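import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(name = "test", urlPatterns = "/test")
public class TestServlet extends javax.servlet.http.HttpServlet {

    protected void doGet(HttpServletRequest req,
                         HttpServletResponse resp) throws ServletException, IOException {
        // Dump the request URL, remote host and all headers as the container reports them
        System.err.println("REQUEST URL : " + req.getRequestURL());
        System.err.println("REMOTE HOST: " + req.getRemoteHost());
        Enumeration<String> headers = req.getHeaderNames();
        while (headers.hasMoreElements()) {
            String header = headers.nextElement();
            System.err.println(header + ": " + req.getHeader(header));
        }
    }
}
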
/wildfly-10.0.0.Final/standalone/configuration$ grep http-listener standalone.xml 
                <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="https"/>

/wildfly-10.0.0.Final/standalone/configuration$ curl -v --header "X-Forwarded-For:" --header "X-Forwarded-Proto: http" http://localhost:8080/proxytest_war_exploded/test

08:47:32,511 ERROR [stderr] (default task-2) REQUEST URL : http://localhost:8080/proxytest_war_exploded/test
08:47:32,511 ERROR [stderr] (default task-2) REMOTE HOST:
08:47:32,511 ERROR [stderr] (default task-2) Accept: */*
08:47:32,511 ERROR [stderr] (default task-2) X-Forwarded-Proto: http
08:47:32,512 ERROR [stderr] (default task-2) User-Agent: curl/7.43.0
08:47:32,512 ERROR [stderr] (default task-2) X-Forwarded-For:
08:47:32,512 ERROR [stderr] (default task-2) Host: localhost:8080

I've also looked at the code of Undertow/Wildfly and, as far as I can tell, proxy-address-forwarding affects only the values of HttpServletRequest#getRemoteHost() etc.

On 23.05.2016, at 08:16, Stian Thorgersen <sthorger@redhat.com> wrote:

Take a look at http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding. proxy-address-forwarding=true does set HttpServletRequest#getRequestURL(), but only if http is used. If you're using ajp then you need to use ProxyPeerAddressHandler.

On 22 May 2016 at 10:10, Christian Bauer <christian.bauer@gmail.com> wrote:
A workaround/solution is to set the Host header on the proxy.

This is equivalent to setting ProxyPreserveHost On if you were using Apache mod_proxy. However, customizing this header with my Resteasy/ApacheHttpClient proxy requires some ugly hacks.

> On 22.05.2016, at 00:18, Christian Bauer <christian.bauer@gmail.com> wrote:
> Already done. I don't think that affects HttpServletRequest#getRequestURL(), which is what Resteasy is using to populate UriInfo#getBaseUri()?
>> set the proxy-address-forwarding="true" for the http-listener.
>>> The proxy makes a call to Keycloak with a Bearer token and the correct X-Forwarded-* headers. Keycloak/Wildfly is configured with proxy-address-forwarding=true.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
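
Added example, not part of the original thread and not Undertow, WildFly or Keycloak code: in the curl test above, REMOTE HOST is logged empty after the client itself sends an empty X-Forwarded-For, so application code that derives client addresses or base URLs from X-Forwarded-* and Host can accept them only from a known proxy. The class and method names, the proxy addresses and the host names are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added example; class, method and address values are hypothetical.
public class ForwardedHeaderPolicy {
    // Assumption: reverse proxies allowed to set X-Forwarded-* headers.
    static final List<String> TRUSTED_PROXIES = Arrays.asList("127.0.0.1", "10.0.0.5");
    // Assumption: external host names this deployment answers to.
    static final List<String> ALLOWED_HOSTS = Arrays.asList("sso.example.com", "localhost:8080");

    // Client address: rightmost X-Forwarded-For hop that is not one of our proxies.
    static String remoteAddress(String peer, String xForwardedFor) {
        if (!TRUSTED_PROXIES.contains(peer) || xForwardedFor == null) {
            return peer; // direct client: ignore the header it sent
        }
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        return peer; // empty header (as in the curl test) or only our own proxies
    }

    // Base URL: forwarded scheme only from a trusted peer, Host only if allow-listed.
    static String baseUrl(String peer, String connScheme, String host, String xForwardedProto) {
        String scheme = connScheme;
        if (TRUSTED_PROXIES.contains(peer) && xForwardedProto != null) {
            String p = xForwardedProto.trim().toLowerCase(Locale.ROOT);
            if (p.equals("http") || p.equals("https")) {
                scheme = p;
            }
        }
        String safeHost = (host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT)))
                ? host.toLowerCase(Locale.ROOT) : ALLOWED_HOSTS.get(0);
        return scheme + "://" + safeHost;
    }

    public static void main(String[] args) {
        // Constructed inputs: peer address followed by header values.
        System.out.println(remoteAddress("127.0.0.1", ""));                      // empty header via proxy
        System.out.println(remoteAddress("203.0.113.9", "198.51.100.7"));        // header from a direct client
        System.out.println(remoteAddress("10.0.0.5", "198.51.100.7, 10.0.0.5")); // proxy chain
        System.out.println(baseUrl("10.0.0.5", "http", "sso.example.com", "https"));
        System.out.println(baseUrl("203.0.113.9", "http", "evil.example", "https"));
    }
}
```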
