On 03/05/2016 10:55 AM, Adam Young wrote:
On 03/05/2016 07:27 AM, Bill Burke wrote:
> The only thing I can think of is that the server is binding to localhost
> and not a real IP address?
> BTW, why would you want to put Apache in front of Keycloak? Or is this
> just an application? Last time I looked at bench, undertow/wildfly
> performs and scales better than Apache HTTPD even for static content.
This is for the OpenStack undercloud. Scalability is not the issue.
Limiting the number of VMs required is the constraint. I am deploying
Keycloak on the FreeIPA (RH IdM) server which already owns ports 80/443
and has TLS set up. Keycloak has to co-exist with both the WSGI apps for
IPA management and the Java Tomcat app for Dogtag/Certificates.
I'd love it if systemd provided a means to do socket activation for Java
Apps running in JBoss. Until then, JBoss is going to be proxied behind
something that can listen on 443 as a non-privileged user. The rest of
OpenStack that runs on non-httpd Python webservers is fronted with HA
proxy. But we don't do HA proxy for the undercloud.
And turns out it is already set up if you use the ha configuration.
I am using the following line to run Keycloak from systemd:
-Djboss.socket.binding.port-offset=100 -c standalone-ha.xml
Seems to work OK. I think something is wrong if I do a restart, as it does
not seem to let the AS completely shut down before starting up again, but
systemctl stop and systemctl start work OK.
> On 3/4/2016 9:49 PM, Adam Young wrote:
>> Having trouble finding the right notes for setting up AJP. This is to
>> run alongside a FreeIPA server which is already set up with
>> mod_proxy_ajp talking to Tomcat, so I want to keep using the same set of
>> I can see keycloak-1.9.0.Final/standalone/configuration/standalone.xml
>> <subsystem xmlns="urn:jboss:domain:undertow:3.0">
>> <buffer-cache name="default"/>
>> <server name="default-server">
>> <http-listener name="default"
>> <host name="default-host"
>> <location name="/"
>> <filter-ref name="server-header"/>
>> <filter-ref name="x-powered-by-header"/>
>> I'm assuming I need a line comparable to <http-listener
>> socket-binding="http" redirect-socket="https"/> But for
>> protocol. Perhaps ajp-listener?
>> A line like this, perhaps?
>> <http-listener name="default-ajp"
>> scheme="http" />
>> I see at the bottom of the file:
>> <socket-binding-group name="standard-sockets"
>> <socket-binding name="management-http"
>> <socket-binding name="management-https"
>> <socket-binding name="ajp"
>> keycloak-dev mailing list
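Added example, not part of the original messages or the Keycloak project: given an HA-style profile and the port offset from the systemd line above, this resolves which address and port each Undertow listener binds and builds the matching mod_proxy_ajp directive. The XML fragment is constructed, and the listener names, default ports, the /auth path and the helper names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment modelled on a WildFly-style HA profile (not from the thread).
SAMPLE = """<server>
  <subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <server name="default-server">
      <ajp-listener name="ajp" socket-binding="ajp"/>
      <http-listener name="default" socket-binding="http" redirect-socket="https"/>
    </server>
  </subsystem>
  <interface name="public"><inet-address value="${jboss.bind.address:127.0.0.1}"/></interface>
  <socket-binding-group name="standard-sockets" default-interface="public"
                        port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
  </socket-binding-group>
</server>"""

def local(el):
    """Element name without its XML namespace."""
    return el.tag.rsplit("}", 1)[-1]

def resolve(expr, props):
    """Expand ${name:default}: a -D property wins, otherwise the default."""
    m = re.fullmatch(r"\$\{([^:}]+)(?::([^}]*))?\}", expr)
    return props.get(m.group(1), m.group(2)) if m else expr

def listeners(xml_text, props):
    """Map (listener kind, name) to the (address, port) it binds."""
    root = ET.fromstring(xml_text)
    addr = {i.get("name"): resolve(i[0].get("value"), props)
            for i in root.iter() if local(i) == "interface"}
    group = next(e for e in root.iter() if local(e) == "socket-binding-group")
    offset = int(resolve(group.get("port-offset", "0"), props))
    bind = {}
    for b in group:
        if local(b) == "socket-binding":
            iface = b.get("interface", group.get("default-interface"))
            bind[b.get("name")] = (addr[iface], int(resolve(b.get("port"), props)) + offset)
    return {(local(e), e.get("name")): bind[e.get("socket-binding")]
            for e in root.iter() if local(e).endswith("-listener")}

def proxy_pass(found, path="/auth"):
    """mod_proxy_ajp directive for the AJP listener; path is an assumed context root."""
    host, port = next(v for (kind, _), v in found.items() if kind == "ajp-listener")
    return f"ProxyPass {path} ajp://{host}:{port}{path}"

if __name__ == "__main__":
    found = listeners(SAMPLE, {"jboss.socket.binding.port-offset": "100"})
    print(found, proxy_pass(found), sep="\n")
```

Adding a `jboss.bind.address` entry to the properties shows whether the AJP port would be reachable beyond loopback, which matters because httpd on the same host is the only client that needs it.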