feat(jans-linux-setup): put KC behind apache (#7092)

Signed-off-by: Mustafa Baser <mbaser@mail.com>
JanssenProject · Dec 14, 2023 · 2c545c3 · 2c545c3
1 parent 30139d3
commit 2c545c3
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 12 deletions.
diff --git a/jans-linux-setup/jans_setup/setup_app/installers/jans_saml.py b/jans-linux-setup/jans_setup/setup_app/installers/jans_saml.py
@@ -16,7 +16,6 @@
 
 # Config
 Config.idp_config_http_port = '8083'
-Config.idp_config_hostname = 'localhost'
 Config.jans_idp_enabled = 'true'
 Config.jans_idp_realm = 'jans-api'
 Config.jans_idp_client_id = f'jans-api-{uuid.uuid4()}'
@@ -29,10 +28,6 @@
 Config.jans_idp_ignore_validation = 'true'
 Config.jans_idp_idp_metadata_file = 'idp-metadata.xml'
 
-# change this when we figure out this
-Config.keycloack_hostname = 'localhost'
-
-
 class JansSamlInstaller(JettyInstaller):
 
     install_var = 'install_jans_saml'
@@ -84,6 +79,10 @@ def __init__(self):
         Config.jans_idp_sp_metadata_root_dir = os.path.join(self.idp_config_root_dir, 'sp/metadata')
         Config.jans_idp_sp_metadata_temp_dir = os.path.join(self.idp_config_root_dir, 'sp/temp_metadata')
 
+        Config.idp_config_hostname = Config.hostname
+        Config.keycloack_hostname = Config.hostname
+
+
     def install(self):
         """installation steps"""
         self.create_scim_client()
@@ -188,7 +187,7 @@ def config_api_idp_plugin_config(self):
             time.sleep(5)
             try:
                 self.logIt("Connecting KC")
-                s.connect((Config.idp_config_hostname, int(Config.idp_config_http_port)))
+                s.connect(('localhost', int(Config.idp_config_http_port)))
                 self.logIt("Successfully connected to KC")
                 break
             except Exception:
@@ -197,7 +196,7 @@ def config_api_idp_plugin_config(self):
             self.logIt("KC did not start in 120 seconds. Giving up configuration", errorLog=True, fatal=True)
 
         kcadm_cmd = '/opt/keycloak/bin/kcadm.sh'
-        kcm_server_url = f'http://{Config.idp_config_hostname}:{Config.idp_config_http_port}/'
+        kcm_server_url = f'http://localhost:{Config.idp_config_http_port}/kc'
         env = {'JAVA_HOME': Config.jre_home}
 
         with tempfile.TemporaryDirectory() as tmp_dir:

diff --git a/jans-linux-setup/jans_setup/setup_app/utils/collect_properties.py b/jans-linux-setup/jans_setup/setup_app/utils/collect_properties.py
@@ -268,7 +268,6 @@ def collect(self):
                     ('jans_idp_ignore_validation', 'ignoreValidation')
                     ):
                 if json_prop in jans_idp_config:
-                    print("Exsits", json_prop, jans_idp_config[json_prop])
                     setattr(Config, config_var, jans_idp_config[json_prop])
 
 

diff --git a/jans-linux-setup/jans_setup/static/system/systemd/kc.service b/jans-linux-setup/jans_setup/static/system/systemd/kc.service
@@ -7,7 +7,8 @@ Type=simple
 Environment="JAVA_HOME=%(jre_home)s"
 Environment="KEYCLOAK_ADMIN=admin"
 Environment="KEYCLOAK_ADMIN_PASSWORD=admin"
-ExecStart=%(idp_config_data_dir)s/bin/kc.sh start-dev --http-port %(idp_config_http_port)s --log="console,file" --log-file="%(idp_config_data_dir)s/logs/keycloak.log" -Dlog.base="%(idp_config_data_dir)s/logs/%(service_name)s.log" -Djans.config.prop.path="%(idp_config_providers_dir)s"
+ExecStart=%(idp_config_data_dir)s/bin/kc.sh start-dev --log="console,file" --proxy edge --hostname=%(hostname)s --hostname-admin=%(hostname)s --hostname-path=/kc --hostname-strict-https=true --http-enabled=true --http-relative-path=/kc --http-host=127.0.0.1 --http-port=%(idp_config_http_port)s --log="console,file" --log-file="%(idp_config_data_dir)s/logs/keycloak.log" -Dlog.base="%(idp_config_data_dir)s/logs/%(service_name)s.log" -Djans.config.prop.path="%(idp_config_providers_dir)s"
+
 User=jetty
 Group=jetty
 

diff --git a/jans-linux-setup/jans_setup/templates/apache/https_jans.conf b/jans-linux-setup/jans_setup/templates/apache/https_jans.conf
@@ -31,8 +31,7 @@
     Header always set X-Content-Type-Options nosniff
     # Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' https://%(hostname)s"
     Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
-
-    Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
+
     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 
     # Unset X-ClientCert to make sure that we not get certificate in request
@@ -62,37 +61,43 @@
     </Proxy>
 
     <Location /jans-scim>
+        Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
         ProxyPass http://localhost:8087/jans-scim retry=5 connectiontimeout=60 timeout=60
         Order deny,allow
         Allow from all
     </Location>
 
     <Location /jans-fido2>
+        Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
         ProxyPass http://localhost:8073/jans-fido2 retry=5 connectiontimeout=60 timeout=60
         Order deny,allow
         Allow from all
     </Location>
 
     <Location /jans-auth>
+        Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
         ProxyPass http://localhost:8081/jans-auth retry=5 connectiontimeout=60 timeout=60
         # Header set Access-Control-Allow-Origin "*"
         Order deny,allow
         Allow from all
     </Location>
 
     <Location /jans-config-api>
+        Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
         ProxyPass http://localhost:8074/jans-config-api retry=5 connectiontimeout=60 timeout=60
         Order deny,allow
         Allow from all
     </Location>
 
     <Location /jans-eleven>
+        Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
         ProxyPass http://localhost:8075/jans-eleven retry=5 connectiontimeout=60 timeout=60
         Order deny,allow
         Allow from all
     </Location>
 
     <Location /jans-casa>
+        Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
         ProxyPass http://localhost:%(casa_web_port)s/jans-casa retry=5 connectiontimeout=60 timeout=60
         Order deny,allow
         Allow from all 
@@ -107,6 +112,12 @@
         RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
     </LocationMatch>
 
+    <Location /kc>
+     ProxyPass http://localhost:8083/kc retry=5 connectiontimeout=60 timeout=60
+     Order deny,allow
+     Allow from all
+    </Location>
+
     ProxyPass   /.well-known/openid-configuration http://localhost:8081/jans-auth/.well-known/openid-configuration
     ProxyPass   /.well-known/webfinger http://localhost:8081/jans-auth/.well-known/webfinger
     ProxyPass   /.well-known/uma2-configuration http://localhost:8081/jans-auth/restv1/uma2-configuration

diff --git a/jans-linux-setup/jans_setup/templates/jans-saml/jans-saml-config.json b/jans-linux-setup/jans_setup/templates/jans-saml/jans-saml-config.json
@@ -4,7 +4,7 @@
   "trustedIdpDn":"ou=trusted-idp,o=jans",
   "enabled": "true",
   "selectedIdp": "keycloak",
-  "serverUrl":"https://${keycloack_hostname}",
+  "serverUrl":"https://${keycloack_hostname}/kc",
   "realm": "${jans_idp_realm}",
   "clientId": "${jans_idp_client_id}",
   "clientSecret": "${jans_idp_client_secret}",