To avoid sending all traffic through a proxy it would be better to either:
* Use round-robin DNS
* Use HTTP redirect from
http://frontend:8080 to
http://backend-node1:8080
However, neither what you propose or HTTP redirect would work with cookies. Round-robin
DNS would though and IMO that's the cleanest way to do it.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Monday, 29 September, 2014 8:38:58 AM
Subject: [keycloak-dev] Resolving of relative redirectUri in cluster
I wonder if it's ok to add possibility to WildFly/AS7 adapter for
alternative resolving of relative redirectUris. Currently it's always
retrieved from HTTP request sent by browser (ie. with relative uri
"/auth" and HTTP request is "http://localhost:8080/customer-portal"
then
adapter is able to resolve the URI to "http://localhost:8080/auth"). Is
it ok to have possibility (perhaps boolean config option on adapter like
"preserve-hostname") to resolve them from the actual hostname instead of
browser request? Usually it's not much difference, but in cluster there
might be scenario like:
- Setup with loadbalancer on "http://frontend:8080" and 2 backend
cluster nodes "http://backend-node1:8080" and
"http://backend-node2:8080"
- Then user filled login form. Now assume that request request with
code+state is processed on
"http://backend-node1:8080/customer-portal?code=...&state=..." . Now
adapter sends codeToToken exchanging request to relative URI, which is
resolved from browser to "http://frontend:8080". So adapter sends
request to loadbalancer, which is then resended back to one of backend
nodes. So 2 additional network hops needed.
So when there is possibility to resolve relative URI from hostname, then
backend-node1 will send exchanging request to itself instead of going
through loadbalancer. In cluster it should help to save performance and
reduce network communication.
Note that this will be configurable and will be used by adapters just
for backend requests (codeToToken, refresh token etc). All browser
redirects will still need to go through loadbalancer IMO, in usual
cluster environments are cluster nodes hidden in private network and URI
like "http://backend-node1:8080/auth" may not be available for users.
wdyt?
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev