Hi,
I'm using nginx as a reverse proxy and got things working. We had to make
sure the following was being set on the proxy:
    proxy_pass << your url >>;
    proxy_set_header Host "$host:$app_port";
    proxy_set_header X-Forwarded-For $host;
    proxy_set_header X-Forwarded-Port $app_port;
In the http-listener on the Keycloak server, make sure
that proxy-address-forwarding="true" is set.
John
On Thu, Jun 15, 2017 at 5:49 AM <jim-keycloak(a)spudsoft.co.uk> wrote:
Hi,
We are trying to use KeyCloak behind a reverse proxy.
There are lots of discussions about doing this online, but they are all
concerned about getting the protocol correct - which we are not having a
problem with.
Our problem is that the reverse proxy has a completely different name
from the KeyCloak host and this seems to be confusing KeyCloak.
Our reverse proxy ("external") is on https and our KeyCloak server
("internal") is on http.
There are two examples that we have seen of this:
1. In the UI templates the url.loginAction variable is
https://internal
2. In JWTs generated by KeyCloak the iss is
https://internal
This seems to be resulting in all tokens being refused by
introspection.
Our reverse proxy is adding both X-Forwarded-Proto and
X-Forwarded-Server headers (we can change these easily).
It would be acceptable for us if KeyCloak were only accessible via the
reverse proxy.
We are using KeyCloak 3.0.0.FINAL.
How can we get this working?
Thanks
Jim
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
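
Added example, not part of the original thread and not Keycloak code: a diagnostic for the symptom Jim describes, which decodes a token's iss claim without verifying the signature and reports where its origin differs from the reverse proxy's external URL. The realm path /auth/realms/demo, the sample tokens and all function names are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def jwt_claims(token):
    """Decode the payload of a compact JWT. No signature check: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def origin(url):
    """Normalise a URL to (scheme, host, port), filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))

def issuer_problems(token, external_base):
    """List the ways the token's iss origin differs from the proxy's external URL."""
    claims = jwt_claims(token)
    iss = claims.get("iss") if isinstance(claims, dict) else None
    if not isinstance(iss, str):
        return ["token has no string iss claim"]
    problems = []
    for name, got, want in zip(("scheme", "host", "port"), origin(iss), origin(external_base)):
        if got != want:
            problems.append(f"{name}: iss has {got!r}, external URL has {want!r}")
    return problems

def constructed_token(claims):
    """Build a sample token with a dummy signature (constructed data, never verified)."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{enc(json.dumps(claims).encode())}.constructed-signature"

# Constructed samples: the issuer as reported in the thread, and the issuer once
# the forwarded headers are honoured by the server behind the proxy.
TOKEN_INTERNAL_ISS = constructed_token({"iss": "https://internal/auth/realms/demo"})
TOKEN_EXTERNAL_ISS = constructed_token({"iss": "https://external/auth/realms/demo"})

if __name__ == "__main__":
    for label, tok in (("before", TOKEN_INTERNAL_ISS), ("after", TOKEN_EXTERNAL_ISS)):
        print(label, issuer_problems(tok, "https://external") or "iss matches proxy origin")
```

Run it against a token obtained through the proxy after each header change; an empty result means the issuer now carries the external name.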