Hello Stuart,

thanks for your help :)

My current understanding is that I need to proxy requests that are sent to a virtual host created 
at runtime by the Keycloak deployment and Keycloak would add some additional headers with auth information
and take care of authentication if necessary.

Since this can be configured at runtime I don't see how I could use the ServletExtension (which is to my knowledge 
applied at start-time) to dynamically register virtual hosts with Undertow.

The workflow is as follows:

So an admin would create a new "proxied" client configuration in the Keycloak admin console where 
he would configure the name for a new virtual host and a target url.

E.g. if the Keycloak servername is "sso.acme.com" a user would create a proxied client with the following configuration:
* clientid: app1
* virtual host: app1.acme.com
* target url: https://myapp1.com/app
* Header Mapping: key value pairs with header name to (dynamic) expression mapping to inject in the proxied request
* Certificate / public / private key

The certificate is used to provide TLS for app1.acme.com - one could also use a wildcard cert here or generate 
the cert on the server on client setup.

With that in place requests sent to: https://app1.acme.com/ 
should be proxied to: https://myapp1.com/app/
The DNS name app1.acme.com would of course resolve to the IP of sso.acme.com.

A purely path-based solution would be to define a proxy endpoint like https://sso.acme.com/proxy/ which then 
proxies all requests sent to https://sso.acme.com/proxy/app1 to https://myapp1.com/app.

The servlet based approach could easily be done with Servlets or JAX-RS endpoints, but I still wonder how the dynamic vhost registration could be done.

Cheers,
Thomas

2016-08-09 5:50 GMT+02:00 Stuart Douglas <sdouglas@redhat.com>:
So does this need to proxy all requests, or just requests targeted at
the keycloak deployment? If it is the latter then you could just use
ServletExtension to set up the ProxyHandler.

Stuart

On Tue, Aug 9, 2016 at 6:35 AM, Thomas Darimont
<thomas.darimont@googlemail.com> wrote:
> Hello list,
>
> I'm currently working on embedding Keycloak's currently dedicated Proxy
> Server into Keycloak itself.
> For this I need to be able to dynamically configure Undertow's ProxyHandler
> and register VirtualHosts at runtime.
> For reference the discussion thread on keycloak-dev ML: [1]
>
> Keycloak uses the Undertow Subsystem provided by Wildfly 10 which is
> configured via the standalone(-ha).xml.
>
> I could already configure a reverse-proxy and additional hosts via jboss-cli
> but I wonder whether there is an API
> that I could use to get access to the undertow infrastructure from within a
> JAX-RS endpoint.
> I could probably also use the wildfly management client API or perhaps do
> something via JMX.
>
> Would be great if someone could give me a tip or an example for registering
> / configuring Undertow Handler or Virtual Hosts as described above.
>
> Btw. I saw that Undertow ships with a
> io.undertow.server.handlers.proxy.HostTable but I couldn't find
> any usage of it in the Undertow codebase - did I miss something or is this
> dead code?
>
> FYI current code of Keycloak dedicated Proxy Server (uses embedded undertow)
> can be found here: [0]
>
> Cheers,
> Thomas
> [0] https://github.com/keycloak/keycloak/tree/master/proxy
> [1] http://lists.jboss.org/pipermail/keycloak-dev/2016-August/007742.html
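Added example (not part of the original thread, and not Keycloak or Undertow project code): one way to add and remove virtual hosts on a running standalone Undertow server for the workflow described in the top message, using NameVirtualHostHandler in front of one ProxyHandler per client. Assumptions: the class name, the X-Proxied-Client header and the local backend address are hypothetical; per-vhost TLS certificates and wiring into the WildFly Undertow subsystem are not covered.

```java
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.NameVirtualHostHandler;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.server.handlers.proxy.LoadBalancingProxyClient;
import io.undertow.util.HttpString;
import java.net.URI;

/** Hypothetical registry: maps virtual hosts to proxy targets and can change while the server runs. */
public class DynamicVhostProxy {
    // Hypothetical header name used to pass the client id to the backend.
    private static final HttpString CLIENT_ID = new HttpString("X-Proxied-Client");

    private final NameVirtualHostHandler vhosts = new NameVirtualHostHandler();

    public DynamicVhostProxy() {
        // Requests for an unregistered Host get a 404 instead of being forwarded anywhere.
        vhosts.setDefaultHandler(ResponseCodeHandler.HANDLE_404);
    }

    /** Called e.g. when an admin saves a proxied client configuration. */
    public void register(String clientId, String virtualHost, URI target) {
        LoadBalancingProxyClient client = new LoadBalancingProxyClient().addHost(target);
        HttpHandler proxy = Handlers.proxyHandler(client, ResponseCodeHandler.HANDLE_404);
        vhosts.addHost(virtualHost, exchange -> {
            // put() replaces any value the caller sent, so the backend only sees our value.
            exchange.getRequestHeaders().put(CLIENT_ID, clientId);
            proxy.handleRequest(exchange);
        });
    }

    /** Called when the proxied client is deleted; later requests for the host get the 404 default. */
    public void unregister(String virtualHost) {
        vhosts.removeHost(virtualHost);
    }

    public HttpHandler handler() {
        return vhosts;
    }

    public static void main(String[] args) throws Exception {
        DynamicVhostProxy registry = new DynamicVhostProxy();
        Undertow.builder().addHttpListener(8080, "0.0.0.0").setHandler(registry.handler()).build().start();
        // Registered after start(): applies from the next request, no restart needed.
        // Constructed plain-HTTP backend; an https target needs addHost(URI, XnioSsl) instead.
        registry.register("app1", "app1.acme.com", new URI("http://127.0.0.1:8081/app"));
    }
}
```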