[keycloak-user] Keycloak behind reverse proxy

Nikola Malenic nikola.malenic at netsetglobal.rs
Tue Dec 18 02:38:22 EST 2018


Thank you very much.
I already found this lookup provider in documentation and configured as proposed.

Thank you again,
Nikola

-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro] 
Sent: Tuesday, December 18, 2018 5:56 AM
To: Nikola Malenic <nikola.malenic at netsetglobal.rs>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak behind reverse proxy

Hello Nikola,

You need to configure an x509cert-lookup SPI in your Keycloak config file. Check this out, there are examples for haproxy and Apache: https://www.keycloak.org/docs/latest/server_admin/#client-certificate-lookup

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-12-17 at 15:39 +0100, Nikola Malenic wrote:
> I configured mutual-ssl authentication on Keycloak. That means that 
> user coming to Keycloak does SSL handshake allowing Keycloak to 
> extract data from client certificate and map that data to an existing 
> user at Keycloak, and based on that authenticate the user.
> 
> Now, I need to configure reverse proxy in front of Keycloak. I'm using 
> Apache's httpd.
> 
> The problem is that user's browser now does SSL handshake with the 
> reverse proxy server instead of Keycloak and sends plain http request, 
> disabling Keycloak to map and authenticate the user.
> 
> Is there a proposed method to achieve this?
> 
> Can I configure some reverse proxy (maybe not httpd) to proxy requests 
> on the transport layer? For example, I've seen there is a way to do 
> client authentication on httpd and then send client certificate 
> details to the Wildfly through AJP protocol, but how to map this data to the user then?
> 
> Or should I somehow configure Keycloak for this?
> 
> Maybe configure the proxy to be KC's client and do the authentication 
> somehow?
> 
> Many thanks,
> 
> Nikola
> 
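As an added illustration of the setup Dmitry points to (this is example configuration written for this thread, not text from the Keycloak or Apache documentation and not Nikola's actual config), the httpd virtual host below terminates the mutual-TLS handshake itself and then forwards the verified client certificate to Keycloak in a request header. The hostname, certificate paths, the `/auth` context and the backend address `127.0.0.1:8080` are assumptions; the header names `SSL_CLIENT_CERT` and `CERT_CHAIN_<n>` are the ones the Keycloak `apache` x509cert-lookup provider reads by default.

```apache
# Example httpd vhost (added example, not from the thread): httpd does the
# mutual-TLS handshake and hands the verified client certificate to Keycloak.
<VirtualHost *:443>
    ServerName sso.example.com              # assumed hostname

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/sso.example.com.crt   # assumed path
    SSLCertificateKeyFile /etc/pki/tls/private/sso.example.com.key # assumed path

    # CA(s) that issued the client certificates; httpd validates the chain here,
    # so Keycloak only ever sees certificates that passed this check.
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt         # assumed path
    SSLVerifyClient optional      # use "require" if every request must present a cert
    SSLVerifyDepth 2

    # Export the PEM certificate into mod_ssl env vars so RequestHeader can read them.
    SSLOptions +ExportCertData +StdEnvVars

    # "set" overwrites any header of the same name sent by the client, so a
    # caller cannot smuggle in a forged certificate header through the proxy.
    # When no client cert was presented the header is set to an empty value.
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    RequestHeader set CERT_CHAIN_0    "%{SSL_CLIENT_CERT_CHAIN_0}s"
    RequestHeader set CERT_CHAIN_1    "%{SSL_CLIENT_CERT_CHAIN_1}s"

    # Usual reverse-proxy headers so Keycloak generates correct https:// URLs.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        /auth http://127.0.0.1:8080/auth   # assumed backend address
    ProxyPassReverse /auth http://127.0.0.1:8080/auth
</VirtualHost>
```

On the Keycloak side this pairs with the `x509cert-lookup` SPI from the linked documentation, with `apache` as `default-provider` and the provider properties `sslClientCert` set to `SSL_CLIENT_CERT`, `sslCertChainPrefix` set to `CERT_CHAIN` and `certificateChainLength` set to the number of chain headers the proxy forwards (two in the vhost above), plus `proxy-address-forwarding="true"` on the HTTP listener. Two things are worth checking once it works: Keycloak now trusts the certificate header unconditionally, so port 8080 must only be reachable from the proxy (bind to localhost or firewall it), and the header must be set by the proxy on every request rather than passed through, which the `RequestHeader set` lines guarantee for this vhost.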
