<div dir="ltr">You may be missing the ProxyPeerHandler filter registration with your Undertow subsystem. Below is an example of running Keycloak behind a stock standard Apache reverse proxy configuration with the corresponding Undertow subsystem configuration.<div><br></div><div>I never understood what that <font face="monospace, monospace" size="1">proxy-https</font> port configuration in the binding was good for (I think it's a copy-paste habit or legacy); using the default 8443 one has always worked for me.</div><div><br></div>
<pre>
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <ajp-listener name="ajp-default" socket-binding="ajp" redirect-socket="<font color="#ff0000">https</font>" scheme="<font color="#ff0000">https</font>"/>
        <http-listener name="http-default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="<font color="#ff0000">true</font>"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
            <font color="#ff0000"><filter-ref name="proxy-peer"/></font>
            <filter-ref name="request-dumper" priority="30"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
        <!-- proxy-peer takes scheme and client address from the X-Forwarded-* headers the proxy sets -->
        <font color="#ff0000"><filter name="proxy-peer" module="io.undertow.core" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/></font>
        <!-- request-dumper logs full request/response details (headers, cookies); a debugging aid -->
        <filter name="request-dumper" module="io.undertow.core" class-name="io.undertow.server.handlers.RequestDumpingHandler"/>
    </filters>
</subsystem>
</pre>
<div><br></div><div>The socket config</div><div><br></div>
<pre>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
    <socket-binding name="<font color="#ff0000">ajp</font>" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="<font color="#ff0000">https</font>" port="${jboss.https.port:8443}"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
</socket-binding-group>
</pre>
<div><br></div><div>And the minimalistic snippet that goes into the Apache vhost config (Apache 2.4)</div><div><br></div>
<pre>
<VirtualHost *:80>
    DocumentRoot /var/www
    ServerName your.server.com
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
    ... logging config
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www
    ServerName your.server.com
    ... ssl config

    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        # mod_proxy_http adds X-Forwarded-For on its own; the scheme has to be set here
        RequestHeader set X-Forwarded-Proto "https"
        Require all granted
    </Proxy>

    # ajp works a charm
    ProxyPass /auth ajp://127.0.0.1:8009/auth
    ProxyPassReverse /auth ajp://127.0.0.1:8009/auth

    # or hit the http port (instead of the ajp pair above; first matching ProxyPass wins)
    #ProxyPass /auth http://127.0.0.1:8080/auth
    #ProxyPassReverse /auth http://127.0.0.1:8080/auth

    ... logging config
</VirtualHost>
</pre>
<div><br></div><div>Hope this solves your problem.</div><div><br></div><div>Cheers,</div><div>Niels</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 22, 2016 at 7:21 AM, Derek Visch <span dir="ltr"><<a href="mailto:derek.visch@gmail.com" target="_blank">derek.visch@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Trying to set up reverse SSL for Keycloak.
Having issues finding documentation about this; it's mentioned in <a href="https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.0/topics/network/https.html" target="_blank">https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.0/topics/network/https.html</a>, but the extra detail that's supposed to be in <a href="https://keycloak.gitbooks.io/server-adminstration-guide/content/" target="_blank">https://keycloak.gitbooks.io/server-adminstration-guide/content/</a> I could not find in regards to reverse SSL proxies.<div><br></div><div>Regardless, I ended up following <a href="http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html</a></div><div><br></div><div>From that previous mailing list post:<br><br></div><div><pre style="color:rgb(0,0,0)">Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to. This is done by editing standalone/configuration/standalone.xml.
First add proxy-address-forwarding and redirect-socket to the http-listener element:
<subsystem xmlns="urn:jboss:domain:undertow:1.1">
...
<http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
...
</subsystem>
Then add a new socket-binding element to the socket-binding-group element:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
...
<socket-binding name="proxy-https" port="443"/>
...
</socket-binding-group></pre></div><div><br></div><div>but now when I go to log on to the admin console I get "We're sorry ... Invalid parameter: redirect uri".</div><div><br></div><div>Tried Stack Overflow / Google / IRC. No luck so far.</div><div><br></div><div>Any help would be appreciated :D</div><div><br></div><div>Thanks</div><div><br></div><div><br>
</div></div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
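What proxy-address-forwarding changes for the application, which both messages above depend on, as an added example that is not code from the thread: a small Python model of the scheme, host and client address an application sees behind the Apache proxy, with the header handling switched on and off. The `Listener` and `Request` types, the header precedence rules and the constructed sample addresses are this example's assumptions, not Undertow's implementation.

```python
# Added example, not code from the thread: a simplified model of what an
# application behind the reverse proxy sees with and without
# proxy-address-forwarding. Header names are the X-Forwarded-* headers the
# thread's Apache config sets; the precedence rules are this model's own
# assumptions, not Undertow's source.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Listener:
    scheme: str                     # scheme of the socket the request arrived on
    proxy_address_forwarding: bool  # the http-listener attribute from the thread

@dataclass(frozen=True)
class Request:
    peer_ip: str                    # TCP peer; the proxy itself when proxied
    headers: dict = field(default_factory=dict)

def effective_view(listener: Listener, req: Request) -> dict:
    """Scheme, host and client address as the application will see them."""
    h = {k.lower(): v for k, v in req.headers.items()}
    scheme, client_ip = listener.scheme, req.peer_ip
    if listener.proxy_address_forwarding:
        # The headers are taken at face value, whoever sent them, so this is
        # only safe when nothing but the proxy can reach this listener.
        scheme = h.get("x-forwarded-proto", scheme).lower()
        xff = h.get("x-forwarded-for", "")
        if xff:
            client_ip = xff.split(",")[0].strip()  # original client is first
    return {"scheme": scheme, "host": h.get("host", ""), "client_ip": client_ip}

def base_url(listener: Listener, req: Request) -> str:
    """Base URL used for self-referencing links, e.g. the admin console redirect."""
    v = effective_view(listener, req)
    return f"{v['scheme']}://{v['host']}"

# Constructed sample: a browser at 203.0.113.7 reaches Apache on :443, which
# forwards to the http listener on 127.0.0.1 with ProxyPreserveHost On.
PROXIED = Request("127.0.0.1", {
    "Host": "your.server.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-For": "203.0.113.7",
})

if __name__ == "__main__":
    for fwd in (True, False):
        print(fwd, base_url(Listener("http", fwd), PROXIED), effective_view(Listener("http", fwd), PROXIED)["client_ip"])
```

With forwarding off, every request looks like plain http from 127.0.0.1, so generated URLs carry the wrong scheme and any per-client logic (logging, brute-force lockouts) sees only the proxy's address.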