[keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Stian Thorgersen sthorger at redhat.com
Mon Oct 24 02:08:28 EDT 2016


Is your proxy setting X-Forwarded-For, X-Forwarded-Proto and also
preserving the original Host header?

On 22 October 2016 at 13:19, Vincent Sourin <sourin-v at bridgestone-bae.com>
wrote:

> Hello,
>
> I've got a strange behavior with a Keycloak instance (version 2.2.1 Final)
> behind an Apache Reverse Proxy (with Mod_cluster).
>
> First of all, here is my test environment: https://postimg.org/image/z7xrb08ev/
>
> I think it's worth mentioning that:
>
> * Wildfly & keycloak are installed on the same servers but each in
> separate instances (not using overlay deployment)
>
> * mod_cluster is configured in http mode (not ajp) with
> mod_proxy_wstunnel activated because I use Websocket with wildfly
>
> So, in this configuration, applications deployed on wildfly instances work
> well but I got some problems with Keycloak.
> Reaching the keycloak "auth" page (https://XXXXXXX/auth/) works fine but as
> soon as I click on the link "Administration Console" (resolved normally to
> https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to
> a plain http connection and so the request failed.
>
> If I browse directly to https://XXXXXXX/auth/admin/ my browser complains
> about "some insecure items on the page" and I can't reach the console
> either.
>
> Here is a snippet of my keycloak configuration:
>
> <subsystem xmlns="urn:jboss:domain:undertow:3.0">
>     <server name="default-server">
>         <http-listener name="default" proxy-address-forwarding="true"
>                        socket-binding="http" redirect-socket="proxy-https"/>
>         <https-listener name="https" enabled-protocols="TLSv1.2"
>                         security-realm="UndertowRealm" socket-binding="https"/>
>         [...]
> </subsystem>
> [...]
> <subsystem xmlns="urn:jboss:domain:modcluster:2.0">
>     <mod-cluster-config advertise-socket="modcluster" connector="default">
>         <dynamic-load-provider>
>             <load-metric type="cpu"/>
>         </dynamic-load-provider>
>     </mod-cluster-config>
> </subsystem>
> [...]
> <socket-binding-groups>
>     <socket-binding-group name="ha-sockets" default-interface="public">
>         [...]
>         <socket-binding name="proxy-https" port="443"/>
>         [...]
>     </socket-binding-group>
> </socket-binding-groups>
>
> Can someone tell me what I'm doing wrong or give me the right direction to
> further investigate this behavior?
>
> Thanks for your help.
>
> Vincent.
>
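A way to check the three items asked about in the reply, added here as an example and not part of the original thread: it inspects a request as the backend received it from the proxy and reports which of X-Forwarded-For, X-Forwarded-Proto and the original Host are missing or wrong. The public name `sso.example.test`, both sample requests, and the choice to read only the first X-Forwarded-Proto value are assumptions made for illustration.

```python
# Added example: inspects a request as the backend received it from the proxy.
# PUBLIC_HOST and both sample requests are constructed for illustration.
PUBLIC_HOST = "sso.example.test"

GOOD = (b"GET /auth/admin/ HTTP/1.1\r\n"
        b"Host: sso.example.test\r\n"
        b"X-Forwarded-For: 203.0.113.7\r\n"
        b"X-Forwarded-Proto: https\r\n\r\n")
BROKEN = (b"GET /auth/admin/ HTTP/1.1\r\n"
          b"Host: 10.0.0.11:8080\r\n"
          b"X-Forwarded-For: 203.0.113.7\r\n\r\n")


def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header names to their list of values."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_forwarding(raw: bytes, public_host: str, scheme: str = "https") -> list:
    """Return findings; an empty list means all three items are in place."""
    headers = parse_headers(raw)
    findings = []
    if not any(headers.get("x-forwarded-for", [])):
        findings.append("X-Forwarded-For missing")
    proto = headers.get("x-forwarded-proto", [])
    if not proto:
        findings.append("X-Forwarded-Proto missing")
    else:
        first = proto[0].split(",")[0].strip().lower()  # assumption: first value counts
        if first != scheme:
            findings.append(f"X-Forwarded-Proto is {first!r}, expected {scheme!r}")
    host = headers.get("host", [""])[0].lower()
    default_port = {"https": ":443", "http": ":80"}.get(scheme, "")
    if default_port and host.endswith(default_port):
        host = host[: -len(default_port)]        # "name:443" equals "name" for https
    if host != public_host.lower():
        findings.append(f"Host is {host!r}, expected {public_host!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("broken", BROKEN)):
        print(label, check_forwarding(raw, PUBLIC_HOST) or "ok")
```
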

