Redirect behind Proxy

[belfhi]

I have a setup where my Apache sits behind a proxy (nginx ingress controller)
and listens on port 8443.
The Location of the OIDC protected part is very simple

 <Location /oidc>
    AuthType openid-connect
    Require valid-user
</Location>

If I send a request to /oidc/ everything works fine, I get redirected to Keycloak
and after authentication I land back on my protected page.

If I request /oidc WITHOUT THE SLASH i get redirected to the container port 8443, not the https port 443
and this redirect fails.

Any ideas where my setup is wrong?
My OIDC settings are very generic, I also set OIDCXForwardedHeaders as per FAQ.:

<IfModule auth_openidc_module>
    OIDCProviderIssuer ${OIDC_PROVIDER}${OIDC_REALM}
    OIDCProviderAuthorizationEndpoint ${OIDC_PROVIDER}${OIDC_REALM}/protocol/openid-connect/auth
    OIDCProviderJwksUri ${OIDC_PROVIDER}${OIDC_REALM}/protocol/openid-connect/certs
    OIDCProviderTokenEndpoint ${OIDC_PROVIDER}${OIDC_REALM}/protocol/openid-connect/token
    OIDCProviderUserInfoEndpoint ${OIDC_PROVIDER}${OIDC_REALM}/protocol/openid-connect/userinfo
    OIDCSSLValidateServer On
    OIDCRedirectURI ${OIDC_REDIRECT_URI}
    OIDCCryptoPassphrase ${OIDC_CRYPT}
    OIDCClientID ${OIDC_CLIENT}
    OIDCClientSecret ${OIDC_SECRET}
    OIDCRemoteUserClaim preferred_username
    OIDCInfoHook userinfo
    OIDCXForwardedHeaders X-Forwarded-Host
</IfModule>

Help / Input would be appreciated!
Cheers.

[zandbelt]

it would be good to check what ${OIDC_REDIRECT_URI} is set to, plus you need to make sure that the ingress controller forwards the port in the X-Forwarded-Host header or set it explicitly in X-Forwarded-Port (it looks like it does so for /oidc/ but not for /oidc)

[belfhi]

My redirect_uri is a relative URL /oidc/redirect_uri which I see in Keycloak as https://HOSTNAME:443/oidc/redirect_uri.
This is the same for both cases, when I try to access /oidc and /oidc/ but only the latter works. I'll try to find out what headers my ingress sets.

[belfhi]

So I checked the Headers using the echo-server:

Request served by echo-server-668c56db6-559w8

HTTP/1.1 GET /echo

Host: HOST
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-DE;q=0.8,en;q=0.7,en-US;q=0.6
Cookie: COOKIE
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
X-Forwarded-For: IP
X-Forwarded-Host: HOST
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Scheme: https
X-Real-Ip: HOST
X-Request-Id: 7bf9df84cc78416ef3ab17e0f37dc2ee
X-Scheme: https

Everything seems correct.
How do I set OIDCXForwardedHeaders, so that Host and Scheme are used but the port is not appended to the redirect_uri?

[zandbelt]

set it to OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Proto but you still have to make sure those same headers are forwarded by the ingress proxy for both /oidc and /oidc/

[belfhi]

I'm afraid that didn't work, either. I even tried to add

UseCanonicalName Off
UseCanonicalPhysicalPort Off

In my VirtualHost directive.

Also, the ingress works on / so I don't thnk it distinguishes betwenn /oidc and /oidc/

[belfhi]

okay, so adding

ServerName https://HOST:443

seemed to have worked. I need to set up oidc-agent to test with curl, browser caches are killing me :D