[keycloak-dev] Setting up AJP proxy from Apache?
Adam Young
ayoung at redhat.com
Sat Mar 5 22:36:29 EST 2016
On 03/05/2016 10:55 AM, Adam Young wrote:
> On 03/05/2016 07:27 AM, Bill Burke wrote:
>> The only thing I can think of is that the server is binding to localhost
>> and not a real IP address?
>>
>> BTW, why would you want to put Apache in front of Keycloak? Or is this
>> just an application? Last time I looked at bench, undertow/wildfly
>> performs and scales better than Apache HTTPD even for static content.
> This is for the OpenStack undercloud. Scalability is not the issue.
> Limiting the number of VMs required is the constraint. I am deploying
> Keycloak on the FreeIPA (RH IdM) server which already owns ports 80/443
> and has TLS setup. Keycloak has to co-exist with both the WSGI apps for
> IPA management and the Java Tomcat app for Dogtag/Certificates.
>
> I'd love it if systemd provided a means to do socket activation for Java
> Apps running in JBoss. Until then, JBoss is going to be proxied behind
> something that can listen on 443 as a non-privileged user. The rest of
> OpenStack that runs on non-httpd Python webservers is fronted with HA
> proxy. But we don't do HA proxy for the undercloud.
And it turns out it is already set up if you use the HA configuration.

I am using the following line to run Keycloak from systemd:

    ExecStart=/var/lib/keycloak/keycloak-1.9.0.Final/bin/standalone.sh -Djboss.socket.binding.port-offset=100 -c standalone-ha.xml

Seems to work OK. I think something is wrong if I do a restart, as it does
not seem to let the AS completely shut down before starting up again, but
systemctl stop and systemctl start work OK.
>
>> https://www.techempower.com/benchmarks/
>>
>> On 3/4/2016 9:49 PM, Adam Young wrote:
>>> keycloak-1.9.0.Final
>>>
>>> Having trouble finding the right notes for setting up AJP. This is to
>>> run alongside a FreeIPA server which is already set up with
>>> mod_proxy_ajp talking to Tomcat, so I want to keep using the same set of
>>> modules.
>>>
>>>
>>> I can see keycloak-1.9.0.Final/standalone/configuration/standalone.xml
>>>
>>>     <subsystem xmlns="urn:jboss:domain:undertow:3.0">
>>>         <buffer-cache name="default"/>
>>>         <server name="default-server">
>>>             <http-listener name="default" socket-binding="http"
>>>                 redirect-socket="https"/>
>>>
>>>             <host name="default-host" alias="localhost">
>>>                 <location name="/" handler="welcome-content"/>
>>>                 <filter-ref name="server-header"/>
>>>                 <filter-ref name="x-powered-by-header"/>
>>>             </host>
>>>         </server>
>>>
>>> I'm assuming I need a line comparable to <http-listener name="default"
>>> socket-binding="http" redirect-socket="https"/> but for the AJP
>>> protocol. Perhaps ajp-listener?
>>>
>>> A line like this, perhaps?
>>>
>>>     <http-listener name="default-ajp" socket-binding="ajp"
>>>         scheme="http" />
>>>
>>> https://docs.jboss.org/author/display/WFLY8/AJP+listeners
>>>
>>> I see at the bottom of the file:
>>>
>>>     <socket-binding-group name="standard-sockets"
>>>         default-interface="public"
>>>         port-offset="${jboss.socket.binding.port-offset:0}">
>>>         <socket-binding name="management-http" interface="management"
>>>             port="${jboss.management.http.port:9990}"/>
>>>         <socket-binding name="management-https" interface="management"
>>>             port="${jboss.management.https.port:9993}"/>
>>>         <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
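Added example, not part of the original post and not Keycloak or WildFly code: a small audit script that lists each Undertow listener with the interface and effective port it ends up on once the ${name:default} expressions and the port offset from the thread (100) are applied, which is the port mod_proxy_ajp has to target and the interface to check before exposing AJP. The sample XML is constructed, and the function names (resolve, local, listeners) are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like a WildFly standalone-ha.xml (not copied from the thread).
SAMPLE = """<server xmlns="urn:jboss:domain:4.0">
  <profile><subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <server name="default-server">
      <ajp-listener name="ajp" socket-binding="ajp"/>
      <http-listener name="default" socket-binding="http" redirect-socket="https"/>
    </server>
  </subsystem></profile>
  <socket-binding-group name="standard-sockets" default-interface="public"
      port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
  </socket-binding-group>
</server>"""

EXPR = re.compile(r"\$\{([^:}]+)(?::([^}]*))?\}")

def resolve(value, props):
    """Expand ${name:default}: a -D property wins, otherwise the inline default."""
    return EXPR.sub(lambda m: props.get(m.group(1), m.group(2) or ""), value)

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the '{namespace}' prefix ElementTree adds

def listeners(xml_text, props=None):
    """Return (kind, name, interface, effective port) for each Undertow listener."""
    props = props or {}
    root = ET.fromstring(xml_text)
    group = next(e for e in root.iter() if local(e.tag) == "socket-binding-group")
    offset = int(resolve(group.get("port-offset", "0"), props))
    bindings = {}
    for sb in group:
        if local(sb.tag) != "socket-binding" or sb.get("port") is None:
            continue
        port = int(resolve(sb.get("port"), props))
        if sb.get("fixed-port") != "true":  # fixed-port bindings ignore the offset
            port += offset
        bindings[sb.get("name")] = (sb.get("interface", group.get("default-interface")), port)
    return [(local(e.tag), e.get("name")) + bindings[e.get("socket-binding")]
            for e in root.iter()
            if local(e.tag).endswith("-listener") and e.get("socket-binding") in bindings]

if __name__ == "__main__":
    for row in listeners(SAMPLE, {"jboss.socket.binding.port-offset": "100"}):
        print(row)
```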