<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>Hello Matthias,</div>
<div> </div>
<div>we're running Keycloak 1.8 in similar setup, and this should would. But we don't have the "env=HTTPS" condition, as we set it up the headers as part of the SSL part.</div>
<div> </div>
<div>Could you verify that the headers are sent by Apache correctly? You could try the following: instead of starting keycloak on port 8080 you could start netcat:</div>
<div> </div>
<div>nc -l 8080</div>
<div> </div>
<div>This will print the request headers of the first request to your console.</div>
<div> </div>
<div>Best regards,</div>
<div>Alexander.</div>
<div> </div>
<div class="signature">--<br/>
Alexander Schwartz (alexander.schwartz@gmx.net)<br/>
http://www.ahus1.de</div>
<div>
<div>
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Gesendet:</b> Freitag, 26. Februar 2016 um 14:54 Uhr<br/>
<b>Von:</b> "Matthias Müller" <matthias_mueller@tu-dresden.de><br/>
<b>An:</b> 'keycloak-user' <keycloak-user@lists.jboss.org><br/>
<b>Betreff:</b> Re: [keycloak-user] Keycloak 1.9 behind Apache2 reverse proxy not working properly</div>
<div name="quoted-content"><!--p.MsoNormal, li.MsoNormal, div.MsoNormal {
margin: 0.0cm;
font-size: 12.0pt;
font-family: "Times New Roman" , serif;
}
a:link, span.MsoHyperlink {
color: blue;
text-decoration: underline;
}
a:visited, span.MsoHyperlinkFollowed {
color: purple;
text-decoration: underline;
}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph {
margin-top: 0.0cm;
margin-right: 0.0cm;
margin-bottom: 0.0cm;
margin-left: 36.0pt;
font-size: 12.0pt;
font-family: "Times New Roman" , serif;
}
span.E-MailFormatvorlage17 {
font-family: Calibri , sans-serif;
color: rgb(31,73,125);
}
*.MsoChpDefault {
font-family: Calibri , sans-serif;
}
div.WordSection1 {
page: WordSection1;
}
ol {
margin-bottom: 0.0cm;
}
ul {
margin-bottom: 0.0cm;
}
-->
<div>
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);">Yes. I’ve set up an HTTPS reverse proxy in Apache as usual with and added the required header:</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);">RequestHeader set X-Forwarded-Proto "https" env=HTTPS</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);">Then I edited /usr/local/keycloak/standalone/configuration/standalone.xml according to these instructions.</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);">From what I’ve seen there’s no difference in the responses between:</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);"> </span></p>
<p class="MsoListParagraph" style="text-indent: -18.0pt;"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);"><span>a)<span style="font: 7.0pt "Times New Roman";"> </span></span></span><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);">Configuring reverse proxy in Apache only</span></p>
<p class="MsoListParagraph" style="text-indent: -18.0pt;"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);"><span>b)<span style="font: 7.0pt "Times New Roman";"> </span></span></span><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);">Configuring reverse proxy in Apache AND editing standalone.xml</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);">In both cases the hostname is properly resolved, but not the protocol part.</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);">Cheers,</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);">Matthias</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);">p.s.: The documentation shows a configuration for an old release (1.1) of the undertow subsystem. Current is 3.0, which is also part of Keycloak distro. Is the configuration identical for both versions?</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt;font-family: Calibri , sans-serif;color: rgb(31,73,125);"> </span></p>
<p class="MsoNormal"><b><span style="font-size: 10.0pt;font-family: Tahoma , sans-serif;">From:</span></b><span style="font-size: 10.0pt;font-family: Tahoma , sans-serif;"> keycloak-user-bounces@lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] <b>On Behalf Of </b>Stian Thorgersen<br/>
<b>Sent:</b> Friday, February 26, 2016 1:36 PM<br/>
<b>To:</b> Matthias Müller<br/>
<b>Cc:</b> keycloak-user<br/>
<b>Subject:</b> Re: [keycloak-user] Keycloak 1.9 behind Apache2 reverse proxy not working properly</span></p>
<p class="MsoNormal"><span> </span></p>
<div>
<p class="MsoNormal">DId you follow documentation at <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e394" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e394</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On 26 February 2016 at 12:53, Matthias Müller <<a href="Matthias_Mueller@tu-dresden.de" target="_parent">Matthias_Mueller@tu-dresden.de</a>> wrote:</p>
<p class="MsoNormal">Does anyone have experiences with Keycloak 1.9 in an Apache2 reverse<br/>
proxy configuration?<br/>
<br/>
In my test setup I am running Keycloak as a standalone service on port<br/>
8080. It is proxied behind an Apache HTTP Server that manages the SSL<br/>
communication and forwards requests to localhost:8080. The Apache side<br/>
of the proxy is working. However, the administration console web page<br/>
(auth/admin/master/console/) still contains plain <a href="http://" target="_blank">http://</a>... links<br/>
(should be: <a href="https://" target="_blank">https://</a>) to the JS components which, of course, is invalid.<br/>
Obviously the Keycloak service does not see (or ignores) the X-Forwarded<br/>
headers.<br/>
<br/>
Am I missing something here?<br/>
<br/>
Cheers,<br/>
Matthias<br/>
<br/>
[1]:<br/>
<a href="http://auth.domain.org/auth/resources/1.9.0.final/admin/keycloak/lib/select2-3.4.1/select2.js" target="_blank">http://auth.domain.org/auth/resources/1.9.0.final/admin/keycloak/lib/select2-3.4.1/select2.js</a><br/>
_______________________________________________<br/>
keycloak-user mailing list<br/>
<a href="keycloak-user@lists.jboss.org" target="_parent">keycloak-user@lists.jboss.org</a><br/>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></p>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
_______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div>
</div>
</div>
</div>
</div></div></body></html>