[keycloak-user] Running Keycloak behind Apache Reverse Proxy

Vikram vikram.eswar at fleetroute.com
Mon Feb 25 09:39:31 EST 2019


correction :

I changed this :

ProxyPass "/xyz" "http://<internal ip address>:<internal port>/"
ProxyPassReverse "/xyz" "http://<internal ip address>:<internal port>/"
to :
ProxyPass "/auth" "http://<internal ip address>:<internal port>/auth"
ProxyPassReverse "/auth" "http://<internal ip address>:<internal port>/auth"

--Vikram

On 2/25/2019 12:47 PM, Vikram wrote:
> Hi Peter,
>
> Thanks a lot again !
>
> it works now. However, there was only one change that did the trick..
>
> I changed this :
>
> ProxyPass "/xyz" "http://<internal ip address>:<internal port>/"
> ProxyPassReverse "/xyz" "http://<internal ip address>:<internal port>/"
> to :
> ProxyPass "/xyz" "http://<internal ip address>:<internal port>/auth"
> ProxyPassReverse "/xyz" "http://<internal ip address>:<internal port>/auth"
>
> I did not have "auth" at the end of the url in the reverse proxy settings. Instead, I had it in my keycloak.json file as 'https://example.com/xyz/auth'. I am not sure but I think keycloak redirects any request going to http://<internal ip address>:<internal port>/ to http://<internal ip address>:<internal port>/auth automatically.. or maybe not. I would appreciate a clarification on this if possible.
>
> Nevertheless, thanks a lot for your time !
>
> Regards,
> Vikram
>
>
> On 2/22/2019 5:50 PM, Nalyvayko, Peter wrote:
>
>> Vikram,
>>
>> Make sure your KC instance is internally accessible. I am posting the examples of apache virtual host and the portion of KC configuration relevant to reverse proxy, where <internal ip address>:<internal port> is the IP address and port respectively your keycloak server is listening on.
>>
>> === <Apache>.conf ===
>>
>> <IfModule mod_ssl.c>
>> <VirtualHost *:443>
>> ...
>>           ProxyPreserveHost On
>>           ProxyRequests Off
>>           RequestHeader add "X-forwarded-proto" "https"
>>
>>           RequestHeader set x-ssl-client-cert "%{SSL_CLIENT_CERT}s"
>>
>>           ProxyPass "/auth" "http://<internal ip address>:<internal port>/auth"
>>           ProxyPassReverse "/auth" "http://<internal ip address>:<internal port>/auth"
>> ...
>> </VirtualHost>
>> </IfModule>
>>
>> ==== standalone.xml ====
>>
>>    <subsystem xmlns="urn:jboss:domain:undertow:7.0">
>>               <buffer-cache name="default"/>
>>               <server name="default-server">
>>                   <http-listener name="default" socket-binding="http" redirect-socket="https-proxy" proxy-address-forwarding="true" enable-http2="true"/>
>>                   <https-listener name="https" socket-binding="https" security-realm="<security realm>" enable-http2="true"/>
>>    .....
>>               </server>
>> .....
>>
>> Hope this helps
>> Cheers,
>> --Peter
>> _____________________________________
>> From: Vikram [vikram.eswar at fleetroute.com]
>> Sent: Friday, February 22, 2019 6:33 AM
>> To: Nalyvayko, Peter; keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
>>
>> Hi Peter,
>>
>> thanks a lot for your reply.
>>
>> I have followed this link already with no luck.
>>
>> I have set X-forwarded headers in my default-ssl.conf file as :
>>
>> RequestHeader set X-Forwarded-Proto "https" env=HTTPS
>>
>> RequestHeader set X-Forwarded-Port "443"
>>
>> RemoteIPHeader X-Forwarded-For
>>
>> Should I also set RemoteIPTrustedProxy and RemoteIPInternalProxy to 127.0.0.1 ?  because everything is running in the same machine ? or should I add all of this in the security.conf file ?
>>
>> Where am I going wrong ?
>>
>> I am not getting a json response when I test the configuration using /auth/realms/master/.well-known/openid-configuration..
>>
>> Regards,
>>
>> Vikram
>>
>>
>>
>> On 2/21/2019 10:13 PM, Nalyvayko, Peter wrote:
>>
>> Here is a link to a more recent docs:
>>
>> https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
>> ________________________________________
>> From: Nalyvayko, Peter
>> Sent: Thursday, February 21, 2019 4:11 PM
>> To: Vikram; keycloak-user at lists.jboss.org
>> Subject: RE: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
>>
>> Vikram,
>>
>>
>>
>>
>> https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider
>>
>>
>>
>> The instructions above only apply if you are trying to set up mutual SSL.
>>
>> Take a look at https://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html how to set up keycloak behind load balancer, there are a few changes to the keycloak configuration you'll need to make
>>
>> Hope this helps
>> Regards
>> --Peter
>>
>> ________________________________________
>> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Vikram [vikram.eswar at fleetroute.com]
>> Sent: Thursday, February 21, 2019 11:40 AM
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
>>
>> Hi all,
>>
>> OS: Ubuntu 18.04
>>
>> I am running an https secured apache server as a reverse proxy. Let's say
>> at https://example.com
>>
>> Now, I have a keycloak server running on the same machine, let's say at
>> http://localhost:1234 (note: HTTP)
>>
>> I have set it up such that https://example.com/keycloak points to
>> http://localhost:1234
>>
>> Now, I have a javascript application which is trying to authenticate
>> with Keycloak using a javascript adapter. In the keycloak.json
>> configuration file, I have the url set up as :
>>
>> url : 'https://example.com/keycloak/auth'
>>
>> This does not work. In order to access keycloak for authentication from
>> the outside world, I need this to connect.
>>
>> Anything on this ?
>>
>> I have already looked at this link :
>>
>> https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider
>>
>>
>> I have tried setting the certificate lookup but I am not sure if I am
>> doing it right. I set it within the virtualhost block in the
>> default-ssl.conf file through RequestHeader.
>>
>> Regards,
>>
>> Vikram
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
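
A small lint for the proxy directives discussed in this thread, as an added example that is not part of any poster's message and not Keycloak or Apache code: it flags a ProxyPass whose public path differs from the backend path, a missing matching ProxyPassReverse, and an X-Forwarded-Proto header that is not overwritten with `RequestHeader set`. The backend address 10.0.0.5:8080 and the helper names `parse` and `lint` are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed samples; 10.0.0.5:8080 stands in for <internal ip address>:<internal port>.
BEFORE = '''
RequestHeader add "X-forwarded-proto" "https"
ProxyPass "/xyz" "http://10.0.0.5:8080/"
ProxyPassReverse "/xyz" "http://10.0.0.5:8080/"
'''
AFTER = '''
RequestHeader set X-Forwarded-Proto "https"
ProxyPass "/auth" "http://10.0.0.5:8080/auth"
ProxyPassReverse "/auth" "http://10.0.0.5:8080/auth"
'''

def parse(conf):
    """Return (directive, [args]) pairs; section tags and comments are skipped."""
    rows = []
    for line in conf.splitlines():
        m = re.match(r'\s*(\w+)\s+(.*)$', line)
        if m:
            args = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', m.group(2))]
            rows.append((m.group(1).lower(), args))
    return rows

def lint(conf):
    """Hypothetical helper: list findings for one virtual host's directives."""
    rows, findings = parse(conf), []
    fwd = {a[0]: a[1] for d, a in rows if d == 'proxypass' and len(a) > 1}
    rev = {a[0]: a[1] for d, a in rows if d == 'proxypassreverse' and len(a) > 1}
    for front, backend in fwd.items():
        back_path = urlsplit(backend).path.rstrip('/') or '/'
        # The thread's working config keeps the public path equal to the backend path (/auth).
        if (front.rstrip('/') or '/') != back_path:
            findings.append(f'path-mismatch: {front} -> {back_path}')
        if rev.get(front) != backend:
            findings.append(f'no-matching-proxypassreverse: {front}')
    proto = [a[0].lower() for d, a in rows
             if d == 'requestheader' and len(a) > 1 and a[1].lower() == 'x-forwarded-proto']
    if not proto:
        findings.append('x-forwarded-proto: missing')
    elif any(action != 'set' for action in proto):
        # "add" keeps a header the client sent; "set" replaces it.
        findings.append('x-forwarded-proto: not overwritten with set')
    return findings

if __name__ == '__main__':
    print(lint(BEFORE), lint(AFTER))
```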

