[keycloak-dev] Setting up AJP proxy from Apache?

Adam Young ayoung at redhat.com
Sat Mar 5 10:55:34 EST 2016


On 03/05/2016 07:27 AM, Bill Burke wrote:
> The only thing I can think of is that the server is binding to localhost
> and not a real IP address?
>
> BTW, why would you want to put Apache in front of Keycloak?  Or is this
> just an application?  Last time I looked at bench, undertow/wildfly
> performs and scales better than Apache HTTPD even for static content.

This is for the OpenStack undercloud.  Scalability is not the issue. 
Limiting the number of VMs required is the constraint.  I am deploying 
Keycloak on the FreeIPA (RH IdM) server which already owns ports 80/443 
and has TLS setup.  Keycloak has to co-exist with both the WSGI apps for 
IPA management and the Java Tomcat app for Dogtag/Certificates.

I'd love it if systemd provided a means to do socket activation for Java 
Apps running in JBoss. Until then, JBoss is going to be proxied behind 
something that can listen on 443 as a non-privileged user.  The rest of 
OpenStack that runs on non-httpd Python webservers is fronted with 
HAProxy.  But we don't do HAProxy for the undercloud.




>
> https://www.techempower.com/benchmarks/
>
> On 3/4/2016 9:49 PM, Adam Young wrote:
>> keycloak-1.9.0.Final
>>
>> Having trouble finding the right notes for setting up AJP.  This is to
>> run alongside a FreeIPA server which is already set up with
>> mod_proxy_ajp talking to Tomcat, so I want to keep using the same set of
>> modules.
>>
>>
>>
>> I can see keycloak-1.9.0.Final/standalone/configuration/standalone.xml
>>
>>
>> <subsystem xmlns="urn:jboss:domain:undertow:3.0">
>>                <buffer-cache name="default"/>
>>                <server name="default-server">
>>                    <http-listener name="default" socket-binding="http"
>> redirect-socket="https"/>
>>
>>                    <host name="default-host" alias="localhost">
>>                        <location name="/" handler="welcome-content"/>
>>                        <filter-ref name="server-header"/>
>>                        <filter-ref name="x-powered-by-header"/>
>>                    </host>
>>                </server>
>>
>>
>> I'm assuming I need a line comparable to <http-listener name="default"
>> socket-binding="http" redirect-socket="https"/> But for the AJP
>> protocol. Perhaps ajp-listener?
>>
>> A line like this, perhaps?
>>
>>         <http-listener name="default-ajp" socket-binding="ajp"
>> scheme="http"  />
>>
>>
>>
>>
>>
>>
>> https://docs.jboss.org/author/display/WFLY8/AJP+listeners
>>
>> I see at the bottom of the file:
>>
>>        <socket-binding-group name="standard-sockets"
>> default-interface="public"
>> port-offset="${jboss.socket.binding.port-offset:0}">
>>            <socket-binding name="management-http" interface="management"
>> port="${jboss.management.http.port:9990}"/>
>>            <socket-binding name="management-https" interface="management"
>> port="${jboss.management.https.port:9993}"/>
>>            <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

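For reference, here is the shape the configuration takes once the AJP listener is in place. This is an added example written for this archive page, not a snippet from the thread or from the Keycloak 1.9.0.Final distribution. Three separate parts of standalone.xml are shown: the interfaces block, the Undertow subsystem (where an `<ajp-listener>` sits beside the existing `<http-listener>`), and the socket-binding group that already carries the `ajp` binding quoted above. The interface name `loopback` is an assumption chosen for the example. The reason for pinning the binding to 127.0.0.1 is security rather than tidiness: AJP carries no authentication, and the backend takes the client address, server name, port, TLS flag and any `remote_user` attribute on trust from whatever connects to port 8009, so the port must be reachable only by the httpd doing the proxying.

```xml
<!-- standalone.xml excerpt (added example, not from the thread or the
     Keycloak distribution). Only the parts that change for mod_proxy_ajp
     are shown; everything marked "unchanged" stays as shipped. -->

<!-- 1. Interfaces: add a dedicated loopback interface for the AJP port.
        "loopback" is an assumed name for this example.                 -->
<interfaces>
    <interface name="management">
        <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
    </interface>
    <interface name="public">
        <inet-address value="${jboss.bind.address:127.0.0.1}"/>
    </interface>
    <interface name="loopback">
        <inet-address value="127.0.0.1"/>
    </interface>
</interfaces>

<!-- 2. Undertow: keep the http-listener, add an ajp-listener. scheme="https"
        is only the fallback used when the AJP packet carries no is_ssl flag;
        mod_proxy_ajp sets that flag from the front-end TLS session, so the
        redirect URIs Keycloak builds come out as https without any
        X-Forwarded-* handling on the http-listener.                    -->
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <ajp-listener name="ajp" socket-binding="ajp" scheme="https"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <!-- servlet-container, handlers and filters: unchanged -->
</subsystem>

<!-- 3. Socket bindings. Weak setting: leaving the "ajp" binding without an
        interface attribute makes it inherit default-interface="public",
        which becomes 0.0.0.0 the moment someone starts the server with
        -b 0.0.0.0. Corrected setting: pin it to the loopback interface. -->
<socket-binding-group name="standard-sockets" default-interface="public"
                      port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management"
                    port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management"
                    port="${jboss.management.https.port:9993}"/>
    <!-- before: <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/> -->
    <socket-binding name="ajp" interface="loopback" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <!-- remaining bindings: unchanged -->
</socket-binding-group>
```

On the httpd side the same mod_proxy and mod_proxy_ajp modules already used for Dogtag suffice; Keycloak 1.9 is deployed under the `/auth` context root, so the matching directive is `ProxyPass /auth ajp://127.0.0.1:8009/auth`. Two checks are worth running after a restart: `ss -ltnp | grep 8009` should list `127.0.0.1:8009` and not `*:8009`, and a request to `/auth/` through the httpd virtual host on 443 should return Keycloak's welcome page with https links, which confirms that the is_ssl flag is reaching Undertow.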