Traefik & Keycloak: error SSL_ERROR_RX_RECORD_TOO_LONG

9/19/2018

I use HAProxy to redirect all requests from port 80 to port 443, and a NodePort to reach a traefik-ingress-controller (v1.6.6, inside a Kubernetes cluster).

Here is the HAProxy.conf:

frontend http-frontend
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    default_backend http_app

frontend https-frontend
    bind *:443 ssl crt /etc/ssl/certs/my-cert.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend traefik_app

backend http_app
    redirect scheme https if !{ ssl_fc }

backend traefik_app
    server traefik localhost:30010 check

Every application running on my Kubernetes cluster has an Ingress.

Among them I have a Keycloak pod (v4.1.0, for authentication) with this Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: keycloak
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: login.myapp.it
    http:
      paths:
      - backend:
          serviceName: keycloak
          servicePort: 8080

When I connect to https://login.myapp.it/auth/admin/ I get redirected to https://login.myapp.it:80/auth/admin/master/console/ (note the port 80) and I receive an SSL_ERROR_RX_RECORD_TOO_LONG error.

Does anyone have any hints for this redirect issue with Keycloak behind a proxy?

Thank you in advance.

-- Nicola Ben
haproxy
keycloak
kubernetes
traefik

2 Answers

10/11/2018

I solved my issue using the following traefik annotation:

traefik.frontend.passHostHeader: "true"

which forwards the client Host header to the backend.

Here is a complete Ingress example:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: keycloak
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.passHostHeader: "true"
spec:
  rules:
  - host: login.myapp.it
    http:
      paths:
      - backend:
          serviceName: keycloak
          servicePort: 8080

Alternatively, I could have added the following to haproxy.cfg:

reqadd X-Forwarded-Port:\ 443

-- Nicola Ben
Source: StackOverflow
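
The redirect in the question pairs the https scheme with port 80, where the HAProxy frontend speaks plain HTTP, so the browser's TLS handshake receives non-TLS bytes. The following is an added example, not part of the original answer and not Keycloak's code: a simplified model of a backend that builds its external URL from forwarded headers, plus a check for scheme/port mismatches in a Location value. The function names and the X-Forwarded-Port value of 80 are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def external_base_url(headers):
    """Simplified model (an assumption, not Keycloak's code) of a backend
    that trusts X-Forwarded-* headers when building absolute redirects."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", "http").lower()
    raw_host = h.get("x-forwarded-host", h.get("host", "localhost"))
    host = urlsplit("//" + raw_host).hostname  # drops any port in Host
    default = DEFAULT_PORTS.get(scheme)
    port = int(h["x-forwarded-port"]) if "x-forwarded-port" in h else default
    # The port is omitted only when it is the default for the scheme.
    if port in (None, default):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def redirect_problem(location):
    """Return a description if a Location URL pairs a scheme with the
    default port of the other scheme (https on 80, http on 443), else None."""
    u = urlsplit(location)
    if u.scheme not in DEFAULT_PORTS:
        return None
    for scheme, port in DEFAULT_PORTS.items():
        if scheme != u.scheme and u.port == port:
            return f"{u.scheme} URL points at port {port}, the default {scheme} port"
    return None


if __name__ == "__main__":
    # Constructed request headers. The X-Forwarded-Port of 80 is an assumption
    # about what reaches the backend in the question's setup.
    broken = {"Host": "login.myapp.it",
              "X-Forwarded-Proto": "https",
              "X-Forwarded-Port": "80"}
    # Same request with the port header the answer suggests setting in HAProxy.
    fixed = dict(broken, **{"X-Forwarded-Port": "443"})
    for hdrs in (broken, fixed):
        url = external_base_url(hdrs) + "/auth/admin/master/console/"
        print(url, "->", redirect_problem(url) or "ok")
```

Running `redirect_problem` over the Location headers returned through the proxy chain shows whether a header change such as the ones above removed the mismatch.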

9/19/2018

Sounds like you are missing your TLS certs on your ingress:

$ kubectl -n kube-system create secret tls your-k8s-tls-secret --key=tls.key --cert=tls.crt

Then:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: keycloak
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
  - secretName: your-k8s-tls-secret
  rules:
  - host: login.myapp.it
    http:
      paths:
      - backend:
          serviceName: keycloak
          servicePort: 8080

Hope it helps!

-- Rico
Source: StackOverflow