[keycloak-user] Keycloak behind reverse proxy
Nikola Malenic
nikola.malenic at netsetglobal.rs
Tue Dec 18 02:38:22 EST 2018
Thank you very much.
I already found this lookup provider in the documentation and configured it as proposed.
Thank you again,
Nikola
-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro]
Sent: Tuesday, December 18, 2018 5:56 AM
To: Nikola Malenic <nikola.malenic at netsetglobal.rs>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak behind reverse proxy
Hello Nikola,
You need to configure an x509cert-lookup SPI in your Keycloak config file. Check this out, there are examples for haproxy and Apache: https://www.keycloak.org/docs/latest/server_admin/#client-certificate-lookup
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
On Mon, 2018-12-17 at 15:39 +0100, Nikola Malenic wrote:
> I configured mutual-ssl authentication on Keycloak. That means that
> user coming to Keycloak does SSL handshake allowing Keycloak to
> extract data from client certificate and map that data to an existing
> user at Keycloak, and based on that authenticate the user.
>
>
>
> Now, I need to configure reverse proxy in front of Keycloak. I'm using
> Apache's httpd.
>
> The problem is that the user's browser now does the SSL handshake with the
> reverse proxy server instead of Keycloak and sends a plain HTTP request,
> preventing Keycloak from mapping and authenticating the user.
>
>
>
> Is there a proposed method to achieve this?
>
> Can I configure some reverse proxy (maybe not httpd) to proxy requests
> on the transport layer? For example, I've seen there is a way to do
> client authentication on httpd and then send client certificate
> details to the Wildfly through AJP protocol, but how to map this data to the user then?
>
> Or should I somehow configure Keycloak for this?
>
> Maybe configure the proxy to be KC's client and do the authentication
> somehow?
>
>
>
> Many thanks,
>
> Nikola
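The proxy half of the setup discussed in this thread, as an added example that is not taken from the thread or from the Keycloak documentation: httpd terminates TLS, verifies the client certificate, and forwards it to Keycloak in a request header that the x509cert-lookup provider reads. The header name `SSL_CLIENT_CERT` is an assumption and must equal the value of the provider's `sslClientCert` property; the hostname, file paths and backend address are placeholders.

```apache
# Added example: TLS-terminating httpd in front of Keycloak.
# Requires mod_ssl, mod_headers, mod_proxy and mod_proxy_http.
<VirtualHost *:443>
    ServerName sso.example.org                              # placeholder

    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/sso.example.org.crt   # placeholder
    SSLCertificateKeyFile /etc/httpd/tls/sso.example.org.key   # placeholder

    # The mutual-TLS handshake now happens here, so certificate
    # validation (trusted issuers, chain depth) is httpd's job.
    SSLCACertificateFile  /etc/httpd/tls/client-issuing-ca.crt # placeholder
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # Keycloak trusts whatever arrives in this header. "set" replaces any
    # value the browser supplied, so only the certificate that httpd
    # itself verified is passed on (PEM, taken from the mod_ssl variable).
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

    # Keycloak's HTTP listener should accept connections from this proxy
    # only (loopback here); a request that bypasses httpd could otherwise
    # present a header of its own choosing.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

On the Keycloak side, the x509cert-lookup SPI is then configured with the Apache provider as described at the documentation link given above.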