[keycloak-user] ssl apache2 difficulties

mj lists at merit.unu.edu
Thu Nov 17 10:52:31 EST 2016


Hi,

The keycloak docs recommend running keycloak over ssl. Doing that 
directly in java seems quite tricky, so I decided to put an apache2 
reverse proxy before keycloak, using Let's Encrypt ssl certificates.

I can't seem to find many official docs on this subject, but after a lot 
of googling, I think I'm very close.

The main keycloak interface on
  https://keycloak.company.com/auth
loads, using ssl, everything looks good.

The "administration console" link on that page goes to
  https://keycloak.company.com/auth/admin/
So the link was generated correctly also.

However, actually clicking it, I end up somewhere else, namely:
http://keycloak.company.com/auth/admin/master/console/
NOT good, not anymore https, and thus we're getting "unable to connect".


Here are two configs I did: first the apache2 keycloak.conf:

> <VirtualHost *:443>
>     ServerAdmin webmaster at keycloak.company.com
>     ServerName keycloak.company.com
>     DocumentRoot /var/www/html
>
>     ProxyPreserveHost       On
>     ProxyVia                Off
>     ProxyRequests           Off
>     ProxyPass               /       "http://localhost:8080/"
>     ProxyPassReverse        /       "http://localhost:8080/"
>
>     <Proxy *>
>         Order deny,allow
>         Allow from all
>     </Proxy>
>
>     LogLevel info ssl:warn
>     ErrorLog ${APACHE_LOG_DIR}/keycloak-error.log
>     CustomLog ${APACHE_LOG_DIR}/keycloak-access.log combined
>
>     #   SSL Engine Switch:
>     #   Enable/Disable SSL for this virtual host.
>     SSLEngine on
>     SSLCertificateFile      /etc/ssl/apache2/cert.pem
>     SSLCertificateKeyFile   /etc/ssl/apache2/cert.key
>     SSLCertificateChainFile /etc/ssl/apache2/fullchain.pem
>
> </VirtualHost>

and I guess I need to make two changes to standalone.xml as well, lines 
358 and 422:

edited line 385 to:
>  <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>

inserted this line at line 422:
> <socket-binding name="proxy-https" port="443"/>

Is there somewhere a place where the required details are outlined to 
make this work? Seems I'm pretty close, and just missing some minor 
detail somewhere...

Best regards,
MJ
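The symptom above (Keycloak builds an http:// URL for its redirect even though the browser arrived over https) is what happens when the backend is told to trust forwarded headers (proxy-address-forwarding="true") but the proxy never tells it the original scheme: Apache's mod_proxy sends X-Forwarded-For and X-Forwarded-Host by default, not X-Forwarded-Proto. The vhost below is an added, editorial example of the same configuration with that header set, not the poster's file or anything from the Keycloak project; it assumes mod_headers is enabled (`a2enmod headers`) and Apache 2.4 (hence `Require all granted` in place of the 2.2-style `Order`/`Allow` lines).

```apache
<VirtualHost *:443>
    ServerName keycloak.company.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/apache2/cert.pem
    SSLCertificateKeyFile   /etc/ssl/apache2/cert.key
    SSLCertificateChainFile /etc/ssl/apache2/fullchain.pem

    # Keep the browser's Host header so Keycloak generates links for
    # keycloak.company.com rather than localhost:8080.
    ProxyPreserveHost On
    ProxyRequests     Off
    ProxyVia          Off

    # The missing piece: tell the backend the client really used HTTPS.
    # With proxy-address-forwarding="true" in standalone.xml, Keycloak
    # uses this header when it builds absolute/redirect URLs, so the
    # admin-console redirect becomes https://... instead of http://...
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / "http://localhost:8080/"
    ProxyPassReverse / "http://localhost:8080/"

    <Proxy *>
        Require all granted
    </Proxy>

    LogLevel  info ssl:warn
    ErrorLog  ${APACHE_LOG_DIR}/keycloak-error.log
    CustomLog ${APACHE_LOG_DIR}/keycloak-access.log combined
</VirtualHost>
```

Because proxy-address-forwarding="true" makes Keycloak trust whatever X-Forwarded-* headers it receives, port 8080 must only be reachable from the proxy host (it is bound to localhost in the ProxyPass above); otherwise any client that can reach 8080 directly could supply those headers itself.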

