You may be missing the ProxyPeerHandler filter registration in your
undertow subsystem. Below is an example of running Keycloak behind a
stock-standard Apache reverse proxy configuration with the corresponding
undertow subsystem configuration.
I never understood what that proxy-https port configuration in the binding
was good for (I think it's a copy-paste habit or legacy); using the default
8443 one has always worked for me.
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <!-- AJP listener for the mod_proxy_ajp variant of the Apache vhost below -->
        <ajp-listener name="ajp-default" socket-binding="ajp"
                      redirect-socket="https" scheme="https"/>
        <!-- proxy-address-forwarding makes Undertow honour X-Forwarded-* headers -->
        <http-listener name="http-default" socket-binding="http"
                       redirect-socket="https" proxy-address-forwarding="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
            <!-- the filter registration that is usually missing -->
            <filter-ref name="proxy-peer"/>
            <filter-ref name="request-dumper" priority="30"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content"
              path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server"
                         header-value="WildFly/10"/>
        <response-header name="x-powered-by-header"
                         header-name="X-Powered-By" header-value="Undertow/1"/>
        <!-- rewrites the peer address/scheme from X-Forwarded-For / X-Forwarded-Proto -->
        <filter name="proxy-peer" module="io.undertow.core"
                class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/>
        <!-- request-dumper logs every request; useful for debugging only -->
        <filter name="request-dumper" module="io.undertow.core"
                class-name="io.undertow.server.handlers.RequestDumpingHandler"/>
    </filters>
</subsystem>
The socket config:
<socket-binding-group name="standard-sockets"
                      default-interface="public"
                      port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management"
                    port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management"
                    port="${jboss.management.https.port:9993}"/>
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http"
                    port="${jboss.http.port:8080}"/>
    <socket-binding name="https"
                    port="${jboss.https.port:8443}"/>
    <socket-binding name="txn-recovery-environment"
                    port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
</socket-binding-group>
And the minimalistic snippet that goes into the Apache vhost config (Apache
2.4):
<VirtualHost *:80>
    DocumentRoot /var/www
    ServerName your.server.com
    # force everything onto https
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
    ... logging config
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /var/www
    ServerName your.server.com
    ... ssl config
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        # tell Keycloak the original request was https
        RequestHeader set X-Forwarded-Proto "https"
        Require all granted
    </Proxy>
    # ajp works a charm
    ProxyPass /auth ajp://127.0.0.1:8009/auth
    ProxyPassReverse /auth ajp://127.0.0.1:8009/auth
    # or hit the http port instead (use one of the two, not both)
    #ProxyPass /auth http://127.0.0.1:8080/auth
    #ProxyPassReverse /auth http://127.0.0.1:8080/auth
    ... logging config
</VirtualHost>
Hope this solves your problem.
Cheers,
Niels
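The headers this setup hinges on are X-Forwarded-For and X-Forwarded-Proto: proxy-address-forwarding / ProxyPeerAddressHandler rewrite the peer address and scheme from them, and the scheme and port they yield are what the backend uses to build the base URL that redirect URIs are matched against. The following is an added example (not code from the thread, Undertow or Keycloak) that models that header handling; the trusted-proxy gate, the use of the rightmost X-Forwarded-For entry and the 127.0.0.1 proxy address are assumptions of the example, not part of the stock configuration above.

```python
import ipaddress

# Constructed for this example: the only peer allowed to set X-Forwarded-*
# headers is the Apache instance on the same host (ajp/http from 127.0.0.1).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]

def is_trusted_proxy(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def effective_request(peer_ip, headers, listener_scheme="http", listener_port=8080):
    """Return (client_ip, scheme, host, port) as the backend should see them.

    Models what proxy-address-forwarding / ProxyPeerAddressHandler do with
    X-Forwarded-For and X-Forwarded-Proto. The trusted-proxy gate and the
    rightmost-entry rule are hardening assumptions added in this example.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "localhost").split(":")[0]
    if not is_trusted_proxy(peer_ip):
        # Direct hit on the listener: forwarded headers are client-controlled
        # and are ignored; the request is what the socket says it is.
        return peer_ip, listener_scheme, host, listener_port
    client_ip = peer_ip
    xff = h.get("x-forwarded-for")
    if xff:
        # Apache appends the connecting client, so the rightmost entry is the
        # one the trusted proxy vouches for; earlier ones may be client-supplied.
        client_ip = xff.split(",")[-1].strip()
    scheme = h.get("x-forwarded-proto", listener_scheme).lower()
    port = int(h.get("x-forwarded-port", 443 if scheme == "https" else 80))
    return client_ip, scheme, host, port

def redirect_base(peer_ip, headers, **kw):
    """Base URL the backend derives; redirect URIs are matched against this."""
    _, scheme, host, port = effective_request(peer_ip, headers, **kw)
    default = 443 if scheme == "https" else 80
    netloc = host if port == default else f"{host}:{port}"
    return f"{scheme}://{netloc}/auth"

if __name__ == "__main__":
    via_apache = {"Host": "your.server.com", "X-Forwarded-For": "203.0.113.7",
                  "X-Forwarded-Proto": "https"}
    print(redirect_base("127.0.0.1", via_apache))                  # https://your.server.com/auth
    print(redirect_base("127.0.0.1", {"Host": "your.server.com"})) # http://your.server.com/auth
    print(redirect_base("198.51.100.9", via_apache))               # http://your.server.com:8080/auth
```

The second call shows what happens when the proxy does not set X-Forwarded-Proto: the backend derives an http base URL that cannot match an https redirect URI; the third shows why the http listener should only be reachable from the proxy, since a direct client could otherwise supply those headers itself.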
On Fri, Jul 22, 2016 at 7:21 AM, Derek Visch <derek.visch(a)gmail.com> wrote:
Trying to set up reverse SSL for Keycloak. Having issues finding
documentation about this; it's mentioned in
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
but the extra detail that's supposed to be in
https://keycloak.gitbooks.io/server-adminstration-guide/content/ I could
not find in regards to reverse SSL proxies.
Regardless, I ended up following
http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html
From that previous mailing list post:
Follow the documentation for your web server to enable SSL and configure reverse proxy
for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For
and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable
proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy
doesn't use port 8443 for SSL you also need to configure what port http traffic is
redirected to. This is done by editing standalone/configuration/standalone.xml.
First add proxy-address-forwarding and redirect-socket to the http-listener element:
<subsystem xmlns="urn:jboss:domain:undertow:1.1">
    ...
    <http-listener name="default" socket-binding="http"
                   proxy-address-forwarding="true" redirect-socket="proxy-https"/>
    ...
</subsystem>
Then add a new socket-binding element to the socket-binding-group element:
<socket-binding-group name="standard-sockets"
                      default-interface="public"
                      port-offset="${jboss.socket.binding.port-offset:0}">
    ...
    <socket-binding name="proxy-https" port="443"/>
    ...
</socket-binding-group>
but now when I go to log on to the admin console I get "We're sorry ...
Invalid parameter: redirect uri".
Tried Stack Overflow / Google / IRC. No luck so far.
Any help would be appreciated :D
Thanks
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user