
Quarkus OIDC redirect uri absolute path


I have a cloud load balancer/virtual server/firewall sitting in front of a collection of Quarkus pods that almost acts like a reverse proxy. Traffic comes in through that public entry point and is rerouted to the internal network.

We're using Azure B2C to log into the application and that's working great when you're directly accessing the pod or the internal load balancer.

The issue is that when using the external load balancer, the redirect uri is in the context of the internal network which is not accessible from the public side.

Is there a way to set the redirect uri to our outside server to an absolute uri instead of the relative one? The documentation is clear that it's relative but I didn't see any way to redirect it to a custom uri. Or is this a completely wrong approach when it comes to security? I get that I can try to reconfigure the external load balancer but would like a quick way to set the redirect uri. I know this is possible in other frameworks.

this works:

https://pod1:8080

this works too:

https://internal-load-balancer:8080

this doesn't work:

https://external-load-balancer:8080

(redirect uri is the internal-load-balancer)

Additional information if it helps. We're using the auth code flow and quarkus-oidc automatically sets the redirect url as a relative path. I'm not sure if there is a way to override the redirect uri to our external load balancer instead of internal.

https://quarkus.io/guides/security-openid-connect-web-authentication#quarkus-oidc_quarkus.oidc.authentication.redirect-path

Solved: I had to configure the x-forwarded/reverse proxy to read the original source:

https://quarkus.io/guides/security-openid-connect-web-authentication#external-and-internal-access-to-openid-connect-provider


Solution

  • I had to configure the x-forwarded/reverse proxy to read the original source. I added this to the application.properties:

    quarkus.http.proxy.proxy-address-forwarding=true
    quarkus.http.proxy.allow-forwarded=false
    quarkus.http.proxy.enable-forwarded-host=true
    quarkus.http.proxy.forwarded-host-header=X-ORIGINAL-HOST

    This enables the application to look at the x-forwarded headers, not look at the forwarded header (default is false), enable the x-forwarded-host header, and override the x-forwarded-host property to use a custom header name.

    My internal load balancer has a bug where it will overwrite the x-forwarded-host with the internal name regardless of whether the x-forwarded-host already exists. I also had to configure my external load balancer to add an additional custom header (x-original-host, but the name is arbitrary) so my internal load balancer wouldn't override it.

    Once Quarkus was configured, the redirect uri used the new custom header to build the redirect uri that pointed to the external load balancer and everything worked as expected.

    https://quarkus.io/guides/security-oidc-code-flow-authentication#running-quarkus-application-behind-a-reverse-proxy
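To make the header precedence in the answer concrete, here is an added example (not Quarkus code) that models how the host for the redirect_uri is chosen from the incoming headers under the default settings, under the settings with the default X-Forwarded-Host name, and under the custom X-ORIGINAL-HOST name; the precedence logic, the header values and the `/` redirect path are assumptions constructed for the example, not taken from Quarkus internals.

```python
"""Simplified model of redirect_uri host selection behind two load balancers.

Added example, not Quarkus source. The precedence rules below are an
assumption that mirrors the quarkus.http.proxy.* properties in the answer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyConfig:
    proxy_address_forwarding: bool = False          # quarkus.http.proxy.proxy-address-forwarding
    enable_forwarded_host: bool = False             # quarkus.http.proxy.enable-forwarded-host
    forwarded_host_header: str = "X-Forwarded-Host"  # quarkus.http.proxy.forwarded-host-header


def effective_host(headers: dict, cfg: ProxyConfig) -> str:
    """Return the host the application will believe it was reached on."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if cfg.proxy_address_forwarding and cfg.enable_forwarded_host:
        forwarded = lower.get(cfg.forwarded_host_header.lower())
        if forwarded:
            # A proxy chain may append values; the first entry is the original host.
            return forwarded.split(",")[0].strip()
    # Without forwarding support the plain Host header wins, i.e. the internal name.
    return lower["host"]


def redirect_uri(headers: dict, cfg: ProxyConfig, redirect_path: str = "/") -> str:
    """Absolute redirect_uri built from the effective host (https assumed)."""
    return f"https://{effective_host(headers, cfg)}{redirect_path}"


# Constructed headers as they reach the pod: the internal load balancer has
# rewritten Host and overwritten X-Forwarded-Host with its own name, while the
# custom header set by the external load balancer survives untouched.
REQUEST_HEADERS = {
    "Host": "internal-load-balancer:8080",
    "X-Forwarded-Host": "internal-load-balancer:8080",
    "X-ORIGINAL-HOST": "external-load-balancer:8080",
}

DEFAULT_CFG = ProxyConfig()
STANDARD_HEADER_CFG = ProxyConfig(proxy_address_forwarding=True, enable_forwarded_host=True)
CUSTOM_HEADER_CFG = ProxyConfig(proxy_address_forwarding=True, enable_forwarded_host=True,
                                forwarded_host_header="X-ORIGINAL-HOST")

# Because the application now trusts whatever arrives in the configured header,
# the external load balancer must set or overwrite it on every request so that
# the value always reflects the edge hostname rather than a client-supplied one.
if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CFG), ("x-forwarded-host", STANDARD_HEADER_CFG),
                      ("x-original-host", CUSTOM_HEADER_CFG)]:
        print(f"{name:17} -> {redirect_uri(REQUEST_HEADERS, cfg)}")
```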