[keycloak-user] ssl apache2 difficulties
mj
lists at merit.unu.edu
Thu Nov 17 10:52:31 EST 2016
Hi,
The keycloak docs recommend running keycloak over ssl. Doing that
directly in java seems quite tricky, so I decided to put an apache2
reverse proxy before keycloak, using Let's Encrypt ssl certificates.
I can't seem to find many official docs on this subject, but after a lot
of googling, I think I'm very close.
The main keycloak interface on
https://keycloak.company.com/auth
loads, using ssl, everything looks good.
The "administration console" link on that page goes to
https://keycloak.company.com/auth/admin/
So the link was generated correctly as well.
However, actually clicking it, I end up somewhere else, namely:
http://keycloak.company.com/auth/admin/master/console/
NOT good, no longer https, and thus we're getting "unable to connect".
Here are two configs I did: first the apache2 keycloak.conf:
> <VirtualHost *:443>
> ServerAdmin webmaster at keycloak.company.com
> ServerName keycloak.company.com
> DocumentRoot /var/www/html
>
> ProxyPreserveHost On
> ProxyVia Off
> ProxyRequests Off
> ProxyPass / "http://localhost:8080/"
> ProxyPassReverse / "http://localhost:8080/"
>
>
> <Proxy *>
> Order deny,allow
> Allow from all
> </Proxy>
>
> LogLevel info ssl:warn
> ErrorLog ${APACHE_LOG_DIR}/keycloak-error.log
> CustomLog ${APACHE_LOG_DIR}/keycloak-access.log combined
>
>
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> SSLEngine on
> SSLCertificateFile /etc/ssl/apache2/cert.pem
> SSLCertificateKeyFile /etc/ssl/apache2/cert.key
> SSLCertificateChainFile /etc/ssl/apache2/fullchain.pem
>
> </VirtualHost>
and I guess I need to make two changes to standalone.xml as well, lines
358 and 422:
edited line 385 to:
> <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
inserted this line at line 422:
> <socket-binding name="proxy-https" port="443"/>
Is there somewhere a place where the required details are outlined to
make this work? Seems I'm pretty close, and just missing some minor
detail somewhere...
Best regards,
MJ
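For comparison, here is an Apache 2.4 vhost pair for the same setup, added as an example and not taken from the post or from the Keycloak project. It keeps the hostname, certificate paths and backend port from the post as assumptions; the two additions that matter for the redirect problem described above are `ProxyPreserveHost On` together with `RequestHeader set X-Forwarded-Proto "https"`, because Keycloak derives the scheme of the URLs it generates from that header once `proxy-address-forwarding="true"` is set on the http-listener (the standalone.xml edits shown in the post). The port-80 vhost is there so that any stray http:// URL is redirected rather than failing with "unable to connect".

```apache
# Added example (not from the original post): TLS-terminating Apache 2.4 reverse
# proxy in front of Keycloak. Hostname, certificate paths and backend port are
# assumptions carried over from the post. Needs mod_ssl, mod_headers, mod_proxy
# and mod_proxy_http enabled.

# Plain-HTTP vhost: never serve Keycloak over http, only redirect to https.
<VirtualHost *:80>
    ServerName keycloak.company.com
    Redirect permanent / https://keycloak.company.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName keycloak.company.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/apache2/cert.pem
    SSLCertificateKeyFile   /etc/ssl/apache2/cert.key
    SSLCertificateChainFile /etc/ssl/apache2/fullchain.pem
    # Only modern protocol versions; SSLv3 and TLS 1.0/1.1 add attack surface.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Keycloak builds redirect and link URLs from the Host header plus the
    # X-Forwarded-* headers. Without X-Forwarded-Proto the backend sees a plain
    # http request from localhost and answers with an http:// Location header,
    # which is exactly the admin console redirect seen in the post.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"
    # mod_proxy adds X-Forwarded-For itself (ProxyAddHeaders, on by default);
    # proxy-address-forwarding="true" on the http-listener makes Keycloak use it
    # as the client address instead of 127.0.0.1.

    ProxyRequests Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # Ask browsers to stay on https for this host from now on.
    Header always set Strict-Transport-Security "max-age=31536000"

    ErrorLog  ${APACHE_LOG_DIR}/keycloak-error.log
    CustomLog ${APACHE_LOG_DIR}/keycloak-access.log combined
</VirtualHost>
```

After reloading Apache, a quick check is `curl -sI https://keycloak.company.com/auth/admin/`: the `Location:` header of the redirect should now start with `https://`. If it still says `http://`, the forwarded headers are not reaching the backend (check that mod_headers is loaded) or the http-listener change in standalone.xml was not applied.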