Why does RH-SSO ignore the X-Forwarded-Host header?

Solution In Progress - Updated -

Issue

I am having trouble setting up load balancing with RH-SSO. I am using Apache/mod_proxy as the load balancer.

I set proxy-address-forwarding to true on the http-listener as described in the docs and I configured Apache to send the X-Forwarded-Proto, X-Forwarded-For and X-Forwarded-Host headers. When I try to log into the admin console, I get forwarded directly to RH-SSO (bypassing the proxy). Here is what the request and redirect look like (proxy address is localhost:9090, RH-SSO address is localhost:8080):

12:15:57,197 INFO  [io.undertow.request.dump] (default task-1)
----------------------------REQUEST---------------------------
               URI=/auth/admin
 characterEncoding=null
     contentLength=-1
       contentType=null
            header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            header=Accept-Language=en-US,en;q=0.5
            header=Accept-Encoding=gzip, deflate
            header=X-Forwarded-Server=dehort-t460p.clintoncable.net
            header=User-Agent=Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
            header=Connection=Keep-Alive
            header=X-Forwarded-Proto=http
            header=X-Forwarded-For=127.0.0.1
            header=Upgrade-Insecure-Requests=1
            header=Host=127.0.0.1:8080
            header=X-Forwarded-Host=127.0.0.1:9090
            locale=[en_US, en]
            method=GET
          protocol=HTTP/1.1
       queryString=
        remoteAddr=127.0.0.1:0
        remoteHost=127.0.0.1
            scheme=http
              host=127.0.0.1:8080
        serverPort=0
--------------------------RESPONSE--------------------------
     contentLength=0
       contentType=null
            header=Connection=keep-alive
            header=X-Powered-By=Undertow/1
            header=Server=JBoss-EAP/7
            header=Location=http://127.0.0.1:8080/auth/admin/master/console/
            header=Content-Length=0
            header=Date=Tue, 22 Nov 2016 18:15:57 GMT
            status=302

I run into a similar issue when trying to use an OIDC client. In that case, the client redirects me correctly to the proxy address (I set the address manually in the client's keycloak section of the standalone.xml). However, the action of the login form that I end up at is pointed directly at the RH-SSO instance instead of the proxy. The form itself, images and woff files are getting served up by the proxy though.

Is there something that needs to be configured so that the proxying will work correctly?

Environment

  • Red Hat Single Sign-On
    • 7.0.0
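
The symptom in the dump above can be checked mechanically: the 302 Location carries the backend Host value instead of the X-Forwarded-Host value. The following is an added example, not part of the original article or of RH-SSO; the function names and result labels are assumptions, and the sample is a trimmed copy of the dump shown above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: trimmed copy of the Undertow request dump shown in the Issue section.
SAMPLE_DUMP = """\
----------------------------REQUEST---------------------------
               URI=/auth/admin
            header=X-Forwarded-Proto=http
            header=X-Forwarded-For=127.0.0.1
            header=Host=127.0.0.1:8080
            header=X-Forwarded-Host=127.0.0.1:9090
--------------------------RESPONSE--------------------------
            header=Location=http://127.0.0.1:8080/auth/admin/master/console/
            status=302
"""

HEADER_RE = re.compile(r"^\s*header=([^=]+)=(.*)$")

def parse_dump(text):
    """Split one dump entry into request and response header dicts (lower-cased names)."""
    request, response, current = {}, {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("--") and "REQUEST" in stripped:
            current = request
        elif stripped.startswith("--") and "RESPONSE" in stripped:
            current = response
        elif current is not None:
            m = HEADER_RE.match(line)
            if m:
                current[m.group(1).strip().lower()] = m.group(2).strip()
    return request, response

def check_redirect(text):
    """Return 'ok', 'bypasses-proxy', 'other-host' or 'no-redirect' for one dump entry."""
    request, response = parse_dump(text)
    location = response.get("location")
    if not location:
        return "no-redirect"
    target = urlsplit(location).netloc
    if not target:  # relative redirect: the browser stays on the proxy address
        return "ok"
    # With chained proxies the header is a comma-separated list; the first entry is the client-facing host.
    forwarded = request.get("x-forwarded-host", "").split(",")[0].strip()
    if forwarded and target == forwarded:
        return "ok"
    if target == request.get("host"):
        return "bypasses-proxy"
    return "other-host"
```

Running check_redirect over the dump from the Issue section reports "bypasses-proxy", because the Location authority equals the Host header (127.0.0.1:8080) rather than the X-Forwarded-Host value (127.0.0.1:9090).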
