[undertow-dev] How to configure Undertow programmatically at runtime within Wildfly?

Thomas Darimont thomas.darimont at googlemail.com
Tue Aug 9 05:04:50 EDT 2016


Hello Stuart,

thanks for your help :)

My current understanding is that I need to proxy requests that are sent to
a virtual host created
at runtime by the Keycloak deployment and Keycloak would add some
additional headers with auth information
and take care of authentication if necessary.

Since this can be configured at runtime I don't see how I could use the
ServletExtension (which is to my knowledge
applied at start-time) to dynamically register virtual hosts with Undertow.

The workflow is as follows:

So an admin would create a new "proxied" client configuration in the
Keycloak admin console where
he would configure the name for a new virtual host and a target url.

E.g. if the keycloak servername is "sso.acme.com" a user would create
a proxied client with the following configuration:
* clientid: app1
* virtual host: app1.acme.com
* target url: https://myapp1.com/app
* Header Mapping: key value pairs with header name to (dynamic) expression
mapping to inject in the proxied request
* Certificate / public / private key

The certificate is used to provide TLS for app1.acme.com - one could also
use a wildcard cert here or generate
the cert on the server on client setup.

With that in place requests sent to: https://app1.acme.com/
should be proxied to: https://myapp1.com/app/
The DNS name app1.acme.com would of course resolve to the IP of sso.acme.com.

A purely path-based solution would be to define a proxy endpoint like
https://sso.acme.com/proxy/ which then
proxies all requests sent to https://sso.acme.com/proxy/app1 to
https://myapp1.com/app.

The servlet-based approach could easily be done with Servlets or
JAX-RS endpoints, but I still wonder how the dynamic vhost registration
could be done.

Cheers,
Thomas

2016-08-09 5:50 GMT+02:00 Stuart Douglas <sdouglas at redhat.com>:

> So does this need to proxy all requests, or just requests targeted at
> the keycloak deployment? If it is the latter then you could just use
> ServletExtension to set up the ProxyHandler.
>
> Stuart
>
> On Tue, Aug 9, 2016 at 6:35 AM, Thomas Darimont
> <thomas.darimont at googlemail.com> wrote:
> > Hello list,
> >
> > I'm currently working on embedding Keycloak's currently dedicated Proxy
> > Server into Keycloak itself.
> > For this I need to be able to dynamically configure Undertow's ProxyHandler
> > and register VirtualHosts at runtime.
> > For reference the discussion thread on keycloak-dev ML: [1]
> >
> > Keycloak uses the Undertow Subsystem provided by Wildfly 10 which is
> > configured via the standalone(-ha).xml.
> >
> > I could already configure a reverse-proxy and additional hosts via jboss-cli
> > but I wonder whether there is an API
> > that I could use to get access to the undertow infrastructure from within a
> > JAX-RS endpoint.
> > I could probably also use the wildfly management client API or perhaps do
> > something via JMX.
> >
> > Would be great if someone could give me a tip or an example for registering
> > / configuring Undertow Handler or Virtual Hosts as described above.
> >
> > Btw. I saw that Undertow ships with a
> > io.undertow.server.handlers.proxy.HostTable but I couldn't find
> > any usage of it in the Undertow codebase - did I miss something or is this
> > dead code?
> >
> > FYI current code of Keycloak dedicated Proxy Server (uses embedded undertow)
> > can be found here: [0]
> >
> > Cheers,
> > Thomas
> > [0] https://github.com/keycloak/keycloak/tree/master/proxy
> > [1] http://lists.jboss.org/pipermail/keycloak-dev/2016-August/007742.html
> >
> >
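An added sketch, not code from this thread, Keycloak or Undertow, of the per-client virtual host and header mapping described in the message above. It assumes embedded Undertow rather than the WildFly subsystem (the thread leaves the WildFly-side API open), constant header values instead of dynamic expressions, and a plain-HTTP backend; the class name, method names, ports, target and `X-Auth-User` are hypothetical sample values.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.NameVirtualHostHandler;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.server.handlers.proxy.LoadBalancingProxyClient;
import io.undertow.server.handlers.proxy.ProxyHandler;
import io.undertow.util.HttpString;
import java.net.URI;
import java.util.Collections;
import java.util.Map;

// Hypothetical registry: one proxied client = one virtual host + target + header mapping.
public class DynamicVhostProxy {
    // Hosts can be added to and removed from this handler while the server is running.
    private final NameVirtualHostHandler vhosts = new NameVirtualHostHandler();

    public DynamicVhostProxy() {
        // Requests for an unregistered Host get a 404 instead of reaching some other backend.
        vhosts.setDefaultHandler(ResponseCodeHandler.HANDLE_404);
    }

    public void register(String virtualHost, URI target, Map<String, String> headerMapping) {
        // An https target additionally needs an XnioSsl passed to addHost.
        LoadBalancingProxyClient client = new LoadBalancingProxyClient().addHost(target);
        ProxyHandler proxy = new ProxyHandler(client, 30000, ResponseCodeHandler.HANDLE_404);
        // Headers the proxy injects into every proxied request (constant values here).
        headerMapping.forEach((name, value) -> proxy.addRequestHeader(new HttpString(name), value));
        HttpHandler stripThenProxy = exchange -> {
            // Drop client-supplied copies of the injected headers, so the backend
            // only ever sees values set by the proxy.
            for (String name : headerMapping.keySet()) {
                exchange.getRequestHeaders().remove(name);
            }
            proxy.handleRequest(exchange);
        };
        vhosts.addHost(virtualHost, stripThenProxy);
    }

    public void unregister(String virtualHost) {
        vhosts.removeHost(virtualHost);
    }

    public static void main(String[] args) {
        DynamicVhostProxy registry = new DynamicVhostProxy();
        Undertow.builder().addHttpListener(8080, "localhost")
                .setHandler(registry.vhosts).build().start();
        // Registered after start(): constructed sample client, not taken from the thread.
        registry.register("app1.acme.com", URI.create("http://localhost:9090/app"),
                Collections.singletonMap("X-Auth-User", "alice"));
    }
}
```

The backend should accept the injected headers only from the proxy's address, since anyone who can reach it directly can set them freely.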