Hi,
The Keycloak docs recommend running Keycloak over SSL. Doing that
directly in Java seems quite tricky, so I decided to put an apache2
reverse proxy in front of Keycloak, using Let's Encrypt SSL certificates.
I can't seem to find many official docs on this subject, but after a lot
of googling, I think I'm very close.
The main keycloak interface on
https://keycloak.company.com/auth
loads, using ssl, everything looks good.
The "administration console" link on that page goes to
https://keycloak.company.com/auth/admin/
So the link was generated correctly as well.
However, actually clicking it, I end up somewhere else, namely:
http://keycloak.company.com/auth/admin/master/console/
NOT good: no longer https, and thus we get "unable to connect".
Here are the two configs I did. First the apache2 keycloak.conf:

<VirtualHost *:443>
    ServerAdmin webmaster@keycloak.company.com
    ServerName keycloak.company.com
    DocumentRoot /var/www/html

    ProxyPreserveHost On
    ProxyVia Off
    ProxyRequests Off
    ProxyPass / "http://localhost:8080/"
    ProxyPassReverse / "http://localhost:8080/"
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/keycloak-error.log
    CustomLog ${APACHE_LOG_DIR}/keycloak-access.log combined

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLCertificateFile /etc/ssl/apache2/cert.pem
    SSLCertificateKeyFile /etc/ssl/apache2/cert.key
    SSLCertificateChainFile /etc/ssl/apache2/fullchain.pem
</VirtualHost>
and I guess I need to make two changes to standalone.xml as well, lines
358 and 422:

edited line 385 to:

    <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>

inserted this line at line 422:

    <socket-binding name="proxy-https" port="443"/>
Is there somewhere a place where the required details are outlined to
make this work? Seems I'm pretty close, and just missing some minor
detail somewhere...
Best regards,
MJ
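Added note, not part of the original post: Apache's mod_proxy adds X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server to proxied requests, but it does not add X-Forwarded-Proto. With proxy-address-forwarding="true" Undertow does read X-Forwarded-Proto when it is present, but when it is absent it falls back to the scheme of the backend connection, which is plain http, and that is the scheme it uses when it builds the redirect to /auth/admin/master/console/. The vhost below is an example configuration written for this note (neither the poster's nor the Keycloak project's own); the hostname, certificate paths and the localhost:8080 backend are taken from the post as assumptions, and it needs mod_headers (a2enmod headers) in addition to mod_proxy, mod_proxy_http and mod_ssl.

```apache
# Plain-HTTP vhost: do nothing but send clients to the TLS vhost.
<VirtualHost *:80>
    ServerName keycloak.company.com
    Redirect permanent / https://keycloak.company.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName keycloak.company.com
    ServerAdmin webmaster@keycloak.company.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/apache2/cert.pem
    SSLCertificateKeyFile   /etc/ssl/apache2/cert.key
    SSLCertificateChainFile /etc/ssl/apache2/fullchain.pem

    # Forward proxying must stay off; we only reverse-proxy to Keycloak.
    ProxyRequests Off
    # Keycloak must see the public Host header, otherwise the URLs it
    # generates (redirects, issuer, login links) point at localhost:8080.
    ProxyPreserveHost On
    ProxyVia Off

    # mod_proxy does NOT send X-Forwarded-Proto. Set it (and the port)
    # explicitly; "set" overwrites any value a client supplied, so a
    # request through this vhost cannot smuggle its own value in.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # Apache 2.4 access control (the 2.2 "Order/Allow" form only works
    # with mod_access_compat loaded).
    <Proxy *>
        Require all granted
    </Proxy>

    # Only the Keycloak context path is proxied; nothing else on 8080
    # becomes reachable through the public vhost.
    ProxyPass        /auth http://localhost:8080/auth
    ProxyPassReverse /auth http://localhost:8080/auth

    LogLevel info ssl:warn
    ErrorLog  ${APACHE_LOG_DIR}/keycloak-error.log
    CustomLog ${APACHE_LOG_DIR}/keycloak-access.log combined
</VirtualHost>
```

This pairs with the two standalone.xml edits already shown in the post: proxy-address-forwarding="true" on the http-listener makes Undertow honour the X-Forwarded-* headers, and redirect-socket="proxy-https" with a proxy-https socket-binding on port 443 makes any confidential-redirect go to port 443 rather than the default 8443. One caveat worth keeping in mind: once Keycloak trusts X-Forwarded-Proto and X-Forwarded-For, anything that can reach port 8080 directly can set those headers itself, so leave the WildFly bind address on 127.0.0.1 (the default) or firewall 8080 so the proxy is the only path in. A quick check after restarting both services is curl -sI https://keycloak.company.com/auth/admin/ and confirming that the Location header starts with https://.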