Keycloak 24.0.4: Still needs KC_PROXY=edge

5,967 views
Skip to first unread message

Markus Karg

unread,
May 13, 2024, 9:11:08 AM5/13/24
to Keycloak User
I am running Keycloak 24.0.4 in prod mode (using KC_PROXY=edge and KC_PROXY_HEADERS=xforwarded) behind Traefik 3.0.0 reverse proxy. Traefik is configured to provide HTTPS only, and forwards to Keycloak using unsecured HTTP as we are in a safe private docker network (the Traefik container and the Keycloak container are the sole containers attached to this network).

Everything works fine so far, but the docs say KC_PROXY=edge is deprecated by KC_PROXY_HEADERS=xforwarded, so I tried to remove KC_PROXY=edge and just keep KC_PROXY_HEADERS=xforwarded . Unfortunately, that de facto makes KC fail to start in prod mode, asking for TLS now! :-(

So the question is: How to tell KC that we're still in the edge case? Providing KC_PROXY_HEADERS=xforwarded (as the docs pretend to be the successor of KC_PROXY=edge) apparently is not enough to convince KC that it doesn't need TLS!

Niko Köbler

unread,
May 13, 2024, 11:14:17 AM5/13/24
to Keycloak User
The docs say also, for replacement of edge, you have to set KC_HTTP_ENABLED=true

And when in doubt, ask your Keycloak Expert in your JUG network 😜

Markus Karg

unread,
May 15, 2024, 2:34:23 AM5/15/24
to Keycloak User
Niko, I actually did ask my Keycloak Expert in my JUG network, I just used a public way to give others a chance to learn from my dumb question! ;-)

Thank you for pointing me to the upgrading docs. Indeed, it works like a charm using KC_HTTP_ENABLED=true! 👍I didn't read them as I did not upgrade.

Unfortunately the config docs for KC_HTTP_PROXY ask to replace it by KC_PROXY_HEADERS solely... 🤦

Jon Koops

unread,
May 15, 2024, 3:24:33 AM5/15/24
to Markus Karg, Keycloak User
Hi Markus,

Feel free to log any missing documentation as an issue on our GitHub, or even submit a pull request if you are so inclined. We are always looking to improve our documentation.

Jon

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/af650971-97d5-4607-99b5-7fc38c7d1657n%40googlegroups.com.

Markus Karg

unread,
May 21, 2024, 2:35:48 AM5/21/24
to Keycloak User
Thank you, Jon and Niko, for all your kind help! You are amazing!

I actually filed an issue in the hope that someone could enhance the documentation briefly. It would have spared me hours of trial-and-error. Unfortunately I failed to provide a PR as I could not figure out how the source code of the mentioned docs sections works like... (silly me).
Reply all
Reply to author
Forward
0 new messages