Keycloak Docker日志包含反向代理的IP

编程问答 2022-08-23

问题描述

我有以下docker-compose文件:

version: '2.3'

services:
  postgres:
    image: postgres
    restart: unless-stopped
    volumes:
      - ./postgres_data:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=keycloak
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=password
  keycloak:
    image: jboss/keycloak
    restart: unless-stopped
    command: -b 0.0.0.0 -Djboss.bind.address.private=127.0.0.1
    environment:
      - DB_VENDOR=POSTGRES
      - DB_ADDR=postgres
      - DB_DATABASE=keycloak
      - DB_USER=keycloak
      - DB_SCHEMA=public
      - DB_PASSWORD=password
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=password
      - PROXY_ADDRESS_FORWARDING=true
    ports:
      - "2600:8443"
    depends_on:
      - postgres

networks:
  default:
    driver: bridge
    enable_ipv6: true
    ipam:
      config:
        - subnet: "172.26.0.0/24"
        - subnet: "fc00:2600::/96"

以及以下nginx配置

server {
  listen 80;
  server_name sso.domain.de;

  location / {
    return 301 https://sso.domain.de$request_uri;
  }

  location /.well-known/acme-challenge/ {
    root /var/www/certbot/sso.domain.de/;
  }
}

server {
  listen 443 ssl;
  server_name sso.domain.de;

  ssl_certificate /etc/letsencrypt/live/sso.domain.de/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/sso.domain.de/privkey.pem;

  include /etc/nginx/ssl/options-ssl-nginx.conf;
  ssl_dhparam /etc/nginx/ssl/ssl-dhparams.pem;

  client_max_body_size 200M;

  location / {
    proxy_pass https://keycloak-server:2600/;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Nginx-Proxy true;

    proxy_redirect off;
  }
}

该配置可以正常运行。要使用fail2ban查找错误的登录尝试,我需要客户端的正确IP地址。但是我在Keycloak日志中得到的仍然是负载均衡器的IP(它似乎忽略了PROXY_ADDRESS_FORWARDING = true)

keycloak_1  | 14:46:54,726 WARN  [org.keycloak.events] (default task-3) type=LOGIN_ERROR,realmId=myrealm,clientId=frontend,userId=d25b66b4-5b9e-45bd-94dc-14a447f47cc2,ipAddress=loadbalancer-ip,error=invalid_user_credentials,auth_method=openid-connect,auth_type=code,redirect_uri=https://frontend.domain.de/sso/login,code_id=07fca7fd-4f5b-415a-b7e1-a4d358693a88,username=badman,authSessionParentId=07fca7fd-4f5b-415a-b7e1-a4d358693a88,authSessionTabId=EIUTSY8Mxwk
keycloak_1  | 14:46:54,732 WARN  [org.keycloak.services] (Brute Force Protector) KC-SERVICES0053: login failure for user d25b66b4-5b9e-45bd-94dc-14a447f47cc2 from ip loadbalancer-ip

有什么想法吗?

解决方法

暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!

如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。

小编邮箱:dio#foxmail.com (将#修改为@)

dockerdocker-composefail2bankeycloakreverse-proxy

相关问答

导入项目后报错问题
依赖报错 idea导入项目后依赖报错,解决方案:https://blog....
idea不能识别yaml文件
使用mybatis plus常见错误
错误1:代码生成器依赖和mybatis依赖冲突 启动项目时报错如下...
gradle常见问题与错误
错误1:gradle项目控制台输出为乱码 # 解决方案:https://bl...
Mybatis Plus传入参数0不起作用
错误还原:在查询的过程中,传入的workType为0时,该条件不起...
linux中make编译源码包失败
报错如下,gcc版本太低 ^ server.c:5346:31: 错误:‘struct...