[keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster
mahendra sonawale
mahson1 at gmail.com
Wed Nov 15 08:38:13 EST 2017
Hello Cedric/Keycloak User comm,
Sorry for getting back late on this. My set-up needs the Admin team's
intervention to change the broadcast value, hence the delay in response.
I got the /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts value changed to 0
and also tested the multicast set-up with "McastReceiverTest"
and "McastSenderTest", which works fine.
BUT KEYCLOAK is still NOT working in cluster. I get auto-logged out.
PFA the HA file which I am using in my configuration.
IP addresses are dummy.
Node 1 : 1.2.3.4
Node 2 : 1.2.3.5
This is all I tried.
1) Start command - nohup ./bin/standalone.sh
--server-config=standalone-ha.xml -b $HOSTNAME -u 230.0.0.4 &
2) Tried to run both nodes with the public as well as the private interface,
but no luck.
3) I have a hardware load balancer where SSL terminates, so the domain will
communicate with both nodes in round robin and both nodes should be
4) PFB the HTTPD Conf
-------------------------
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule remoteip_module modules/mod_remoteip.so
ProxyPreserveHost On
LimitRequestFieldSize 163840
LimitRequestLine 163840
#<VirtualHost _default_:80>
ServerName rapid.gi-de.com:443
ErrorLog /opt/keycloak/fiam_error_log
CustomLog /opt/keycloak/fiam_access_log combined
LogLevel warn
RequestHeader set X-Forwarded-Proto "https"
<Proxy https://abc.com/* >
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# not rewrite css, js and images
RewriteCond %{REQUEST_URI} !\.(?:css|js|map|jpe?g|gif|png)$ [NC]
RewriteRule ^(.*)$ /auth [NC,L,QSA]
#Options -Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Proxy>
ProxyPass /auth http://1.2.3.4:8080/auth
ProxyPassReverse /auth http://1.2.3.4:8080/auth
------------------
And on the 2nd node only the ProxyPass has a change in IP address, to 1.2.3.5.
6) Server logs:
2017-11-15 14:03:06,255 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel keycloak: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,256 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel hibernate: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,259 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-8) ISPN000094: Received new cluster view for channel web: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,263 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel server: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,263 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000079: Channel hibernate local address is keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
2017-11-15 14:03:06,264 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel server local address is keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
2017-11-15 14:03:06,264 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,265 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel ejb local address is keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
Thanks,
Mahendra
On Thu, Nov 9, 2017 at 6:35 PM, Cédric Couralet <cedric.couralet at gmail.com>
wrote:
> 2017-11-09 12:34 GMT+01:00 mahendra sonawale <mahson1 at gmail.com>:
> > (You can look for the value in
> > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, it should be 0)
> >
> > In our production linux env the value is 1 -- does that really affect??
> > and would that be the only cause?
> >
>
> Yes, it is important. At least for us, changing this value to 0 was
> enough to have a working cluster.
> As I understand it, the value 1 is a protection against DoS but, in
> the case of Keycloak, prevents each node from discovering the others. In a
> controlled environment (as recommended in the Keycloak docs), I see no
> problem enabling it.
>
> I'm far from an expert, so maybe someone will have a better idea.
>
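Every "Received new cluster view" line in the server log above lists a single member, (1) [keycloak1.accounts.intern], on every channel (keycloak, hibernate, web, server, ejb). That means the JGroups channels on node 1 never saw node 2, so there is no shared session cache, and a round-robin balancer sending the browser to the other node is consistent with the forced logout described. The script below is an added example for this thread, not code from the post or from Keycloak: it re-joins log entries that a mail client wrapped, extracts the latest view and physical address per channel, and reports channels whose view is smaller than the expected node count. It also flags a JGroups socket bound to loopback, on the assumption (from the stock standalone-ha.xml, where JGroups uses the "private" interface, which falls back to 127.0.0.1 unless -bprivate is given) that such a binding is unreachable from the other node. The sample log is constructed from the lines in the post plus a constructed loopback entry for ejb and a constructed two-member view for web, so the output shows both the failing and the healthy case.

```python
"""Parse Infinispan/JGroups cluster-view lines from a Keycloak (WildFly)
server.log and flag channels that never formed the expected cluster.

Added example for this thread; not code from the post or from Keycloak.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# A log entry starts with the WildFly timestamp "YYYY-MM-DD HH:MM:SS,mmm ".
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
# ISPN000094: Received new cluster view for channel <ch>: [<coord>|<id>] (<n>) [<members>]
VIEW_RE = re.compile(
    r"ISPN000094: Received new cluster view for channel (?P<channel>\w+): "
    r"\[(?P<coord>[^|\]]+)\|(?P<view_id>\d+)\] \((?P<count>\d+)\) \[(?P<members>[^\]]*)\]"
)
# ISPN000079: Channel <ch> local address is <name>, physical addresses are [<ip:port>, ...]
PHYS_RE = re.compile(
    r"ISPN000079: Channel (?P<channel>\w+) local address is (?P<local>\S+), "
    r"physical addresses are \[(?P<phys>[^\]]*)\]"
)
# Assumption: a JGroups socket on loopback cannot be reached by the peer node.
LOOPBACK_PREFIXES = ("127.", "localhost", "[::1]", "::1")


@dataclass
class ChannelState:
    channel: str
    view_id: int = -1  # -1 until a view line has been seen for this channel
    members: List[str] = field(default_factory=list)
    physical: List[str] = field(default_factory=list)


def unwrap(lines: Iterable[str]) -> List[str]:
    """Re-join entries that a mail client wrapped onto several lines."""
    entries: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_cluster_log(lines: Iterable[str]) -> Dict[str, ChannelState]:
    """Latest view and physical address per JGroups channel."""
    states: Dict[str, ChannelState] = {}
    for entry in unwrap(lines):
        m = VIEW_RE.search(entry)
        if m:
            st = states.setdefault(m["channel"], ChannelState(m["channel"]))
            view_id = int(m["view_id"])
            if view_id >= st.view_id:  # views are numbered; keep the newest
                st.view_id = view_id
                st.members = [x.strip() for x in m["members"].split(",") if x.strip()]
            continue
        m = PHYS_RE.search(entry)
        if m:
            st = states.setdefault(m["channel"], ChannelState(m["channel"]))
            st.physical = [x.strip() for x in m["phys"].split(",") if x.strip()]
    return states


def find_problems(states: Dict[str, ChannelState], expected_nodes: int) -> List[str]:
    """One message per undersized view and per loopback-bound channel."""
    problems: List[str] = []
    for name in sorted(states):
        st = states[name]
        if st.view_id >= 0 and len(st.members) < expected_nodes:
            problems.append(f"channel {name}: view {st.view_id} has {len(st.members)} of "
                            f"{expected_nodes} expected members {st.members}")
        for addr in st.physical:
            if addr.startswith(LOOPBACK_PREFIXES):
                problems.append(f"channel {name}: JGroups bound to loopback {addr}; "
                                "other nodes cannot reach it (check -bprivate)")
    return problems


# Constructed sample: wrapped lines copied from the post, plus a constructed
# loopback address for ejb and a constructed two-member view for web.
SAMPLE_LOG = """\
2017-11-15 14:03:06,255 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
thread 1-2) ISPN000094: Received new cluster view for channel keycloak:
[keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,263 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
thread 1-7) ISPN000079: Channel hibernate local address is
keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
2017-11-15 14:03:06,264 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
thread 1-3) ISPN000094: Received new cluster view for channel ejb:
[keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,265 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(MSC service thread 1-3) ISPN000079: Channel ejb local address is
keycloak1.accounts.intern, physical addresses are [127.0.0.1:55200]
2017-11-15 14:05:10,001 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(thread-9) ISPN000094: Received new cluster view for channel web:
[keycloak1.accounts.intern|1] (2) [keycloak1.accounts.intern, keycloak2.accounts.intern]
"""

if __name__ == "__main__":
    for problem in find_problems(parse_cluster_log(SAMPLE_LOG.splitlines()), expected_nodes=2):
        print(problem)
```

Run it against a real server.log with `parse_cluster_log(open("server.log"))` and the node count you expect; a healthy two-node cluster prints nothing, and the view id grows by one each time a node joins or leaves. If every channel reports one member while the multicast sender/receiver test passes, the remaining suspects are the JGroups bind address (the "physical addresses" value) and the multicast port, not the OS-level broadcast filter.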