<div dir="ltr">Marko, Thanks for your feedback! <div><br></div><div>We have successfully passed that problem and are able to log in to KEYCLOAK behind NGINX using HTTPS Proxy. Our challenge now is when our applications attempt to access we get the following error:</div>
<ul>
<li><b>Request URL:</b> <code>https://sso2.company.com/auth/realms/master/tokens/access/codes</code></li>
<li><b>Request Method:</b> <code>POST</code></li>
<li><b>Status Code: <code>400 Bad Request</code></b></li>
<li><b>Remote Address:</b> <code>99.99.99.99:443</code></li>
</ul>
<p><b>Response Headers</b></p>
<ul>
<li><b>Connection:</b> <code>keep-alive</code></li>
<li><b>Content-Type:</b> <code>application/json</code></li>
<li><b>Date:</b> <code>Thu, 14 Jan 2016 14:35:52 GMT</code></li>
<li><b>Server:</b> <code>nginx/1.4.6 (Ubuntu)</code></li>
<li><b>Transfer-Encoding:</b> <code>chunked</code></li>
<li><b>X-Powered-By:</b> <code>Undertow/1</code></li>
</ul>
<p><b>Request Headers</b></p>
<ul>
<li><b>Accept:</b> <code>*/*</code></li>
<li><b>Accept-Encoding:</b> <code>gzip, deflate</code></li>
<li><b>Accept-Language:</b> <code>en-US,en;q=0.8</code></li>
<li><b>Authorization:</b> <code>Basic bXByLXBsYXRmb3JtOmU1MGYxODEyLTYzYTQtNGM0YS05NWQ</code></li>
<li><b>Connection:</b> <code>keep-alive</code></li>
<li><b>Content-Length:</b> <code>172</code></li>
<li><b>Content-type:</b> <code>application/x-www-form-urlencoded</code></li>
<li><b>Cookie:</b> <code>KEYCLOAK_IDENTITY=…</code></li>
<li><b>DNT:</b> <code>1</code></li>
<li><b>Host:</b> <code>sso2.company.com</code></li>
<li><b>Origin:</b> <code>http://app.local.company.com</code></li>
<li><b>Referer:</b> <code>http://app.local.company.com/App/</code></li>
<li><b>User-Agent:</b> <code>Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36</code></li>
</ul>
<p><b>Form Data</b></p>
<ul>
<li><b>code:</b> <code>Vyzj7f-Aq2anYTJy7AoK4e6h0s2Ypp0vQ6okx7lWlRo.d2acab15-f708-4838-bd4b-2562fd46f8e2</code></li>
<li><b>redirect_uri:</b> <code>http://app.local.company.com/App/</code></li>
</ul>
<div>Please do note that this same application is able to access KEYCLOAK using basically the same configuration without NGINX in the MIX. Have any thoughts as to what we should look to configure differently with NGINX in the mix?</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Jan 4, 2016 at 7:16 AM Marko Strukelj &lt;<a href="mailto:mstrukel@redhat.com">mstrukel@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">The error &#39;<code>org.apache.http.conn.HttpHostConnectException: Connection to https://sso2.domain.com refused</code>&#39; means that either there is a server side problem - your Nginx isn&#39;t started and listening on port 443, a firewall preventing incoming connections - or there is a client side problem - a DNS issue improperly resolving <code>sso2.domain.com</code> into IP on the host where Tomcat is running.<div><br></div><div>At this point no SSL handshaking was attempted yet.</div><div><br></div><div>If you try &#39;<code>curl https://sso2.domain.com</code>&#39; or &#39;<code>telnet sso2.domain.com 443</code>&#39; from the server running your Tomcat you&#39;ll see the same issue. Once that starts to work, only then will any SSL / proxying related configuration issues start to manifest themselves.</div></div><div class="gmail_extra"><div class="gmail_quote">On Wed, Dec 30, 2015 at 11:34 PM, Christopher Wallace <span dir="ltr">&lt;<a href="mailto:cjwallac@gmail.com" target="_blank">cjwallac@gmail.com</a>&gt;</span> wrote:<br></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Community, I have spent a decent amount of time attempting to get KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application. It does work without the proxy, but I need the proxy to handle certificates. I think I am pretty close to having it working, but something seems to be missing... I have done the following. I appreciate any insight you may have as I think I have exhausted other resources. <div><b><br></b></div><div><b>1. Configure a server in NGINX</b></div><div>
<pre style="font-size:0.9em;font-family:courrier,monospace;display:block;color:rgb(51,51,51);overflow:auto;padding:5px 15px 5px 25px;border:1px solid rgb(204,204,204);background-color:rgb(245,245,245)">server {
    listen   443;

    ssl    on;
    ssl_certificate    /etc/ssl/certs/dcf30de94f28f16f.crt;
    ssl_certificate_key    /etc/ssl/certs/*.domain.key;

    server_name sso2.domain.com;
    access_log /var/log/nginx/nginx.sso.access.log;
    error_log /var/log/nginx/nginx.sso.error.log;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
        proxy_pass http://internalip:8080;
    }
}</pre><p><b>2. Enable SSL on a Reverse Proxy</b></p><p>First add <code style="font-size:0.9em;font-family:courrier,monospace;white-space:nowrap">proxy-address-forwarding</code> and <code style="font-size:0.9em;font-family:courrier,monospace;white-space:nowrap">redirect-socket</code> to the <code style="font-size:0.9em;font-family:courrier,monospace;white-space:nowrap">http-listener</code> element:</p><pre style="font-size:0.9em;font-family:courrier,monospace;display:block;color:rgb(51,51,51);overflow:auto;padding:5px 15px 5px 25px;border:1px solid rgb(204,204,204);background-color:rgb(245,245,245)">&lt;subsystem xmlns=&quot;urn:jboss:domain:undertow:1.1&quot;&gt;
    ...
    &lt;http-listener name=&quot;default&quot; socket-binding=&quot;http&quot; proxy-address-forwarding=&quot;true&quot; redirect-socket=&quot;proxy-https&quot;/&gt;
    ...
&lt;/subsystem&gt;</pre><p>Then add a new <code style="font-size:0.9em;font-family:courrier,monospace;white-space:nowrap">socket-binding</code> element to the <code style="font-size:0.9em;font-family:courrier,monospace;white-space:nowrap">socket-binding-group</code> element:</p><p><a style="color:rgb(51,51,51);font-family:&#39;Lucida Grande&#39;,Geneva,Verdana,Arial,sans-serif;font-size:12px;line-height:18px;text-align:justify"></a></p><pre style="font-size:0.9em;font-family:courrier,monospace;display:block;color:rgb(51,51,51);overflow:auto;padding:5px 15px 5px 25px;border:1px solid rgb(204,204,204);background-color:rgb(245,245,245)">&lt;socket-binding-group name=&quot;standard-sockets&quot; default-interface=&quot;public&quot; port-offset=&quot;${jboss.socket.binding.port-offset:0}&quot;&gt;
    ...
    &lt;socket-binding name=&quot;proxy-https&quot; port=&quot;443&quot;/&gt;
    ...
&lt;/socket-binding-group&gt;</pre><p><b><br></b></p><p><b>RECEIVE THE FOLLOWING ERROR in TOMCAT:</b></p><pre style="font-size:0.9em;font-family:courrier,monospace;display:block;color:rgb(51,51,51);overflow:auto;padding:5px 15px 5px 25px;border:1px solid rgb(204,204,204);background-color:rgb(245,245,245)">1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator - failed to turn code into token
org.apache.http.conn.HttpHostConnectException: Connection to https://sso2.domain.com refused
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) ~[httpclient-4.2.1.jar:4.2.1]
        at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90) ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
        at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
        at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
        at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
        at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28) [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) [lib/:na]
        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [lib/:na]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [lib/:na]
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) [lib/:na]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [lib/:na]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) [lib/:na]
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) [tomcat-coyote.jar:8.0.18]
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) [tomcat-coyote.jar:8.0.18]
        at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) [tomcat-coyote.jar:8.0.18]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) [tomcat-coyote.jar:8.0.18]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) [tomcat-coyote.jar:8.0.18]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_25]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_25]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.18]
        at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25]
Caused by: java.net.ConnectException: Connection timed out
        at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25]
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345) ~[na:1.8.0_25]
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_25]
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_25]
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_25]
        at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]
        at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) ~[na:1.8.0_25]
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549) ~[httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.2.1.jar:4.2.1]
        ... 29 common frames omitted</pre></div></div>
<br></blockquote></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
</blockquote></div>
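<p>The staged diagnosis from Marko's reply (name resolution, then TCP connect, then TLS handshake), as an added example that is not part of the original thread or of Keycloak. The names <code>probe</code>, <code>closed_local_port</code> and <code>plain_http_listener</code> are hypothetical, and the two loopback fixtures are constructed so the script runs offline.</p>

```python
import socket
import ssl
import threading


def probe(host, port=443, timeout=3.0):
    """Walk the connection in order and report the first stage that fails.

    Returns (stage, detail) where stage is "dns", "tcp", "tls" or "ok".
    Run it on the host where the client (here: Tomcat) runs.
    """
    # Stage 1: name resolution as seen from this host.
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"cannot resolve {host}: {exc}"

    # Stage 2: plain TCP connect. "Refused" means nothing is listening on
    # the port; a timeout usually means packets are dropped on the way.
    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except OSError as exc:
        sock.close()
        return "tcp", f"{addr[0]}:{addr[1]} {type(exc).__name__}: {exc}"

    # Stage 3: TLS handshake with default certificate and hostname checks.
    # Only once this passes do proxy/HTTP-level problems become visible.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", f"{tls.version()} negotiated with {addr[0]}:{addr[1]}"
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        sock.close()
        return "tls", f"{type(exc).__name__}: {exc}"


def closed_local_port():
    """Constructed fixture: a loopback port with no listener behind it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def plain_http_listener():
    """Constructed fixture: a loopback listener that answers in plain HTTP,
    i.e. the port is open but the peer does not speak TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)  # swallow the TLS ClientHello
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe("127.0.0.1", closed_local_port()))    # fails at the tcp stage
    print(probe("127.0.0.1", plain_http_listener()))  # fails at the tls stage
```

A <code>tcp</code> result corresponds to the "Connection refused" / "Connection timed out" errors in the stack trace above; a <code>tls</code> result is the point at which certificate and proxy configuration start to matter.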