Hi Alexander,
thanks a lot for the debug hint which put me on the right track. Though the
"env=HTTPS" condition was not the issue here, I could clearly see that
“X-Forwarded-Proto” was not set in the HTTP headers. Surely a mistake in my Apache setup
that did not properly include the statement. It is now fixed and Keycloak works as
expected.
Cheers,
Matthias
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Alexander Schwartz
Sent: Friday, February 26, 2016 9:50 PM
To: 'keycloak-user'
Subject: Re: [keycloak-user] Keycloak 1.9 behind Apache2 reverse proxy not working
properly
Hello Matthias,
we're running Keycloak 1.8 in a similar setup, and this should work. But we don't
have the "env=HTTPS" condition, as we set up the headers as part of the SSL
part.
Could you verify that the headers are sent by Apache correctly? You could try the
following: instead of starting keycloak on port 8080 you could start netcat:
nc -l 8080
This will print the request headers of the first request to your console.
Best regards,
Alexander.
--
Alexander Schwartz (alexander.schwartz(a)gmx.net)
http://www.ahus1.de
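The header check suggested above can also be scripted. The following is an added example, not part of the original thread: it parses a raw request as captured on the backend port (for instance the output of `nc -l 8080`) and reports whether `X-Forwarded-Proto` arrived. The sample requests, the client address and the function names are constructed for illustration.

```python
def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, headers).
    Header names are lower-cased; repeated headers are kept as a list."""
    text = raw.decode("iso-8859-1").replace("\r\n", "\n")
    lines = text.split("\n\n", 1)[0].split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed lines instead of failing
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def check_forwarding(raw: bytes):
    """Return a list of findings about X-Forwarded-Proto (empty list = OK)."""
    _, headers = parse_request(raw)
    proto = headers.get("x-forwarded-proto", [])
    if not proto:
        return ["X-Forwarded-Proto missing: backend cannot tell the client used HTTPS"]
    if len(proto) > 1:
        # More than one value usually means the proxy appended to a
        # client-supplied header instead of overwriting it.
        return ["X-Forwarded-Proto sent %d times: %s" % (len(proto), proto)]
    if proto[0].lower() != "https":
        return ["X-Forwarded-Proto is %r, expected 'https'" % proto[0]]
    return []


# Constructed sample: what the backend sees when the RequestHeader line is not applied.
BROKEN = (b"GET /auth/admin/master/console/ HTTP/1.1\r\n"
          b"Host: auth.domain.org\r\n"
          b"X-Forwarded-For: 203.0.113.7\r\n"
          b"X-Forwarded-Host: auth.domain.org\r\n\r\n")

# Constructed sample: the same request once the proxy sets the header.
FIXED = BROKEN.replace(b"\r\n\r\n", b"\r\nX-Forwarded-Proto: https\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_forwarding(req) or "OK")
```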
Sent: Friday, 26 February 2016 at 14:54
From: "Matthias Müller" <matthias_mueller(a)tu-dresden.de>
To: 'keycloak-user' <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak 1.9 behind Apache2 reverse proxy not working
properly
Yes. I’ve set up an HTTPS reverse proxy in Apache as usual with and added the required
header:
RequestHeader set X-Forwarded-Proto "https" env=HTTPS
Then I edited /usr/local/keycloak/standalone/configuration/standalone.xml according to
these instructions.
From what I’ve seen there’s no difference in the responses between:
a) Configuring reverse proxy in Apache only
b) Configuring reverse proxy in Apache AND editing standalone.xml
In both cases the hostname is properly resolved, but not the protocol part.
Cheers,
Matthias
p.s.: The documentation shows a configuration for an old release (1.1) of the undertow
subsystem. Current is 3.0, which is also part of Keycloak distro. Is the configuration
identical for both versions?
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Stian Thorgersen
Sent: Friday, February 26, 2016 1:36 PM
To: Matthias Müller
Cc: keycloak-user
Subject: Re: [keycloak-user] Keycloak 1.9 behind Apache2 reverse proxy not working
properly
Did you follow the documentation at
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
On 26 February 2016 at 12:53, Matthias Müller <Matthias_Mueller(a)tu-dresden.de>
wrote:
Does anyone have experiences with Keycloak 1.9 in an Apache2 reverse
proxy configuration?
In my test setup I am running Keycloak as a standalone service on port
8080. It is proxied behind an Apache HTTP Server that manages the SSL
communication and forwards requests to localhost:8080. The Apache side
of the proxy is working. However, the administration console web page
(auth/admin/master/console/) still contains plain http://... links
(should be: https://) to the JS components which, of course, is invalid.
Obviously the Keycloak service does not see (or ignores) the X-Forwarded
headers.
Am I missing something here?
Cheers,
Matthias
[1]:
http://auth.domain.org/auth/resources/1.9.0.final/admin/keycloak/lib/sele...
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user