Is your proxy setting X-Forwarded-For, X-Forwarded-Proto and also
preserving the original Host header?
On 22 October 2016 at 13:19, Vincent Sourin <sourin-v(a)bridgestone-bae.com>
wrote:
Hello,
I've got a strange behavior with a Keycloak instance (version 2.2.1 Final)
behind an Apache Reverse Proxy (with Mod_cluster).
First of all, here is my test environment:
https://postimg.org/image/z7xrb08ev/
I think it's worth mentioning that:
* Wildfly & keycloak are installed on the same servers but each in
separate instances (not using overlay deployment)
* mod_cluster is configured in http mode (not ajp) with
mod_proxy_wstunnel activated because I use Websocket with wildfly
So, in this configuration, applications deployed on wildfly instances work
well but I got some problems with Keycloak.
Reaching the keycloak "auth" page (https://XXXXXXX/auth/) works fine but as
soon as I click on the link "Administration Console" (resolved normally to
https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to a
plain http connection and so the request failed.
If I browse directly to https://XXXXXXX/auth/admin/ my browser complains
about "some insecure items on the page" and I can't reach the console
either.
Here is a snippet of my keycloak configuration:
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <server name="default-server">
        <http-listener name="default"
                       proxy-address-forwarding="true"
                       socket-binding="http" redirect-socket="proxy-https"/>
        <https-listener name="https"
                        enabled-protocols="TLSv1.2" security-realm="UndertowRealm"
                        socket-binding="https"/>
        [...]
</subsystem>
[...]
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
    <mod-cluster-config advertise-socket="modcluster"
                        connector="default">
        <dynamic-load-provider>
            <load-metric type="cpu"/>
        </dynamic-load-provider>
    </mod-cluster-config>
</subsystem>
[...]
<socket-binding-groups>
    <socket-binding-group name="ha-sockets"
                          default-interface="public">
        [...]
        <socket-binding name="proxy-https" port="443"/>
        [...]
    </socket-binding-group>
</socket-binding-groups>
Can someone tell me what I'm doing wrong or give me the right direction to
further investigate this behavior?
Thanks for your help.
Vincent.
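
Added example, not part of the original thread and not Undertow or Keycloak code: a simplified Python model of how a backend that honors forwarded headers (what proxy-address-forwarding="true" asks the http listener to do) rebuilds its public URL, showing why a missing X-Forwarded-Proto produces the plain-http redirect described above. The host name, addresses and function names are constructed for illustration.

```python
# Simplified model (an assumption, not Undertow or Keycloak source) of how a
# backend that trusts forwarded headers rebuilds the browser-facing URL.

def external_base_url(headers, listener_scheme="http", listener_host="10.0.0.5:8080"):
    """Return the scheme://host the backend will use in redirects and page links."""
    h = {k.lower(): v for k, v in headers.items()}
    # Scheme: only X-Forwarded-Proto tells the backend that TLS ended at the proxy.
    scheme = h.get("x-forwarded-proto", listener_scheme).split(",")[0].strip().lower()
    # Host: X-Forwarded-Host if present, else the Host header the proxy passed on.
    host = h.get("x-forwarded-host", h.get("host", listener_host)).split(",")[0].strip()
    return f"{scheme}://{host}"

def diagnose(headers, public_url):
    """List the reasons why generated URLs would differ from public_url."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    if "x-forwarded-proto" not in h:
        problems.append("X-Forwarded-Proto missing: backend assumes its own listener scheme")
    if "x-forwarded-for" not in h:
        problems.append("X-Forwarded-For missing: backend sees the proxy as the client")
    built = external_base_url(headers)
    if built != public_url:
        problems.append(f"backend builds {built}, browser uses {public_url}")
    return problems

# Constructed sample requests as the backend's http listener would receive them.
PUBLIC = "https://sso.example.test"
BROKEN = {"Host": "sso.example.test", "X-Forwarded-For": "203.0.113.7"}
FIXED = {"Host": "sso.example.test", "X-Forwarded-For": "203.0.113.7",
         "X-Forwarded-Proto": "https"}
# Proxy forwards the scheme but replaces Host with the backend address.
REWRITTEN_HOST = {"Host": "10.0.0.5:8080", "X-Forwarded-For": "203.0.113.7",
                  "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    for name, req in [("broken", BROKEN), ("fixed", FIXED),
                      ("rewritten host", REWRITTEN_HOST)]:
        print(name, "->", external_base_url(req), diagnose(req, PUBLIC))
```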