[keycloak-user] Running Keycloak behind Apache Reverse Proxy

Mon Feb 25 06:47:08 EST 2019

Hi Peter,

Thanks a lot again !

it works now. However, there was only one change that did the trick..

I changed this :

ProxyPass "/xyz" "http://<internal ip address>:<internal port>/"
ProxyPassReverse "/xyz" "http://<internal ip address>:<internal port>/"
to :
ProxyPass "/xyz" "http://<internal ip address>:<internal port>/auth"
ProxyPassReverse "/xyz" "http://<internal ip address>:<internal port>/auth"

I did not have "auth" at the end of the url in the reverse proxy settings. Instead, I had it in my keycloak.json file as 'https://example.com/xyz/auth'. I am not sure but I think keycloak redirects any request going to http://<internal ip address>:<internal port>/ to http://<internal ip address>:<internal port>/auth automatically.. or maybe not. I would appreciate a clarification on this if possible.

Nevertheless, thanks a lot for your time !

Regards,
Vikram

On 2/22/2019 5:50 PM, Nalyvayko, Peter wrote:

> Vikram,
>
> Make sure your KC instance is internally accessible. I am posting the examples of apache virtual host and the the portion of KC configuration relevant to reverse proxy, where <internal ip address>:<internal port> is the IP address and port respectively your keycloak server is listening on.
>
> === <Apache>.conf ===
>
> <IfModule mod_ssl.c>
> <VirtualHost *:443>
> ...
>          ProxyPreserveHost On
>          ProxyRequests Off
>          RequestHeader add "X-forwarded-proto" "https"
>
>          RequestHeader set x-ssl-client-cert "%{SSL_CLIENT_CERT}s"
>
>          ProxyPass "/auth" "http://<internal ip address>:<internal port>/auth"
>          ProxyPassReverse "/auth" "http://<internal ip address>:<internal port>/auth"
> ...
> </VirtualHost>
> </IfModule>
>
> ==== standalone.xml ====
>
>   <subsystem xmlns="urn:jboss:domain:undertow:7.0">
>              <buffer-cache name="default"/>
>              <server name="default-server">
>                  <http-listener name="default" socket-binding="http" redirect-socket="https-proxy" proxy-address-forwarding="true" enable-http2="true"/>
>                  <https-listener name="https" socket-binding="https" security-realm="<security realm>" enable-http2="true"/>
>   .....
>              </server>
> .....
>
> Hope this helps
> Cheers,
> --Peter
> _____________________________________
> From: Vikram [vikram.eswar at fleetroute.com]
> Sent: Friday, February 22, 2019 6:33 AM
> To: Nalyvayko, Peter; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
>
> Hi Peter,
>
> thanks a lot for your reply.
>
> I have followed this link already with no luck.
>
> I have set X-forwarded headers in my default-ssl.conf file as :
>
> RequestHeader set X-Forwarded-Proto "https" env=HTTPS
>
> RequestHeader set X-Forwarded-Port "443"
>
> RemoteIPHeader X-Forwarded-For
>
> Should I also set RemoteIPTrustedProxy and RemoteIPInternalProxy to 127.0.0.1 ?  because everything is running in the same machine ? or should I add all of this in the security.conf file ?
>
> Where am I going wrong ?
>
> I am not getting a json response when I test the configuration using /auth/realms/master/.well-known/openid-configuration..
>
> Regards,
>
> Vikram
>
>
>
> On 2/21/2019 10:13 PM, Nalyvayko, Peter wrote:
>
> Here is a link to a more recent docs:
>
> https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
> ________________________________________
> From: Nalyvayko, Peter
> Sent: Thursday, February 21, 2019 4:11 PM
> To: Vikram; keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> Subject: RE: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
>
> Vikram,
>
>
>
>
> https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider
>
>
>
> The instructions above only apply if you are trying to set up mutual SSL.
>
> Take a look at https://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html how to set up keycloak behind load balancer, there are a few changes to the keycloak configuration you'll need to make
>
> Hope this helps
> Regards
> --Peter
>
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org> [keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org>] on behalf of Vikram [vikram.eswar at fleetroute.com<mailto:vikram.eswar at fleetroute.com>]
> Sent: Thursday, February 21, 2019 11:40 AM
> To: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
>
> Hi all,
>
> OS: Ubuntu 18.04
>
> I am running an https secured apache server as a reverse proxy. Lets say
> at https://example.com
>
> Now, I have a keycloak server running on the same machine, lets say at
> http://localhost:1234 (note: HTTP)
>
> I have set it up such that https://example.com/keycloak points to
> http://localhost:1234
>
> Now, I have a javascript application which is trying to authenticate
> with Keycloak using a javascript adapter. In the keycloak.json
> configuration file, I have the url set up as :
>
> url : 'https://example.com/keycloak/auth|'|
>
> This does not work. In order to access keycloak for authentication from
> the outside world, I need this to connect.
>
> Anything on this ?
>
> I have already looked at this link :
>
> https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider
>
>
> I have tried setting the certificate lookup but I am not sure if I am
> doing it right. I set it within the virtualhost block in the
> default-ssl.conf file through RequestHeader.
>
> Regards,
>
> Vikram
>
>
> ||
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
>
>