We have some docs for this here https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/clustering/load-balancer.html

Marek

On 01/08/16 22:58, Derek Visch wrote:
Ended up figuring this out, just to save whatever poor soul has to go down the same/similar path here's what I did. I'm curious why I didn't get any errors when running keycloak with debug logging turned on as this must be some kind of host re-write problem with wildfly/keycloak. 

First the only configuration I had to set in standalone.xml was (I removed all the other custom configurations I had in place the rest is the vanilla standalone.xml )
<http-listener name="http-default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true"/>

Wildfly10 Docs for this: https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration

Nginx configuration:

server {
  listen 80;
  server_name keycloak_testing.leveldatadevelopment.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name keycloak_testing.leveldatadevelopment.com;

  ssl_certificate /etc/nginx/ssl/star.leveldatadevelopment.com.crt;
  ssl_certificate_key /etc/nginx/ssl/star.leveldatadevelopment.com.key;

  location / {
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr; #Not sure this is needed for wildfly/keycloak
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect http:// https://;

    proxy_pass http://0.0.0.0:8080;
  }
}


Note the Host different, with Host $host:$server_port; I receive a white page when logging into the admin URL. Why would this happen? Only mention of the host header I could find in the wildFly documentation is https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration


Also to get past the invalid_redirect_uri issue, 

  1. Run keycloak locally
  2. Go to the Clients settings in the Master Realm
  3. Click edit on the security-admin-console client id (You may also have to do this with the account client ID I'm not certain)
  4. Add valid redirect URI's for your new domain, for example https://website.com/* (Docs tell you to be as limited as possible with these so in production limit down your redirect URI's as much as possible)
Hope this helps someone in the future! What do you think? Should this be added to the documentation somewhere or should some kind of error be thrown in this circumstance? I'm not certain if it's Wildfly or keycloak causing this to happen I didn't dig quite hard enough to find out :( 





On Thu, Jul 21, 2016 at 5:21 PM, Derek Visch <derek.visch@gmail.com> wrote:
Trying to setup reverse SSL for keycloak. Having issues finding documentation about this, it's mentioned in https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.0/topics/network/https.html but the extra detail that's supposed to be in https://keycloak.gitbooks.io/server-adminstration-guide/content/ I could not find in regards to reverse SSL proxys.


From that previous mailling list post:

Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to. This is done by editing standalone/configuration/standalone.xml.

First add proxy-address-forwarding and redirect-socket to the http-listener element:

<subsystem xmlns="urn:jboss:domain:undertow:1.1">
    ...
    <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
    ...
</subsystem>

Then add a new socket-binding element to the socket-binding-group element:

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    ...
    <socket-binding name="proxy-https" port="443"/>
    ...
</socket-binding-group>


but now when I go to log on to the admin console I get "We're sorry ... Invalid aparameter: redirect uri". 



Tried stack overflow / google / IRC. No luck so far. 

Any help would be appreciated :D

Thanks





--

Derek Visch / Software Developer / Network Technician 
dvisch@leveldata.com / Direct: 269-488-2037

Level Data Inc. 
Office: 866.511.3282 
4787 Campus Dr. | Kalamazoo, MI 49008 
http://www.leveldata.com



_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user