I've updated the documentation. One more thing you should enable is the confidential
transport-guarantee for Keycloak to make sure all http traffic is redirected to https. To
make sure it redirects to the correct port you also need to specify redirect-socket.
I've included the added documentation below so you don't have to build this from
source.
Added Documentation:
3.3.4.2. Enable SSL on a Reverse Proxy
Follow the documentation for your web server to enable SSL and configure reverse proxy for
Keycloak. It is important that you make sure the web server sets the X-Forwarded-For and
X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable
proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy
doesn't use port 8443 for SSL you also need to configure what port http traffic is
redirected to. This is done by editing standalone/configuration/standalone.xml.
First add proxy-address-forwarding and redirect-socket to the http-listener element:
<subsystem xmlns="urn:jboss:domain:undertow:1.1">
    ...
    <http-listener name="default" socket-binding="http"
                   proxy-address-forwarding="true" redirect-socket="proxy-https"/>
    ...
</subsystem>
Then add a new socket-binding element to the socket-binding-group element:
<socket-binding-group name="standard-sockets"
                      default-interface="public"
                      port-offset="${jboss.socket.binding.port-offset:0}">
    ...
    <socket-binding name="proxy-https" port="443"/>
    ...
</socket-binding-group>
Check the WildFly documentation
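As an added example (not Keycloak or WildFly code), a small Python check that reads a standalone.xml and verifies the additions documented above: proxy-address-forwarding set on the http-listener, a redirect-socket attribute, and a socket-binding that the redirect-socket name resolves to. The sample XML is constructed and trimmed to the relevant elements, and namespaces are stripped before matching because their version suffix changes between WildFly releases.

```python
"""Check a WildFly standalone.xml for the reverse-proxy settings documented
above. Added example, not Keycloak or WildFly code; sample XML is constructed."""
import xml.etree.ElementTree as ET

# Constructed, trimmed standalone.xml containing the documented additions.
GOOD_XML = """<server xmlns="urn:jboss:domain:2.1">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:1.1">
      <http-listener name="default" socket-binding="http"
          proxy-address-forwarding="true" redirect-socket="proxy-https"/>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" port="8080"/>
    <socket-binding name="proxy-https" port="443"/>
  </socket-binding-group>
</server>"""

# The same file before the additions: no forwarding, redirects fall back to 8443.
STOCK_XML = GOOD_XML.replace(
    ' proxy-address-forwarding="true" redirect-socket="proxy-https"', ""
).replace('<socket-binding name="proxy-https" port="443"/>', "")

def _local(tag):
    """Strip the namespace; the subsystem namespace version varies by release."""
    return tag.rsplit("}", 1)[-1]

def check_proxy_config(xml_text):
    """Return a list of problems; an empty list means the config matches the docs."""
    root = ET.fromstring(xml_text)
    bindings = {el.get("name"): el.get("port")
                for el in root.iter() if _local(el.tag) == "socket-binding"}
    listeners = [el for el in root.iter() if _local(el.tag) == "http-listener"]
    if not listeners:
        return ["no http-listener found in the undertow subsystem"]
    problems = []
    for li in listeners:
        name = li.get("name")
        if li.get("proxy-address-forwarding") != "true":
            problems.append("%s: proxy-address-forwarding is not true" % name)
        target = li.get("redirect-socket")
        if target is None:
            problems.append("%s: no redirect-socket (https redirects use 8443)" % name)
        elif target not in bindings:
            problems.append("%s: redirect-socket %r has no socket-binding" % (name, target))
    return problems

if __name__ == "__main__":
    for label, xml in (("documented", GOOD_XML), ("stock", STOCK_XML)):
        print(label, check_proxy_config(xml) or "OK")
```

The check covers only the WildFly side; the proxy must still send X-Forwarded-For and X-Forwarded-Proto as the documentation says, or the listener has nothing to act on.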
From: "Josh" <smysnk(a)gmail.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Tuesday, 17 June, 2014 6:19:10 PM
Subject: Re: [keycloak-user] Significant SSL issue: Support for reverse proxies
Excellent, just tested it out and it is working as expected.
I also had to add 'RequestHeader set X-Forwarded-Proto "https"' to my
Apache virtualhost configuration.
Some documentation somewhere that this is required would be useful for the
next guy.
Thanks,
Josh
On Tue, Jun 17, 2014 at 4:58 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> This is quite likely an issue with either Apache or WildFly not being
> configured correctly.
>
> Have you enabled proxy-address-forwarding in WildFly/Undertow (see
> https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+conf...
> for more info)?
>
> ----- Original Message -----
> > From: "Josh" <smysnk(a)gmail.com>
> > To: "Stian Thorgersen" <stian(a)redhat.com>
> > Cc: keycloak-user(a)lists.jboss.org
> > Sent: Monday, 16 June, 2014 4:42:27 PM
> > Subject: Re: [keycloak-user] Significant SSL issue: Support for reverse proxies
> >
> > The first would be at the "Welcome to Keycloak" page, clicking on
> > Administration Console. The link itself is not redirecting to http, but as
> > part of the login page it looks like it forwards back to http. (eg.
> > https://auth.psidox.com/auth/ ->
> > https://auth.psidox.com/auth/admin/ ->
> > http://auth.psidox.com/auth/admin/master/console ->
> > http://auth.psidox.com/auth/realms/master/tokens/login?client_id=security...
> > )
> >
> > I haven't really gotten too far beyond the login page.
> >
> > - Josh
> >
> >
> > On Mon, Jun 16, 2014 at 3:33 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> >
> > > When does it forward the browser from https to http?
> > >
> > > As Bill pointed out, does auth-server-url in your keycloak.json point to
> > > your proxy with https?
> > >
> > > What adapter are you using?
> > >
> > > ----- Original Message -----
> > > > From: "Josh" <smysnk(a)gmail.com>
> > > > To: keycloak-user(a)lists.jboss.org
> > > > Sent: Friday, 13 June, 2014 8:41:32 AM
> > > > Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies
> > > >
> > > > Hi guys,
> > > >
> > > > So looking to help solve this issue possibly or at least get it on the radar,
> > > > I've reported it here: https://issues.jboss.org/browse/KEYCLOAK-497
> > > >
> > > > To briefly recap the issue, when logging in via reverse proxy it keeps
> > > > forwarding the browser from https back to regular http.
> > > >
> > > > Eg. Apache virtualhost configured as:
> > > >
> > > > <VirtualHost *:443>
> > > >     ServerName auth.domain.com
> > > >     SSLEngine On
> > > >
> > > >     <Proxy *>
> > > >         Order deny,allow
> > > >         Allow from all
> > > >     </Proxy>
> > > >
> > > >     ProxyVia Off
> > > >     ProxyPreserveHost On
> > > >     ProxyRequests Off
> > > >
> > > >     ProxyPass / http://keycloak.core.docker:8080/
> > > >     ProxyPassReverse / http://keycloak.core.docker:8080/
> > > > </VirtualHost>
> > > >
> > > > If I were to start looking into the code base, where would I start? Trying to
> > > > find for example during the login process how the forward url is formed?
> > > >
> > > > Thanks,
> > > >
> > > > Josh
> > > >