<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Sprechblasentext Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.E-MailFormatvorlage18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.SprechblasentextZchn
{mso-style-name:"Sprechblasentext Zchn";
mso-style-priority:99;
mso-style-link:Sprechblasentext;
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Alexander,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>thanks a lot for the debug hint which put me on the right track. Though the "env=HTTPS" condition was not the issue here, I could clearly see, that “X-Forwarded-Proto” was not set in the HTTP headers. – Surely a mistake in my Apache setup that did not properly include the statement. It is now fixed and Keycloak works as expected.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Cheers,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Matthias<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> keycloak-user-bounces@lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] <b>On Behalf Of </b>Alexander Schwartz<br><b>Sent:</b> Friday, February 26, 2016 9:50 PM<br><b>To:</b> 'keycloak-user'<br><b>Subject:</b> Re: [keycloak-user] Keycloak 1.9 behind Apache2 reverse proxy not working properly<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>Hello Matthias,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>we're running Keycloak 1.8 in similar setup, and this should would. But we don't have the "env=HTTPS" condition, as we set it up the headers as part of the SSL part.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>Could you verify that the headers are sent by Apache correctly? You could try the following: instead of starting keycloak on port 8080 you could start netcat:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>nc -l 8080<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>This will print the request headers of the first request to your console.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>Best regards,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>Alexander.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>--<br>Alexander Schwartz (<a href="mailto:alexander.schwartz@gmx.net">alexander.schwartz@gmx.net</a>)<br><a href="http://www.ahus1.de">http://www.ahus1.de</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> <o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> <o:p></o:p></span></p><div style='border:none;border-left:solid #C3D9E5 1.5pt;padding:0cm 0cm 0cm 8.0pt;margin-left:7.5pt;margin-top:7.5pt;margin-right:3.75pt;margin-bottom:3.75pt;word-wrap: break-word;-webkit-nbsp-mode: space;-webkit-line-break: after-white-space' name=quote><div style='margin-bottom:7.5pt'><p class=MsoNormal><b><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>Gesendet:</span></b><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> Freitag, 26. Februar 2016 um 14:54 Uhr<br><b>Von:</b> "Matthias Müller" <<a href="mailto:matthias_mueller@tu-dresden.de">matthias_mueller@tu-dresden.de</a>><br><b>An:</b> 'keycloak-user' <<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br><b>Betreff:</b> Re: [keycloak-user] Keycloak 1.9 behind Apache2 reverse proxy not working properly<o:p></o:p></span></p></div><div name=quoted-content><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Yes. I’ve set up an HTTPS reverse proxy in Apache as usual with and added the required header:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>RequestHeader set X-Forwarded-Proto "https" env=HTTPS</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Then I edited /usr/local/keycloak/standalone/configuration/standalone.xml according to these instructions.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>From what I’ve seen there’s no difference in the responses between:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>a)</span><span style='font-size:7.0pt;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Configuring reverse proxy in Apache only</span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>b)</span><span style='font-size:7.0pt;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Configuring reverse proxy in Apache AND editing standalone.xml</span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In both cases the hostname is properly resolved, but not the protocol part.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Cheers,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Matthias</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>p.s.: The documentation shows a configuration for an old release (1.1) of the undertow subsystem. Current is 3.0, which is also part of Keycloak distro. Is the configuration identical for both versions?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> </span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><a href="mailto:keycloak-user-bounces@lists.jboss.org"><span lang=EN-US>keycloak-user-bounces@lists.jboss.org</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> [</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><a href="mailto:keycloak-user-bounces@lists.jboss.org"><span lang=EN-US>mailto:keycloak-user-bounces@lists.jboss.org</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>] <b>On Behalf Of </b>Stian Thorgersen<br><b>Sent:</b> Friday, February 26, 2016 1:36 PM<br><b>To:</b> Matthias Müller<br><b>Cc:</b> keycloak-user<br><b>Subject:</b> Re: [keycloak-user] Keycloak 1.9 behind Apache2 reverse proxy not working properly</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>DId you follow documentation at <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e394" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e394</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On 26 February 2016 at 12:53, Matthias Müller <<a href="Matthias_Mueller@tu-dresden.de" target="_parent">Matthias_Mueller@tu-dresden.de</a>> wrote:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Does anyone have experiences with Keycloak 1.9 in an Apache2 reverse<br>proxy configuration?<br><br>In my test setup I am running Keycloak as a standalone service on port<br>8080. It is proxied behind an Apache HTTP Server that manages the SSL<br>communication and forwards requests to localhost:8080. The Apache side<br>of the proxy is working. However, the administration console web page<br>(auth/admin/master/console/) still contains plain <a href="http://" target="_blank">http://</a>... links<br>(should be: <a href="https://" target="_blank">https://</a>) to the JS components which, of course, is invalid.<br>Obviously the Keycloak service does not see (or ignores) the X-Forwarded<br>headers.<br><br>Am I missing something here?<br><br>Cheers,<br>Matthias<br><br>[1]:<br><a href="http://auth.domain.org/auth/resources/1.9.0.final/admin/keycloak/lib/select2-3.4.1/select2.js" target="_blank">http://auth.domain.org/auth/resources/1.9.0.final/admin/keycloak/lib/select2-3.4.1/select2.js</a><br>_______________________________________________<br>keycloak-user mailing list<br><a href="keycloak-user@lists.jboss.org" target="_parent">keycloak-user@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>_______________________________________________ keycloak-user mailing list </span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'><a href="mailto:keycloak-user@lists.jboss.org"><span lang=EN-US>keycloak-user@lists.jboss.org</span></a></span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> </span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank"><span lang=EN-US>https://lists.jboss.org/mailman/listinfo/keycloak-user</span></a></span><span lang=EN-US style='font-size:9.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p></div></div></div></div></div></div></div></body></html>