Gluu behind reverse proxy Sign In Infinite Redirects

By: Yi Sheng Yap user 28 Nov 2016 at 7:42 p.m. CST

6 Responses
Yi Sheng Yap gravatar
Hi, This is related to [https://support.gluu.org/customization/3493/gluu-behind-reverse-proxy/](https://support.gluu.org/customization/3493/gluu-behind-reverse-proxy/) The goal is to run Gluu running behind a reverse proxy so we can have dynamic assign domain, 1 of the method mentioned at [https://gluu.org/docs/faq/general/#how-do-i-change-hostname-andor-ip-address-andor-listening-port-of-my-gluu-server](https://gluu.org/docs/faq/general/#how-do-i-change-hostname-andor-ip-address-andor-listening-port-of-my-gluu-server) I've a git repo with the reverse proxy Docker for reference at [https://github.com/o20ne/httpd-reverse-proxy](https://github.com/o20ne/httpd-reverse-proxy) Currently, the reverse proxy can view the sign in page but after sign in, it hits a redirect loop. I'm not really sure what to configure but I've tried editing **oxTrust Admin GUI** under **OpenId Connect Clients**, adding redirect URLs without success. I've tried to add a new client but not sure where to get the existing secret. Secret should be same as **oxTrust Admin GUI**? Thanks & Regards, YS
CentOS72
closed

Answers

By Michael Schwartz Account Admin 28 Nov 2016 at 8:03 p.m. CST

Copy
Michael Schwartz gravatar
I have no idea... this is a network problem out of scope of our support. We assume the Gluu Server is Internet facing on port 443. If you put something in front of it, it's your responsibility to make sure that traffic routes properly to and from the Gluu Server.

By Yi Sheng Yap user 28 Nov 2016 at 8:11 p.m. CST

Copy
Yi Sheng Yap gravatar
Hi Michael, Thanks for the fast response. The network from proxy to the Gluu Server is actually working. I'm trying to configure the Gluu Server, to avoid the redirects. Can you please help by guiding me to where/how to duplicate a existing OpenId Connect Client, reading existing secret. So I can create a new Client with different domains. Regards, YS

By Michael Schwartz Account Admin 28 Nov 2016 at 8:37 p.m. CST

Copy
Michael Schwartz gravatar
Check the client entry under ou=clients,o=(org-inum),o=gluu But if the client secret is hashed (which I think it may be in 2.4.4), there is no way to get the client secret after registration. If you are using the default client for oxtrust, check `/install/commmunity-edition-setup/setup.properties.last` Why don't you just update the client in oxTrust or in LDAP ?

By Yi Sheng Yap user 28 Nov 2016 at 9 p.m. CST

Copy
Yi Sheng Yap gravatar
Hi Michael, > But if the client secret is hashed (which I think it may be in 2.4.4), there is no way to get the client secret after registration. Got it. > Why don't you just update the client in oxTrust or in LDAP ? Tried it before with adding new "Redirect Login URIs" and "Redirect Logout URIs". Makes no difference. Will try with removing old URIs now. Thanks & Regards, YS

By Michael Schwartz Account Admin 28 Nov 2016 at 9:14 p.m. CST

Copy
Michael Schwartz gravatar
If you are using a proxy that changes hostnames, I sort of doubt this will work. If you could provide a diagram that shows exactly what you are trying to do, with all the hostnames, it would help to clarify your design.

By Stefan Sels user 28 Feb 2017 at 6:32 a.m. CST

Copy
Stefan Sels gravatar
the reverseproxy hostname must match the name you gave in setup.py (it will use this name in redirects).

Post an answer