[keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Vincent Sourin sourin-v at bridgestone-bae.com
Sat Oct 22 07:19:23 EDT 2016


Hello,

I've got a strange behavior with a Keycloak instance (version 2.2.1 Final) behind an Apache reverse proxy (with mod_cluster).

First of all, here is my test environment: https://postimg.org/image/z7xrb08ev/

I think it's worth mentioning that:

* Wildfly & keycloak are installed on the same servers but each in separate instances (not using overlay deployment)

* mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel activated because I use Websocket with wildfly

So, in this configuration, applications deployed on wildfly instances work well but I have some problems with Keycloak.
Reaching the keycloak "auth" page (https://XXXXXXX/auth/) works fine, but as soon as I click on the link "Administration Console" (resolved normally to https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to a plain http connection and so the request fails.

If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about "some insecure items on the page" and I can't reach the console either.

Here is a snippet of my keycloak configuration:

<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <server name="default-server">
        <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
        <https-listener name="https" enabled-protocols="TLSv1.2" security-realm="UndertowRealm" socket-binding="https"/>
        [...]
</subsystem>
[...]
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
    <mod-cluster-config advertise-socket="modcluster" connector="default">
        <dynamic-load-provider>
            <load-metric type="cpu"/>
        </dynamic-load-provider>
    </mod-cluster-config>
</subsystem>
[...]
<socket-binding-groups>
    <socket-binding-group name="ha-sockets" default-interface="public">
        [...]
        <socket-binding name="proxy-https" port="443"/>
        [...]
    </socket-binding-group>
</socket-binding-groups>

Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior?

Thanks for your help.

Vincent.

