[keycloak-user] Running Keycloak behind Apache Reverse Proxy

Nalyvayko, Peter pnalyvayko at agi.com
Fri Feb 22 11:50:07 EST 2019


Vikram,

Make sure your KC instance is internally accessible. I am posting examples of the Apache virtual host and the portion of the KC configuration relevant to the reverse proxy, where <internal ip address>:<internal port> are the IP address and port, respectively, that your Keycloak server is listening on.

=== <Apache>.conf ===

<IfModule mod_ssl.c>
<VirtualHost *:443>
...
        ProxyPreserveHost On
        ProxyRequests Off
        RequestHeader add "X-forwarded-proto" "https"

        RequestHeader set x-ssl-client-cert "%{SSL_CLIENT_CERT}s"

        ProxyPass "/auth" "http://<internal ip address>:<internal port>/auth"
        ProxyPassReverse "/auth" "http://<internal ip address>:<internal port>/auth"
...
</VirtualHost>
</IfModule>

==== standalone.xml ====

 <subsystem xmlns="urn:jboss:domain:undertow:7.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https-proxy" proxy-address-forwarding="true" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="<security realm>" enable-http2="true"/>
 .....
            </server>
.....

Hope this helps
Cheers,
--Peter
_____________________________________
From: Vikram [vikram.eswar at fleetroute.com]
Sent: Friday, February 22, 2019 6:33 AM
To: Nalyvayko, Peter; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Running Keycloak behind Apache Reverse Proxy

Hi Peter,

thanks a lot for your reply.

I have followed this link already with no luck.

I have set X-forwarded headers in my default-ssl.conf file as :

RequestHeader set X-Forwarded-Proto "https" env=HTTPS

RequestHeader set X-Forwarded-Port "443"

RemoteIPHeader X-Forwarded-For

Should I also set RemoteIPTrustedProxy and RemoteIPInternalProxy to 127.0.0.1, because everything is running on the same machine? Or should I add all of this in the security.conf file?

Where am I going wrong?

I am not getting a JSON response when I test the configuration using /auth/realms/master/.well-known/openid-configuration.

Regards,

Vikram



On 2/21/2019 10:13 PM, Nalyvayko, Peter wrote:

Here is a link to the more recent docs:

https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
________________________________________
From: Nalyvayko, Peter
Sent: Thursday, February 21, 2019 4:11 PM
To: Vikram; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Running Keycloak behind Apache Reverse Proxy

Vikram,




https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider



The instructions above only apply if you are trying to set up mutual SSL.

Take a look at https://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html for how to set up Keycloak behind a load balancer; there are a few changes to the Keycloak configuration you'll need to make.

Hope this helps
Regards
--Peter

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Vikram [vikram.eswar at fleetroute.com]
Sent: Thursday, February 21, 2019 11:40 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy

Hi all,

OS: Ubuntu 18.04

I am running an HTTPS-secured Apache server as a reverse proxy. Let's say
at https://example.com

Now, I have a Keycloak server running on the same machine, let's say at
http://localhost:1234 (note: HTTP)

I have set it up such that https://example.com/keycloak points to
http://localhost:1234

Now, I have a javascript application which is trying to authenticate
with Keycloak using a javascript adapter. In the keycloak.json
configuration file, I have the url set up as :

url : 'https://example.com/keycloak/auth'

This does not work. In order to access keycloak for authentication from
the outside world, I need this to connect.

Anything on this ?

I have already looked at this link :

https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider


I have tried setting the certificate lookup but I am not sure if I am
doing it right. I set it within the virtualhost block in the
default-ssl.conf file through RequestHeader.

Regards,

Vikram


_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
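
An added example, not written by anyone in this thread and not Keycloak code: it performs the check Vikram describes, reading the body returned by /auth/realms/master/.well-known/openid-configuration and confirming that it is JSON and that the advertised URLs carry the external scheme, host and path rather than the backend's. The names `check_discovery` and `sample` are hypothetical, the sample documents are constructed, and 10.0.0.5:8080 is a made-up internal address.

```python
import json
from urllib.parse import urlsplit

# Discovery-document fields whose URLs Keycloak derives from the scheme and
# host it believes the client used (i.e. from what the proxy forwarded).
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(body, external_base):
    """Return a list of findings; an empty list means the URLs match external_base."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not JSON: the request probably never reached Keycloak"]
    if not isinstance(doc, dict):
        return ["body is JSON but not a discovery document"]
    want = urlsplit(external_base)
    findings = []
    for field in URL_FIELDS:
        value = doc.get(field)
        if not isinstance(value, str):
            findings.append(f"{field}: missing")
            continue
        got = urlsplit(value)
        if got.scheme != want.scheme:  # X-Forwarded-Proto / proxy-address-forwarding
            findings.append(f"{field}: scheme {got.scheme!r}, expected {want.scheme!r}")
        if got.netloc != want.netloc:  # ProxyPreserveHost / forwarded host
            findings.append(f"{field}: host {got.netloc!r}, expected {want.netloc!r}")
        if not got.path.startswith(want.path.rstrip("/") + "/"):  # ProxyPass path
            findings.append(f"{field}: path {got.path!r} not under {want.path!r}")
    return findings

def sample(base):
    """Constructed discovery document for realm 'master' rooted at base."""
    realm = base + "/realms/master"
    oidc = realm + "/protocol/openid-connect"
    return json.dumps({"issuer": realm, "authorization_endpoint": oidc + "/auth",
                       "token_endpoint": oidc + "/token", "jwks_uri": oidc + "/certs"})

if __name__ == "__main__":
    # Constructed cases: correct proxying, forwarded headers ignored, and an
    # HTML error page returned instead of JSON.
    for body in (sample("https://example.com/auth"),
                 sample("http://10.0.0.5:8080/auth"),
                 "<html><body>503 Service Unavailable</body></html>"):
        print(check_discovery(body, "https://example.com/auth") or "OK")
```

A scheme or host finding points at the forwarding settings on both sides (the `RequestHeader` lines and `proxy-address-forwarding`), while a path finding means the public prefix differs from the `/auth` path the backend serves.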






