[undertow-dev] How to configure Undertow programmatically at runtime within Wildfly?

Stuart Douglas sdouglas at redhat.com
Mon Aug 15 23:18:05 EDT 2016


I think you are going to need a management client based solution here.
At the moment the subsystem is not really designed to be extended in
this way.

Another possibility would be to install your own virtual host handler
in the default host (i.e. the host that gets selected if none match).
You could then control this programmatically. I don't think this would
be a great solution though.

Stuart

On Tue, Aug 9, 2016 at 7:04 PM, Thomas Darimont
<thomas.darimont at googlemail.com> wrote:
> Hello Stuart,
>
> thanks for your help :)
>
> My current understanding is that I need to proxy requests that are sent to a
> virtual host created
> at runtime by the Keycloak deployment and Keycloak would add some additional
> headers with auth information
> and takes care of authentication if necessary.
>
> Since this can be configured at runtime I don't see how I could use the
> ServletExtension (which is to my knowledge
> applied at start-time) to dynamically register virtual hosts with Undertow.
>
> The workflow is as follows:
>
> So an admin would create a new "proxied" client configuration in the
> Keycloak admin console where
> he would configure the name for a new virtual host and a target url.
>
> E.g. if the keycloak servername is "sso.acme.com" a user would create
> a proxied client with the following configuration:
> * clientid: app1
> * virtual host: app1.acme.com
> * target url: https://myapp1.com/app
> * Header Mapping: key value pairs with header name to (dynamic) expression
> mapping to inject in the proxied request
> * Certificate / public / private key
>
> The certificate is used to provide TLS for app1.acme.com - one could also
> use a wildcard cert here or generate
> the cert on the server on client setup.
>
> With that in place requests sent to: https://app1.acme.com/
> should be proxied to: https://myapp1.com/app/
> The DNS name app1.acme.com would of course resolve to the IP of
> sso.acme.com.
>
> A purely path-based solution would be to define a proxy endpoint like
> https://sso.acme.com/proxy/ which then
> proxies all requests sent to https://sso.acme.com/proxy/app1 to
> https://myapp1.com/app.
>
> The servlet based approach could easily be done with Servlets or JAX-RS
> endpoints, but I still wonder how the dynamic vhost registration could be
> done.
>
> Cheers,
> Thomas
>
> 2016-08-09 5:50 GMT+02:00 Stuart Douglas <sdouglas at redhat.com>:
>>
>> So does this need to proxy all requests, or just requests targeted at
>> the keycloak deployment? If it is the latter then you could just use
>> ServletExtension to set up the ProxyHandler.
>>
>> Stuart
>>
>> On Tue, Aug 9, 2016 at 6:35 AM, Thomas Darimont
>> <thomas.darimont at googlemail.com> wrote:
>> > Hello list,
>> >
>> > I'm currently working on embedding Keycloak's currently dedicated Proxy
>> > Server into Keycloak itself.
>> > For this I need to be able to dynamically configure Undertow's
>> > ProxyHandler
>> > and register VirtualHosts at runtime.
>> > For reference the discussion thread on keycloak-dev ML: [1]
>> >
>> > Keycloak uses the Undertow Subsystem provided by Wildfly 10 which is
>> > configured via the standalone(-ha).xml.
>> >
>> > I could already configure a reverse-proxy and additional hosts via
>> > jboss-cli
>> > but I wonder whether there is an API
>> > that I could use to get access to the undertow infrastructure from
>> > within a
>> > JAX-RS endpoint.
>> > I could probably also use the wildfly management client API or perhaps
>> > do
>> > something via JMX.
>> >
>> > Would be great if someone could give me a tip or an example for
>> > registering
>> > / configuring Undertow Handler or Virtual Hosts as described above.
>> >
>> > Btw. I saw that Undertow ships with a
>> > io.undertow.server.handlers.proxy.HostTable but I couldn't find
>> > any usage of it in the Undertow codebase - did I miss something or is
>> > this
>> > dead code?
>> >
>> > FYI current code of Keycloak dedicated Proxy Server (uses embedded
>> > undertow)
>> > can be found here: [0]
>> >
>> > Cheers,
>> > Thomas
>> > [0] https://github.com/keycloak/keycloak/tree/master/proxy
>> > [1]
>> > http://lists.jboss.org/pipermail/keycloak-dev/2016-August/007742.html
>> >
>> >
>
>
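Added example, not part of the original thread and not Undertow or Keycloak project code: a sketch of the second option in the reply above, a handler meant to sit in the default host and route by Host header to proxy targets that are registered and removed at runtime. The class name RuntimeVirtualHosts, the allowed-suffix check and the https-only target check are assumptions added here so that an admin-supplied configuration cannot claim arbitrary host names or point the proxy at arbitrary schemes; wiring the handler into WildFly's default host and building the XnioSsl instance are not shown.

```java
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.NameVirtualHostHandler;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.server.handlers.proxy.LoadBalancingProxyClient;
import org.xnio.ssl.XnioSsl;

import java.net.URI;
import java.util.Locale;

// Hypothetical class: a default-host handler whose virtual hosts change at runtime.
public final class RuntimeVirtualHosts implements HttpHandler {

    private final NameVirtualHostHandler hosts = new NameVirtualHostHandler();
    private final String allowedSuffix; // assumption: e.g. ".acme.com"
    private final XnioSsl ssl;          // TLS settings for the backend connections

    public RuntimeVirtualHosts(String allowedSuffix, XnioSsl ssl) {
        this.allowedSuffix = allowedSuffix.toLowerCase(Locale.ROOT);
        this.ssl = ssl;
        // Requests whose Host header matches no registered name get a 404.
        hosts.setDefaultHandler(ResponseCodeHandler.HANDLE_404);
    }

    // Called from the admin path, e.g. when a "proxied" client is saved.
    public void register(String virtualHost, URI target) {
        String name = virtualHost.toLowerCase(Locale.ROOT);
        if (!name.matches("[a-z0-9-]+(\\.[a-z0-9-]+)+") || !name.endsWith(allowedSuffix)) {
            throw new IllegalArgumentException("virtual host outside " + allowedSuffix);
        }
        if (!"https".equalsIgnoreCase(target.getScheme()) || target.getHost() == null) {
            throw new IllegalArgumentException("target must be an absolute https URL");
        }
        LoadBalancingProxyClient client = new LoadBalancingProxyClient().addHost(target, ssl);
        hosts.addHost(name, Handlers.proxyHandler(client));
    }

    // Called when the proxied client is deleted or disabled.
    public void unregister(String virtualHost) {
        hosts.removeHost(virtualHost.toLowerCase(Locale.ROOT));
    }

    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        // Delegate to whichever handler is registered for the request's Host header.
        hosts.handleRequest(exchange);
    }
}
```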

