[keycloak-user] Running Keycloak behind Apache Reverse Proxy

Nalyvayko, Peter pnalyvayko at agi.com
Fri Feb 22 11:50:07 EST 2019


Make sure your KC instance is internally accessible. I am posting the examples of apache virtual host and the the portion of KC configuration relevant to reverse proxy, where <internal ip address>:<internal port> is the IP address and port respectively your keycloak server is listening on.

=== <Apache>.conf ===

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ProxyPreserveHost On
        ProxyRequests Off
        RequestHeader add "X-forwarded-proto" "https"

        RequestHeader set x-ssl-client-cert "%{SSL_CLIENT_CERT}s"

        ProxyPass "/auth" "http://<internal ip address>:<internal port>/auth"
        ProxyPassReverse "/auth" "http://<internal ip address>:<internal port>/auth"

==== standalone.xml ====

 <subsystem xmlns="urn:jboss:domain:undertow:7.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https-proxy" proxy-address-forwarding="true" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="<security realm>" enable-http2="true"/>

Hope this helps
From: Vikram [vikram.eswar at fleetroute.com]
Sent: Friday, February 22, 2019 6:33 AM
To: Nalyvayko, Peter; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Running Keycloak behind Apache Reverse Proxy

Hi Peter,

thanks a lot for your reply.

I have followed this link already with no luck.

I have set X-forwarded headers in my default-ssl.conf file as :

RequestHeader set X-Forwarded-Proto "https" env=HTTPS

RequestHeader set X-Forwarded-Port "443"

RemoteIPHeader X-Forwarded-For

Should I also set RemoteIPTrustedProxy and RemoteIPInternalProxy to ?  because everything is running in the same machine ? or should I add all of this in the security.conf file ?

Where am I going wrong ?

I am not getting a json response when I test the configuration using /auth/realms/master/.well-known/openid-configuration..



On 2/21/2019 10:13 PM, Nalyvayko, Peter wrote:

Here is a link to a more recent docs:

From: Nalyvayko, Peter
Sent: Thursday, February 21, 2019 4:11 PM
To: Vikram; keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: RE: [keycloak-user] Running Keycloak behind Apache Reverse Proxy



The instructions above only apply if you are trying to set up mutual SSL.

Take a look at https://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html how to set up keycloak behind load balancer, there are a few changes to the keycloak configuration you'll need to make

Hope this helps

From: keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org> [keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org>] on behalf of Vikram [vikram.eswar at fleetroute.com<mailto:vikram.eswar at fleetroute.com>]
Sent: Thursday, February 21, 2019 11:40 AM
To: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy

Hi all,

OS: Ubuntu 18.04

I am running an https secured apache server as a reverse proxy. Lets say
at https://example.com

Now, I have a keycloak server running on the same machine, lets say at
http://localhost:1234 (note: HTTP)

I have set it up such that https://example.com/keycloak points to

Now, I have a javascript application which is trying to authenticate
with Keycloak using a javascript adapter. In the keycloak.json
configuration file, I have the url set up as :

url : 'https://example.com/keycloak/auth|'|

This does not work. In order to access keycloak for authentication from
the outside world, I need this to connect.

Anything on this ?

I have already looked at this link :


I have tried setting the certificate lookup but I am not sure if I am
doing it right. I set it within the virtualhost block in the
default-ssl.conf file through RequestHeader.




keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>

More information about the keycloak-user mailing list