[keycloak-user] Significant SSL issue: Support for reverse proxies

Bill Burke bburke at redhat.com
Fri Jun 13 08:42:04 EDT 2014


Was the adapter not configured right?  It should be pointed to the auth 
server's reverse-proxy URL.

On 6/13/2014 3:50 AM, Juraci Paixão Kröhling wrote:
> I faced the exact same issue earlier this week, but with nginx. On a
> quick look, the problem seems to be in the JavaScript adapter, which
> seems to think that it's being served via non-SSL.
>
> As I haven't had enough time to debug and do a proper fix, the quick
> solution was to configure Wildfly to serve Keycloak via SSL and proxy
> the request to 8443 instead of 8080. It works, but it's suboptimal.
> There are instructions in the documentation on how to set up Wildfly to
> serve requests via SSL.
>
> - - Juca.
>
> On 06/13/2014 09:41 AM, Josh wrote:
>> Hi guys,
>>
>> So looking to help solve this issue possibly or at least get it on
>> the radar, I've reported it here:
>> https://issues.jboss.org/browse/KEYCLOAK-497
>>
>> To briefly recap the issue, when logging in via reverse proxy it
>> keeps forwarding the browser from https back to regular http.
>>
>> Eg. Apache virtualhost configured as:
>>
>> <VirtualHost *:443>
>>     ServerName auth.domain.com
>>     SSLEngine On
>>
>>     <Proxy *>
>>         Order deny,allow
>>         Allow from all
>>     </Proxy>
>>
>>     ProxyVia                Off
>>     ProxyPreserveHost       On
>>     ProxyRequests           Off
>>
>>     ProxyPass               /       http://keycloak.core.docker:8080/
>>     ProxyPassReverse        /       http://keycloak.core.docker:8080/
>> </VirtualHost>
>>
>> If I were to start looking into the code base, where would I
>> start? Trying to find for example during the login process how the
>> forward url is formed?
>>
>> Thanks,
>>
>> Josh
>>
>>
>> _______________________________________________ keycloak-user
>> mailing list keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
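
Added example (not part of the original thread and not Keycloak code): a small Python model of the symptom reported above, where a backend reached over plain HTTP behind a TLS-terminating proxy builds its redirects from the scheme it sees itself. The proxy address, the proxy sending an `X-Forwarded-Proto` header, and the `/auth/login` path are assumptions made for illustration.

```python
# Constructed values; only the host name is taken from the quoted VirtualHost.
TRUSTED_PROXIES = {"10.0.0.5"}  # assumed address of the TLS-terminating proxy


def external_base(peer_ip, scheme, headers, trust_forwarded):
    """Return the scheme://host base a backend would use for redirects.

    peer_ip  -- address of the TCP peer (the proxy, when one is in front)
    scheme   -- scheme of the connection the backend itself accepted
    headers  -- request headers as received by the backend
    """
    host = headers.get("Host", "localhost")
    if trust_forwarded and peer_ip in TRUSTED_PROXIES:
        # Honour the header only when the peer is the known proxy; a client
        # connecting directly could otherwise pick the scheme itself.
        proto = headers.get("X-Forwarded-Proto", "")
        proto = proto.split(",")[0].strip().lower()
        if proto in ("http", "https"):
            scheme = proto
    return f"{scheme}://{host}"


def login_redirect(peer_ip, scheme, headers, trust_forwarded=False):
    """Build the redirect target for a hypothetical /auth/login endpoint."""
    base = external_base(peer_ip, scheme, headers, trust_forwarded)
    return base + "/auth/login"


# Request as the backend sees it: ProxyPreserveHost keeps the public host
# name, but the hop from proxy to backend is plain HTTP on port 8080.
VIA_PROXY = {"Host": "auth.domain.com", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    # 1. Forwarded scheme ignored: the browser is sent back to http://
    print(login_redirect("10.0.0.5", "http", VIA_PROXY))
    # 2. Forwarded scheme honoured for the trusted proxy: stays on https://
    print(login_redirect("10.0.0.5", "http", VIA_PROXY, trust_forwarded=True))
    # 3. Same header from an unknown peer is not trusted
    print(login_redirect("203.0.113.9", "http", VIA_PROXY, trust_forwarded=True))
```
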

