Some api methods are not authorized behind https reverse proxy #4446

Open
@tartina

Description

When behind an HTTPS reverse proxy, GET requests are authorized; all other methods are not.

Registry Version: 2.5.8.Final
Persistence type: sql

Environment

JAVA_HOME=/usr/lib/jvm/java-17
KEYCLOAK_URL=https://keycloak.xxx.xxx/auth
KEYCLOAK_REALM=registry
REGISTRY_APIS_V2_DATE_FORMAT=yyyy-MM-dd'T'HH:mm:ss'Z'
REGISTRY_UI_CONFIG_APIURL=https://apicurio.xxx.xxx:443/apis/registry
REGISTRY_UI_CONFIG_UIURL=https://apicurio.xxx.xxx:443/ui
REGISTRY_LOG_LEVEL=DEBUG
REGISTRY_URL_OVERRIDE_PORT=443
REGISTRY_URL_OVERRIDE_HOST=apicurio.xxx.xxx
REGISTRY_AUTH_ENABLED=true
REGISTRY_AUTH_RBAC_ENABLED=true
REGISTRY_AUTH_ANONYMOUS_READ_ACCESS_ENABLED=true
REGISTRY_AUTH_OBAC_ENABLED=false
ENABLE_ACCESS_LOG=true

Steps to Reproduce

Use an HTTPS reverse proxy in front of both Keycloak and Apicurio.

  1. Login with sr-admin role user
  2. You see all options in the UI
  3. Try to create some artifacts or to change options
  4. You get access denied

Expected vs Actual Behaviour

Expected: the sr-admin user can create or modify artifacts and change options.

Actual: the sr-admin user can only read objects (only GET works).

Logs

DELETE request NOT working (note user is "-")

Mar 15 09:45:51 ocpproxy java[1440098]: 2024-03-15 09:45:51 INFO <> [io.quarkus.vertx.http.runtime.filters.accesslog.JBossLoggingAccessLogReceiver] (vert.x-eventloop-thread-1) "apicurio-registry.access method="DELETE" path="/apis/registry/v2/groups/default/artifacts/3f63e65d-b483-4c40-af7c-6870890a076d" response_code="403" response_time="-" remote_ip="127.0.0.1" remote_user="-" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36""

GET request working (user is correct "myuser")

Mar 15 09:51:37 ocpproxy java[1440098]: 2024-03-15 09:51:37 INFO <_> [io.quarkus.vertx.http.runtime.filters.accesslog.JBossLoggingAccessLogReceiver] (executor-thread-31) "apicurio-registry.access method="GET" path="/apis/registry/v2/groups/default/artifacts/3f63e65d-b483-4c40-af7c-6870890a076d/rules" response_code="200" response_time="-" remote_ip="127.0.0.1" remote_user="myuser" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36""
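
As an added triage aid (not part of this issue or of the Apicurio project), the script below parses the two access-log lines above and flags the pattern the report describes: a 403 on a non-GET method where the registry saw no principal (remote_user "-"). A 403 for a known user would be a real RBAC decision; a 403 with "-" means the request reached the registry without an authenticated principal, so the proxy hop is the first thing to check. The log copies are constructed from the lines above with the user_agent shortened.

```python
import re

# Constructed copies of the two access-log lines quoted in this issue
# (user_agent shortened; every other field as reported).
SAMPLE_LOG = [
    '2024-03-15 09:45:51 INFO <> [io.quarkus.vertx.http.runtime.filters.accesslog.JBossLoggingAccessLogReceiver] (vert.x-eventloop-thread-1) "apicurio-registry.access method="DELETE" path="/apis/registry/v2/groups/default/artifacts/3f63e65d-b483-4c40-af7c-6870890a076d" response_code="403" response_time="-" remote_ip="127.0.0.1" remote_user="-" user_agent="Mozilla/5.0""',
    '2024-03-15 09:51:37 INFO <_> [io.quarkus.vertx.http.runtime.filters.accesslog.JBossLoggingAccessLogReceiver] (executor-thread-31) "apicurio-registry.access method="GET" path="/apis/registry/v2/groups/default/artifacts/3f63e65d-b483-4c40-af7c-6870890a076d/rules" response_code="200" response_time="-" remote_ip="127.0.0.1" remote_user="myuser" user_agent="Mozilla/5.0""',
]

# The Quarkus access-log receiver writes fields as key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_access_line(line):
    """Return the key="value" fields of one access-log line as a dict."""
    return dict(FIELD_RE.findall(line))


def find_unauthenticated_denials(lines):
    """(method, path) of requests answered 403 while remote_user was "-",
    i.e. denied without the registry ever seeing an authenticated principal."""
    denials = []
    for line in lines:
        f = parse_access_line(line)
        if "method" not in f:
            continue  # not an access-log line
        if f.get("response_code") == "403" and f.get("remote_user", "-") == "-":
            denials.append((f["method"], f.get("path", "")))
    return denials


def methods_by_auth_state(lines):
    """Map each HTTP method to the auth states it was seen in, e.g.
    {"DELETE": ["anonymous"], "GET": ["authenticated"]}; a method that only
    ever arrives anonymous while others arrive authenticated is the symptom."""
    seen = {}
    for line in lines:
        f = parse_access_line(line)
        if "method" not in f:
            continue
        state = "anonymous" if f.get("remote_user", "-") == "-" else "authenticated"
        seen.setdefault(f["method"], set()).add(state)
    return {method: sorted(states) for method, states in seen.items()}


if __name__ == "__main__":
    for method, path in find_unauthenticated_denials(SAMPLE_LOG):
        print(f"403 without principal: {method} {path}")
    print(methods_by_auth_state(SAMPLE_LOG))
```

Run it over the registry's full access log (with ENABLE_ACCESS_LOG=true) to see whether every non-GET request arrives anonymous, which separates a dropped credential at the proxy from a role problem in Keycloak.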

Notes

This problem is only present behind a proxy; if direct access is enabled, everything works well.
Tried both Apache and Nginx.

<VirtualHost apicurio.xxx.xxx>
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
ServerName apicurio.servizi.inps:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/apicurio_ssl_error_log
TransferLog logs/apicurio_ssl_access_log
LogLevel warn
SSLCertificateFile /etc/pki/tls/certs/service.pem
SSLCertificateKeyFile /etc/pki/tls/private/service-key.pem
<Location />
  ProxyPreserveHost Off
  ProxyPass "http://localhost:8080/"
  ProxyPassReverse "https://apicurio.xxx.xxx/"
  RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set X-Forwarded-Port "443"
  ProxyPassReverseCookieDomain localhost apicurio.xxx.xxx
</Location>
</VirtualHost>
