[keycloak-user] Keycloak behind reverse proxy
Dmitry Telegin
dt at acutus.pro
Mon Dec 17 23:56:03 EST 2018
Hello Nikola,
You need to configure an x509cert-lookup SPI in your Keycloak config file. Check this out, there are examples for haproxy and Apache: https://www.keycloak.org/docs/latest/server_admin/#client-certificate-lookup
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
On Mon, 2018-12-17 at 15:39 +0100, Nikola Malenic wrote:
> I configured mutual-ssl authentication on Keycloak. That means that user
> coming to Keycloak does SSL handshake allowing Keycloak to extract data from
> client certificate and map that data to an existing user at Keycloak, and
> based on that authenticate the user.
>
>
>
> Now, I need to configure reverse proxy in front of Keycloak. I'm using
> Apache's httpd.
>
> The problem is that user's browser now does SSL handshake with the reverse
> proxy server instead of Keycloak and sends plain http request, disabling
> Keycloak to map and authenticate the user.
>
>
>
> Is there a proposed method to achieve this?
>
> Can I configure some reverse proxy (maybe not httpd) to proxy requests on
> the transport layer? For example, I've seen there is a way to do client
> authentication on httpd and then send client certificate details to the
> Wildfly through AJP protocol, but how to map this data to the user then?
>
> Or should I somehow configure Keycloak for this?
>
> Maybe configure the proxy to be KC's client and do the authentication
> somehow?
>
>
>
> Many thanks,
>
> Nikola
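An added example, not part of the original thread: the Keycloak and httpd halves of the x509cert-lookup setup the reply points to, using the "apache" provider. The header names follow the Keycloak documentation linked above; the CA path and backend address are placeholders assumed for illustration.

```xml
<!-- Keycloak side: standalone.xml, inside the keycloak-server subsystem.
     Selects the "apache" provider of the x509cert-lookup SPI. -->
<spi name="x509cert-lookup">
    <default-provider>apache</default-provider>
    <provider name="apache" enabled="true">
        <properties>
            <!-- Request header in which httpd passes the PEM client certificate -->
            <property name="sslClientCert" value="SSL_CLIENT_CERT"/>
            <!-- Prefix of the headers carrying chain certificates (CERT_CHAIN_0, ...) -->
            <property name="sslCertChainPrefix" value="CERT_CHAIN"/>
            <!-- Upper bound on how many chain headers Keycloak will read -->
            <property name="certificateChainLength" value="10"/>
        </properties>
    </provider>
</spi>

<!-- httpd side (mod_ssl, mod_headers, mod_proxy_http), in the TLS virtual host.
     Paths and the backend host are placeholders.

  SSLVerifyClient optional
  SSLCACertificateFile /path/to/client-ca.pem

  # "set" overwrites whatever value the browser sent for these headers,
  # so only a certificate verified by httpd reaches Keycloak.
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  RequestHeader set CERT_CHAIN_0    "%{SSL_CLIENT_CERT_CHAIN_0}s"

  ProxyPass        / http://keycloak.internal.example:8080/
  ProxyPassReverse / http://keycloak.internal.example:8080/
-->
```

Keycloak trusts these headers as proof of the TLS handshake, so its HTTP listener should accept connections only from the proxy.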