[keycloak-user] ssl apache2 difficulties

mj lists at merit.unu.edu
Thu Nov 17 10:52:31 EST 2016


The Keycloak docs recommend running Keycloak over SSL. Doing that 
directly in Java seems quite tricky, so I decided to put an apache2 
reverse proxy in front of Keycloak, using Let's Encrypt SSL certificates.

I can't seem to find many official docs on this subject, but after a lot 
of googling, I think I'm very close.

The main Keycloak interface on
loads over SSL; everything looks good.

The "administration console" link on that page goes to
So that link was generated correctly as well.

However, when I actually click it, I end up somewhere else, namely:
NOT good: no longer https, and thus we get "unable to connect".

Here are the two configs I changed. First the apache2 keycloak.conf:

> <VirtualHost *:443>
>     ServerAdmin webmaster@keycloak.company.com
>     ServerName keycloak.company.com
>     DocumentRoot /var/www/html
>
>     # Pass the client's Host header through so Keycloak builds links for
>     # keycloak.company.com instead of localhost:8080.
>     ProxyPreserveHost       On
>     ProxyVia                Off
>     ProxyRequests           Off
>     ProxyPass               /       "http://localhost:8080/"
>     ProxyPassReverse        /       "http://localhost:8080/"
>     # Note: mod_proxy adds X-Forwarded-For, -Host and -Server, but not
>     # X-Forwarded-Proto, so nothing in this vhost tells the backend that
>     # the client connection was https.
>
>     # Apache 2.2 access-control syntax; on 2.4 this needs mod_access_compat
>     # (the native 2.4 form is "Require all granted").
>     <Proxy *>
>         Order deny,allow
>         Allow from all
>     </Proxy>
>
>     LogLevel info ssl:warn
>     ErrorLog ${APACHE_LOG_DIR}/keycloak-error.log
>     CustomLog ${APACHE_LOG_DIR}/keycloak-access.log combined
>
>     # SSL Engine Switch: enable SSL for this virtual host.
>     SSLEngine on
>     SSLCertificateFile      /etc/ssl/apache2/cert.pem
>     SSLCertificateKeyFile   /etc/ssl/apache2/cert.key
>     # Let's Encrypt's chain.pem holds only the intermediates, which is what
>     # SSLCertificateChainFile is meant for; fullchain.pem (leaf + intermediates)
>     # also loads, but repeats the leaf certificate in the chain.
>     SSLCertificateChainFile /etc/ssl/apache2/fullchain.pem
> </VirtualHost>

and I guess I need to make two changes to standalone.xml as well, at lines 
358 and 422:

edited line 385 to:
>  <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>

inserted this line at line 422:
> <socket-binding name="proxy-https" port="443"/>

Is there a place where the details required to make this work are 
outlined? It seems I'm pretty close and just missing some minor detail 
somewhere...

Best regards,

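For reference, the following is an added example and not the poster's config or anything from the Keycloak project. It is a complete Apache 2.4 vhost for the setup described above: TLS terminated by Apache, Keycloak listening on plain HTTP on localhost:8080 (hostname, backend address and the /etc/ssl/apache2 file layout are taken from the post; the plain-HTTP redirect vhost and the use of mod_headers are assumptions). The one piece the posted config lacks is an X-Forwarded-Proto request header: mod_proxy sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server, but not X-Forwarded-Proto, so Undertow with proxy-address-forwarding="true" still believes the request arrived over http and builds the admin-console redirect as http://..., which is exactly the symptom in the post.

```apache
# Added example (not the original poster's keycloak.conf).
# Requires: a2enmod ssl proxy proxy_http headers
<VirtualHost *:443>
    ServerName  keycloak.company.com
    ServerAdmin webmaster@keycloak.company.com

    SSLEngine on
    # On Apache >= 2.4.8 the Let's Encrypt fullchain.pem (leaf + intermediates)
    # can be given directly to SSLCertificateFile; no SSLCertificateChainFile needed.
    # File names follow the /etc/ssl/apache2 layout used in the post (assumed copies
    # of the Let's Encrypt fullchain.pem and privkey.pem).
    SSLCertificateFile    /etc/ssl/apache2/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/apache2/cert.key

    # Keep the client's Host header so Keycloak generates links for this hostname.
    ProxyPreserveHost On
    ProxyRequests     Off
    ProxyVia          Off

    # The missing piece: tell Keycloak/Undertow the original scheme and port.
    # proxy-address-forwarding="true" in standalone.xml makes Undertow honour these.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    ErrorLog  ${APACHE_LOG_DIR}/keycloak-error.log
    CustomLog ${APACHE_LOG_DIR}/keycloak-access.log combined
</VirtualHost>

# Assumed addition: send any plain-HTTP request to the TLS vhost so nothing
# reaches Keycloak unencrypted through the proxy.
<VirtualHost *:80>
    ServerName keycloak.company.com
    Redirect permanent / https://keycloak.company.com/
</VirtualHost>
```

On the Keycloak side the two standalone.xml changes quoted in the post stay as they are: proxy-address-forwarding="true" makes Undertow read the X-Forwarded-* headers, and redirect-socket="proxy-https" together with the proxy-https socket-binding on port 443 makes any https redirect Keycloak generates itself point at 443 rather than Undertow's own 8443. After reloading Apache, check that the admin-console redirect carries an https Location header, e.g. `curl -sI https://keycloak.company.com/auth/admin/ | grep -i '^location:'`; it should start with https://keycloak.company.com/.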