without any luck

When I set these two variables, during authorization and redirection to keycloak I end up in an endless loop, which at the end returns error 502. I don’t see any hits in the keycloak logs.

I also trying set proxy_pass in meet.conf

location = /kc-auth {
    proxy_pass https://keycloak_host/auth/;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
}

It almost works. But here I get an error from keycloak that no cookies were found

In my case, I want to proxy the connection to keycloak via an external jitsi address.
At the same time, keycloak has its own address for use within the network.

[emrahcom]

Hi @andys448,

I did some tests. It didn't work completely but I made some progress.

In my test environment:

• my Jitsi: https://jitsi.mydomain.corp
• my Keycloak: https://ucs-sso-ng.mydomain.corp

I added two locations into Nginx config to use it as a reverse proxy for Keycloak:

    location ~ /realm {  
        proxy_pass https://ucs-sso-ng.mydomain.corp;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host "ucs-sso-ng.mydomain.corp";
        proxy_ssl_verify off;
    }                    
                         
    location ~ /resources {
        proxy_pass https://ucs-sso-ng.mydomain.corp;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host "ucs-sso-ng.mydomain.corp";
        proxy_ssl_verify off;

And I updated jitsi-keycloak-adapter's config.ts as the following:

export const KEYCLOAK_ORIGIN = "https://jitsi.mydomain.corp";
export const KEYCLOAK_ORIGIN_INTERNAL = "https://ucs-sso-ng.mydomain.corp";

The issue in this case, the (POST's) target is still the orginal address of Keycloak in Keycloak's login page.

[andys448]

@emrahcom

Many thanks for your reply!

Yep, the same issue with keycloak address on final login page.
Maybe you have ideas on how to fix this?(

[emrahcom]

I don't know if there is a parameter for this on Keycloak side. You may update Keycloak response on the reverse proxy as a hacky solution. For example, the location should be like the following for my environment in this case:

    location ~ /realms {                        
        proxy_pass https://ucs-sso-ng.mydomain.corp;
        proxy_http_version 1.1;                 
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host "ucs-sso-ng.mydomain.corp";
        proxy_ssl_verify off;                   
        proxy_set_header Accept-Encoding "";    
        sub_filter "ucs-sso-ng.mydomain.corp" "jitsi.mydomain.corp";
        sub_filter_once off;                    
    } 

sub_filter updates the address in this example. subs-filter module must be installed. For Debian:

apt-get install libnginx-mod-http-subs-filter

[andys448]

I'll try to check this.

Many thanks!!