<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">We have some docs for this here <a
        class="moz-txt-link-freetext"
href="https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/clustering/load-balancer.html">https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/clustering/load-balancer.html</a><br>
      <br>
      Marek<br>
      <br>
      On 01/08/16 22:58, Derek Visch wrote:<br>
    </div>
    <blockquote
cite="mid:CADhyb+FX_FhRn2NFqux3NcEDs8YDweD1MVLq5pZKM25OJ01Uow@mail.gmail.com"
      type="cite">
      <div dir="ltr">Ended up figuring this out. Just to save whatever
        poor soul has to go down the same/similar path, here's what I
        did. I'm curious why I didn't get any errors when running
        Keycloak with debug logging turned on, as this must be some kind
        of host re-write problem with WildFly/Keycloak. <br>
        <div><br>
        </div>
        <div>First, the only configuration I had to set in standalone.xml
          was the following (I removed all the other custom configurations I had in
          place; the rest is the vanilla standalone.xml):</div>
        <div><font face="monospace, monospace" size="1">&lt;http-listener
            name="http-default" socket-binding="http"
            redirect-socket="https" </font><span
            style="background-color:rgb(255,255,0)"><span
              style="font-family:monospace,monospace;font-size:x-small">proxy-address-forwarding="</span><font
              style="font-family:monospace,monospace;font-size:x-small"
              color="#ff0000">true</font><span
              style="font-family:monospace,monospace;font-size:x-small">"</span></span><span
            style="font-family:monospace,monospace;font-size:x-small">/&gt;</span><br>
        </div>
        <div><span
            style="font-family:monospace,monospace;font-size:x-small"><br>
          </span></div>
        <div><span
            style="font-family:monospace,monospace;font-size:x-small">Wildfly10
            Docs for this: </span><font face="monospace, monospace"
            size="1"><a moz-do-not-send="true"
href="https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration">https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration</a></font></div>
        <div><span
            style="font-family:monospace,monospace;font-size:x-small"><br>
          </span></div>
        <div><font face="arial, helvetica, sans-serif">Nginx
            configuration:</font></div>
        <div><font face="arial, helvetica, sans-serif"><br>
          </font></div>
        <div><font face="arial, helvetica, sans-serif">
            <pre>server {
  listen 80;
  server_name keycloak_testing.leveldatadevelopment.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name keycloak_testing.leveldatadevelopment.com;

  ssl_certificate /etc/nginx/ssl/star.leveldatadevelopment.com.crt;
  ssl_certificate_key /etc/nginx/ssl/star.leveldatadevelopment.com.key;

  location / {
    proxy_set_header        <b>Host $host</b>;
    proxy_set_header        X-Real-IP $remote_addr; #<b>Not sure this is needed for wildfly/keycloak</b>
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect http:// https://;

    proxy_pass http://0.0.0.0:8080;
  }
}</pre>
            <div><br>
            </div>
            <div><br>
            </div>
            <div>Note the different Host: with Host $host:$server_port;
              I receive a white page when logging into the admin URL. <b>Why
                would this happen</b>? The only mention of the Host header I
              could find in the WildFly documentation is <a
                moz-do-not-send="true"
href="https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration">https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration</a></div>
            <div><br>
            </div>
            <div><br>
            </div>
            <div>Also to get past the invalid_redirect_uri issue, </div>
            <div><br>
            </div>
            <div>
              <ol>
                <li>Run keycloak locally</li>
                <li>Go to the Clients settings in the Master Realm</li>
                <li>Click edit on the security-admin-console client ID
                  (you may also have to do this with the account client
                  ID; I'm not certain)</li>
                <li>Add valid redirect URIs for your new domain, for
                  example <a moz-do-not-send="true"
                    href="https://website.com/*">https://website.com/*</a>
                  (the docs tell you to be as limited as possible with these,
                  so in production limit down your redirect URIs as
                  much as possible)</li>
              </ol>
              <div>Hope this helps someone in the future! What do you
                think? Should this be added to the documentation
                somewhere, or should some kind of error be thrown in this
                circumstance? I'm not certain if it's WildFly or
                Keycloak causing this to happen; I didn't dig quite hard
                enough to find out :( </div>
            </div>
            <div><br>
            </div>
            <div><br>
            </div>
            <div><br>
            </div>
          </font></div>
        <div><span
            style="font-family:monospace,monospace;font-size:x-small"><br>
          </span></div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Thu, Jul 21, 2016 at 5:21 PM,
            Derek Visch <span dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:derek.visch@gmail.com" target="_blank">derek.visch@gmail.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">Trying to set up reverse SSL for Keycloak.
                Having issues finding documentation about this; it's
                mentioned in <a moz-do-not-send="true"
href="https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.0/topics/network/https.html"
                  target="_blank">https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.0/topics/network/https.html</a>
                but the extra detail that's supposed to be in <a
                  moz-do-not-send="true"
                  href="https://keycloak.gitbooks.io/server-adminstration-guide/content/"
                  target="_blank">https://keycloak.gitbooks.io/server-adminstration-guide/content/</a>
                I could not find in regard to reverse SSL proxies.
                <div><br>
                </div>
                <div>Regardless I ended up following <a
                    moz-do-not-send="true"
href="http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html"
                    target="_blank">http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html</a> </div>
                <div><br>
                </div>
                <div>From that previous mailing list post:<br>
                  <br>
                </div>
                <div>
                  <pre style="color:rgb(0,0,0)">Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to. This is done by editing standalone/configuration/standalone.xml.

First add proxy-address-forwarding and redirect-socket to the http-listener element:

&lt;subsystem xmlns="urn:jboss:domain:undertow:1.1"&gt;
    ...
    &lt;http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/&gt;
    ...
&lt;/subsystem&gt;

Then add a new socket-binding element to the socket-binding-group element:

&lt;socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"&gt;
    ...
    &lt;socket-binding name="proxy-https" port="443"/&gt;
    ...
&lt;/socket-binding-group&gt;</pre>
                </div>
                <div><br>
                </div>
                <div><br>
                </div>
                <div>but now when I go to log on to the admin console I
                  get "We're sorry ... Invalid parameter: redirect
                  uri". </div>
                <div><br>
                </div>
                <div><br>
                </div>
                <div><br>
                </div>
                <div>Tried stack overflow / google / IRC. No luck so
                  far. </div>
                <div><br>
                </div>
                <div>Any help would be appreciated :D</div>
                <div><br>
                </div>
                <div>Thanks</div>
                <div><br>
                </div>
                <div><br>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
          <br clear="all">
          <div><br>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
    </blockquote>
    <br>
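    <p>The redirect URI error discussed in this thread can be reproduced with a small model. This is an added example, not code from the thread's participants or from Keycloak or WildFly. It assumes a hypothetical host sso.example.test, a relative client pattern for the admin console, and a simplified matching rule (exact match, or prefix match when the pattern ends in *).</p>

```python
# Added example: a simplified model, not Keycloak or WildFly source code.

def request_base(headers, forwarding, listener_scheme="http"):
    """Base URL the backend believes the browser used (assumed model).

    With proxy-address-forwarding on, the scheme comes from
    X-Forwarded-Proto; otherwise the plain-HTTP listener's scheme is used.
    """
    scheme = listener_scheme
    if forwarding and "X-Forwarded-Proto" in headers:
        scheme = headers["X-Forwarded-Proto"]
    return scheme + "://" + headers["Host"]


def redirect_allowed(redirect_uri, patterns, base):
    """Exact match, or prefix match when the pattern ends in '*'.

    Patterns starting with '/' are relative and are resolved against base.
    """
    for pattern in patterns:
        if pattern.startswith("/"):
            pattern = base + pattern
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


# Constructed sample: headers an nginx location block like the one in the
# thread forwards (Host $host, X-Forwarded-Proto $scheme).
FORWARDED = {"Host": "sso.example.test", "X-Forwarded-Proto": "https"}
# redirect_uri the browser sends when opening the admin console over TLS.
CONSOLE = "https://sso.example.test/auth/admin/master/console/"
RELATIVE = ["/auth/admin/master/console/*"]  # assumed relative pattern
NARROW = ["https://sso.example.test/auth/admin/master/console/*"]


def demo():
    on = request_base(FORWARDED, forwarding=True)
    off = request_base(FORWARDED, forwarding=False)
    return {
        "forwarding_on": redirect_allowed(CONSOLE, RELATIVE, on),
        "forwarding_off": redirect_allowed(CONSOLE, RELATIVE, off),
        "absolute_wildcard": redirect_allowed(
            CONSOLE, ["https://sso.example.test/*"], off),
        "narrow_other_path": redirect_allowed(
            "https://sso.example.test/other/cb", NARROW, on),
    }
```

    <p>In this model the relative pattern only matches once the backend sees the forwarded scheme. An absolute wildcard pattern also matches, and the narrower pattern shows what a production redirect list should still reject.</p>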
  </body>
</html>