Hello,
I've got a strange behavior with Keycloak instance (version 2.2.1 Final) behind an
Apache Reverse Proxy (with Mod_cluster).
First of all, here is my test environment :
https://postimg.org/image/z7xrb08ev/
I think it's worth mention that :
* Wildfly & keycloak are installed on the same servers but each in separate
instances (not using overlay deployment)
* mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel
activated because I use Websocket with wildfly
So, in this configuration, applications deployed on wildfly instances work well but I got
some problem with Keycloak.
Reaching keycloak < auth > page (
https://XXXXXXX/auth/) works fine but as soon as I
click on the link < Aministration Console > (resolved normally to
https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to plain http
connection and so the request failed.
If I browse directly to
https://XXXXXXX/auth/admin/ my browser complains about < some
insecured items on the page > and I can't reach the console neither.
Here a a snippet of my keycloak configuration :
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
<server name="default-server">
<http-listener name="default"
proxy-address-forwarding="true" socket-binding="http"
redirect-socket="proxy-https"/>
<https-listener name="https"
enabled-protocols="TLSv1.2" security-realm="UndertowRealm"
socket-binding="https"/>
[...]
</subsystem>
[...]
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
<mod-cluster-config advertise-socket="modcluster"
connector="default">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
[...]
<socket-binding-groups>
<socket-binding-group name="ha-sockets"
default-interface="public">
[...]
<socket-binding name="proxy-https" port="443"/>
[...]
</socket-binding-group>
</socket-binding-groups>
Can someone tell me what I'm doing wrong or give me the right direction to further
investigate this behavior ?
Thanks for your help.
Vincent.