<div dir="ltr">Hello Stuart,<div><br></div><div>thanks for your help :)</div><div><br></div><div>My current understanding is that I need to proxy requests that are sent to a virtual host created </div><div>at runtime by the Keycloak deployment and Keycloak would add some additional headers with auth information</div><div>and takes care of authentication of necessary.</div><div><br></div><div>Since this can be configured at runtime I don't see how I could use the ServletExtension (which is to my knowledge </div><div>applied at start-time) to dynamically register virtual hosts with Undertow.</div><div><br></div><div>The workflow is as follows:</div><div><br></div><div>So an admin would create a new "proxied" client configuration in the Keycloak admin console where </div><div>he would configure the name for a new virtual host and a target url.</div><div><br></div><div>E.g. if the keycloak servername is "<a href="http://sso.acme.com">sso.acme.com</a>" a user would create proxied client with the following configuration:</div><div>* clientid: app1</div><div>* virtual host: <a href="http://app1.acme.com">app1.acme.com</a></div><div>* target url: <a href="https://myapp1.com/app">https://myapp1.com/app</a></div><div>* Header Mapping: key value pairs with header name to (dynamic) expression mapping to inject in the proxied request</div><div>* Certificate / public / private key</div><div><br></div><div><div>The certificate is used to provide TLS for <a href="http://app1.acme.com">app1.acme.com</a> - one could also use a wildcard cert here or generate </div><div>the cert on the server on client setup.</div></div><div><br></div><div>With that in place requests sent to: <a href="https://app1.acme.com/">https://app1.acme.com/</a> </div><div>should be proxied to: <a href="https://myapp1.com/app/">https://myapp1.com/app/</a></div><div>The DNS name <a href="http://app1.acme.com">app1.acme.com</a> would of course resolve to the IP of <a href="http://sso.acme.com">sso.acme.com</a>.</div><div><br></div><div>A purely path-based solution would be to define a proxy endpoint like <a href="https://sso.acme.com/proxy/">https://sso.acme.com/proxy/</a> which then </div><div>proxies all requests sent to <a href="https://sso.acme.com/proxy/app1">https://sso.acme.com/proxy/app1</a> to <a href="https://myapp1.com/app">https://myapp1.com/app</a>.</div><div><br></div><div>The servlet based approach could be done easily done with Servlets or JAX-RS endpoints, but I still wonder how the dynamic vhost registration could be done.</div><div><br></div><div>Cheers,</div><div>Thomas</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-08-09 5:50 GMT+02:00 Stuart Douglas <span dir="ltr"><<a href="mailto:sdouglas@redhat.com" target="_blank">sdouglas@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">So does this need to proxy all requests, or just requests targeted at<br>
the keycloak deployment? If it is the later then you could just use<br>
ServletExtension to set up the ProxyHandler.<br>
<br>
Stuart<br>
<div><div class="h5"><br>
On Tue, Aug 9, 2016 at 6:35 AM, Thomas Darimont<br>
<<a href="mailto:thomas.darimont@googlemail.com">thomas.darimont@googlemail.<wbr>com</a>> wrote:<br>
> Hello list,<br>
><br>
> I'm currently working on embedding Keycloak's currently dedicated Proxy<br>
> Server into Keycloak itself.<br>
> For this I need to be able to dynamically configure Undertow's ProxyHandler<br>
> and register VirtualHosts at runtime.<br>
> For reference the discussion thread on keycloak-dev ML: [1]<br>
><br>
> Keycloak uses the Undertow Subsystem provided by Wildfly 10 which is<br>
> configured via the standalone(-ha).xml.<br>
><br>
> I could already configure a reverse-proxy and additional hosts via jboss-cli<br>
> but I wonder whether there is an API<br>
> that I could use to get access to the undertow infrastructure from within a<br>
> JAX-RS endpoint.<br>
> I could probably also use the wildfly management client API or perhaps do<br>
> something via JMX.<br>
><br>
> Would be great if someone could give me a tip or an example for registering<br>
> / configuring Undertow Handler or Virtual Hosts as described above.<br>
><br>
> Btw. I saw that Undertow ships with a<br>
> io.undertow.server.handlers.<wbr>proxy.HostTable but I couldn't find<br>
> any usage of it in the Undertow codebase - did I miss something or is this<br>
> dead code?<br>
><br>
> FYI current code of Keycloak dedicated Proxy Server (uses embedded undertow)<br>
> can be found here: [0]<br>
><br>
> Cherrs,<br>
> Thomas<br>
> [0] <a href="https://github.com/keycloak/keycloak/tree/master/proxy" rel="noreferrer" target="_blank">https://github.com/keycloak/<wbr>keycloak/tree/master/proxy</a><br>
> [1] <a href="http://lists.jboss.org/pipermail/keycloak-dev/2016-August/007742.html" rel="noreferrer" target="_blank">http://lists.jboss.org/<wbr>pipermail/keycloak-dev/2016-<wbr>August/007742.html</a><br>
><br>
><br>
</div></div>> ______________________________<wbr>_________________<br>
> undertow-dev mailing list<br>
> <a href="mailto:undertow-dev@lists.jboss.org">undertow-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/undertow-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/undertow-dev</a><br>
</blockquote></div><br></div>