[keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster
Stian Thorgersen
sthorger at redhat.com
Wed Nov 15 09:55:46 EST 2017
Did you check the docs? Specifically
http://www.keycloak.org/docs/latest/server_installation/index.html#multicast-network-setup
On 15 November 2017 at 14:38, mahendra sonawale <mahson1 at gmail.com> wrote:
> Hello Cedric/Keycloak User comm,
>
> Sorry for getting back late over this. my set-up needs Admin team`s
> intervention to change the broadcast value hence the delay in response.
>
> I got /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts value changed to 0
>
> And also tested the multicast set-up message test with "McastReceiverTest"
> and "McastSenderTest" which works fine.
>
> BUT KEYCLOAK is still NOT working in cluster. I get auto logged out.
>
> PFA the HA file which I am using in my configuration.
>
> IP addresses are dummy.
> Node 1 : 1.2.3.4
> Node 2 : 1.2.3.5
>
> This all I tried.
> 1) Start command - nohup ./bin/standalone.sh
> --server-config=standalone-ha.xml -b $HOSTNAME -u 230.0.0.4 &
> 2) Tried to run both the nodes with public as well as private interface -
> but no luck.
> 3) I have hardware load balancer where SSL terminates. so domain will
> communicate to the both the nodes in round robin and both nodes should be
>
> 4) PFB the HTTPD Conf
>
> -------------------------
> LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
> LoadModule remoteip_module modules/mod_remoteip.so
>
> ProxyPreserveHost On
> LimitRequestFieldSize 163840
> LimitRequestLine 163840
>
> #<VirtualHost _default_:80>
> ServerName rapid.gi-de.com:443
> ErrorLog /opt/keycloak/fiam_error_log
> CustomLog /opt/keycloak/fiam_access_log combined
> LogLevel warn
>
> RequestHeader set X-Forwarded-Proto "https"
>
> <Proxy https://abc.com/* >
> RewriteEngine on
> RewriteCond %{REQUEST_FILENAME} !-f
> RewriteCond %{REQUEST_FILENAME} !-d
> # not rewrite css, js and images
> RewriteCond %{REQUEST_URI} !\.(?:css|js|map|jpe?g|gif|png)$ [NC]
> RewriteRule ^(.*)$ /auth [NC,L,QSA]
> #Options -Indexes FollowSymLinks
> AllowOverride None
> Order allow,deny
> Allow from all
> </Proxy>
>
>
> ProxyPass /auth http://1.2.3.4:8080/auth
> ProxyPassReverse /auth http://1.2.3.4:8080/auth
>
> ------------------
> And on 2nd node only proxy pass has change in IP address as 1.2.3.5
>
> 6) Server logs:
> 2017-11-15 14:03:06,255 INFO
> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
> thread 1-2) ISPN000094: Received new cluster view for channel keycloak:
> [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
> 2017-11-15 14:03:06,256 INFO
> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
> thread 1-7) ISPN000094: Received new cluster view for channel hibernate:
> [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
> 2017-11-15 14:03:06,259 INFO
> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
> thread 1-8) ISPN000094: Received new cluster view for channel web:
> [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
> 2017-11-15 14:03:06,263 INFO
> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
> thread 1-1) ISPN000094: Received new cluster view for channel server:
> [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
> 2017-11-15 14:03:06,263 INFO
> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
> thread 1-7) ISPN000079: Channel hibernate local address is
> keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
> 2017-11-15 14:03:06,264 INFO
> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
> thread 1-1) ISPN000079: Channel server local address is
> keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
> 2017-11-15 14:03:06,264 INFO
> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
> thread 1-3) ISPN000094: Received new cluster view for channel ejb:
> [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
> 2017-11-15 14:03:06,265 INFO
> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
> thread 1-3) ISPN000079: Channel ejb local address is
> keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
>
>
>
>
> ProxyPass /auth http://1.2.3.4:8080/auth
> ProxyPassReverse /auth http://1.2.3.4:8080/auth
>
> Thanks,
> Mahendra
>
>
>
>
>
>
> On Thu, Nov 9, 2017 at 6:35 PM, Cédric Couralet <cedric.couralet at gmail.com
> >
> wrote:
>
> > 2017-11-09 12:34 GMT+01:00 mahendra sonawale <mahson1 at gmail.com>:
> > > (You can look for the value in
> > > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, it should be 0)
> > >
> > > In our production linux env the value is 1 -- does that really
> affect??
> > > and would that be the only cause?
> > >
> >
> > Yes, it is important. At least for us, changing this value to 0 was
> > enough to have a working cluster.
> > As I understand it, the value 1 is a protection against DOS but, in
> > the case of Keycloak prevents each node to discover the others. In a
> > controlled environment (as recommended in the keycloak docs), I see no
> > problem enabling it.
> >
> > I'm far for expert, so maybe someone will have a better idea.
> >
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list