[keycloak-user] Keycloak 1.9 behind Apache2 reverse proxy not working properly

Matthias Müller matthias_mueller at tu-dresden.de
Sat Feb 27 10:57:09 EST 2016


Hi Alexander,

 

Thanks a lot for the debug hint, which put me on the right track. Though the "env=HTTPS" condition was not the issue here, I could clearly see that "X-Forwarded-Proto" was not set in the HTTP headers. Surely a mistake in my Apache setup that did not properly include the statement. It is now fixed and Keycloak works as expected.

 

Cheers,

Matthias

 

 

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Alexander Schwartz
Sent: Friday, February 26, 2016 9:50 PM
To: 'keycloak-user'
Subject: Re: [keycloak-user] Keycloak 1.9 behind Apache2 reverse proxy not working properly

 

Hello Matthias,

 

We're running Keycloak 1.8 in a similar setup, and this should work. But we don't have the "env=HTTPS" condition, as we set up the headers as part of the SSL part.

 

Could you verify that the headers are sent by Apache correctly? You could try the following: instead of starting Keycloak on port 8080, you could start netcat:

 

nc -l 8080

 

This will print the request headers of the first request to your console.

 

Best regards,

Alexander.

 

--
Alexander Schwartz (alexander.schwartz at gmx.net)
http://www.ahus1.de

  

  

Sent: Friday, 26 February 2016 at 14:54
From: "Matthias Müller" <matthias_mueller at tu-dresden.de>
To: 'keycloak-user' <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak 1.9 behind Apache2 reverse proxy not working properly

Yes. I’ve set up an HTTPS reverse proxy in Apache as usual with and added the required header:

 

RequestHeader set X-Forwarded-Proto "https" env=HTTPS

 

Then I edited /usr/local/keycloak/standalone/configuration/standalone.xml according to these instructions.

 

From what I’ve seen there’s no difference in the responses between:

 

a) Configuring reverse proxy in Apache only

b) Configuring reverse proxy in Apache AND editing standalone.xml

 

In both cases the hostname is properly resolved, but not the protocol part.

 

Cheers,

Matthias

 

P.S.: The documentation shows a configuration for an old release (1.1) of the undertow subsystem. Current is 3.0, which is also part of the Keycloak distro. Is the configuration identical for both versions?

 

 

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen
Sent: Friday, February 26, 2016 1:36 PM
To: Matthias Müller
Cc: keycloak-user
Subject: Re: [keycloak-user] Keycloak 1.9 behind Apache2 reverse proxy not working properly

 

Did you follow the documentation at http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e394

 

On 26 February 2016 at 12:53, Matthias Müller <Matthias_Mueller at tu-dresden.de> wrote:

Does anyone have experiences with Keycloak 1.9 in an Apache2 reverse
proxy configuration?

In my test setup I am running Keycloak as a standalone service on port
8080. It is proxied behind an Apache HTTP Server that manages the SSL
communication and forwards requests to localhost:8080. The Apache side
of the proxy is working. However, the administration console web page
(auth/admin/master/console/) still contains plain http://... links
(should be: https://) to the JS components which, of course, is invalid.
Obviously the Keycloak service does not see (or ignores) the X-Forwarded
headers.

Am I missing something here?

Cheers,
Matthias

[1]:
http://auth.domain.org/auth/resources/1.9.0.final/admin/keycloak/lib/select2-3.4.1/select2.js
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
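
The netcat check suggested in the thread, turned into a repeatable test. This is an added example, not part of the original messages or of Keycloak; the function names, the file name request.txt and the sample request are assumptions made for illustration. It goes slightly beyond the thread by also flagging a header that is present with a value other than "https" or that appears more than once.

```shell
#!/bin/sh
# Added example: check a raw request captured on the backend port, e.g.
#   nc -l 8080 > request.txt   (Keycloak stopped, one request sent via Apache)

# forwarded_proto FILE: print each X-Forwarded-Proto value in the header
# block, lowercased, one per line. Names match case-insensitively and
# parsing stops at the blank line, so a request body is never matched.
forwarded_proto() {
    tr -d '\r' < "$1" | awk '
        NR == 1 { next }            # request line, not a header
        /^$/    { exit }            # end of headers
        {
            i = index($0, ":")
            if (i == 0) next
            name  = tolower(substr($0, 1, i - 1))
            value = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == "x-forwarded-proto") print tolower(value)
        }'
}

# check_proxy_headers FILE: 0 = exactly one header with value https,
# 1 = header missing, 2 = other value or more than one header.
check_proxy_headers() {
    protos=$(forwarded_proto "$1")
    if [ -z "$protos" ]; then
        echo "X-Forwarded-Proto missing"
        return 1
    elif [ "$protos" != "https" ]; then
        echo "unexpected X-Forwarded-Proto: $(echo "$protos" | tr '\n' ' ')"
        return 2
    fi
    echo "X-Forwarded-Proto: https"
}

# sample_request [HEADER-LINE]: constructed capture, not taken from the thread.
sample_request() {
    printf 'GET /auth/admin/master/console/ HTTP/1.1\r\n'
    printf 'Host: auth.domain.org\r\n'
    if [ -n "$1" ]; then printf '%s\r\n' "$1"; fi
    printf '\r\n'
}

# Demo on the constructed captures: header absent, then header present.
tmp=$(mktemp)
sample_request > "$tmp"; check_proxy_headers "$tmp" || true
sample_request 'x-forwarded-proto: HTTPS' > "$tmp"; check_proxy_headers "$tmp" || true
rm -f "$tmp"
```

Against a real capture, run check_proxy_headers request.txt and use the exit status to tell a missing header (1) from an unexpected one (2).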

 
