On Wed, Aug 22, 2018 at 10:24 PM Rafael Weingärtner <rafaelweingartner(a)gmail.com> wrote:

> Hello Keycloakers,
> I have some doubts regarding Keycloak and load balancers. I set up two
> Keycloak replicas to provide HA. To start them I am using “./standalone.sh
> --server-config=standalone-ha.xml”. I am assuming that they will use
> multicast to replicate information between nodes, right?

That is correct. It uses the PING protocol, which in turn uses IP Multicasting
for discovery.
Note that IP Multicasting is disabled in many data centers (I have never
found out why they do it, but I've seen it many, many times). So make sure
your cluster forms correctly (just grep logs and look for "view").

> Then, I set up a load balancer layer using Apache HTTPD and AJP connector
> via 8009 port. To make everything work I needed to use sticky session;
> otherwise, the login would never happen. I am fine with the sticky session,
> however, if I stop one of the replicas where the user is logged in, when
> the user accesses Keycloak again, he/she is asked to present the credentials
> as if he/she was not logged in the other Keycloak replica. Is that the
> expected behavior?

My intuition tells me that your cluster didn't form correctly (as I
mentioned before, grep the logs and look for "view" generated by JGroups).
Therefore, if you enable sticky session, all your requests get to the same
Keycloak instance, which has everything in the local cache. That's why it
works fine.

> Is there some troubleshooting or test that I can perform to check if
> replication is being executed?

Let's start with investigating the logs. Later on we can check JMX.

> --
> Rafael Weingärtner
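
One way to run the log check suggested in the reply above, as an added example that is not part of the original thread: it reads the most recent JGroups cluster view line from a server log and compares its member count with the number of replicas. The log lines are constructed, and the `ISPN000094` line format, the node names `kc1`/`kc2` and the function names are assumptions.

```shell
# Print the member count of the most recent cluster view in a log file.
# Prints 0 when the log contains no view line at all.
latest_view_size() {
    local n
    # A view looks like "[kc1|1] (2) [kc1, kc2]"; capture the "(N)" field.
    n=$(grep -E 'Received new cluster view' "$1" \
        | sed -nE 's/.*\|[0-9]+\] \(([0-9]+)\) \[.*/\1/p' | tail -n 1)
    echo "${n:-0}"
}

# Return 0 only if the latest view holds the expected number of nodes.
cluster_formed() {
    local log=$1 expected=$2 size
    size=$(latest_view_size "$log")
    if [ "$size" -eq "$expected" ]; then
        echo "OK: latest view has $size member(s)"
    else
        # A view of 1 on a 2-node setup means each node only has its local
        # cache, which is why login works only with sticky sessions.
        echo "NOT FORMED: latest view has $size member(s), expected $expected" >&2
        return 1
    fi
}

# Constructed sample logs (node names, timestamps and channel name are made up).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/formed.log" <<'EOF'
22:40:01,120 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [kc1|0] (1) [kc1]
22:40:19,874 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2,ejb,kc1) ISPN000094: Received new cluster view for channel ejb: [kc1|1] (2) [kc1, kc2]
EOF
cat > "$SAMPLE_DIR/isolated.log" <<'EOF'
22:40:05,311 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [kc2|0] (1) [kc2]
EOF

cluster_formed "$SAMPLE_DIR/formed.log" 2
cluster_formed "$SAMPLE_DIR/isolated.log" 2 || true
```

Run `cluster_formed` against each node's own server log with the real replica count; every node should report the same full view.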