How to disable SSL for latest Keycloak?
6,491 views
Skip to first unread message
Ron Cecchini
Jan 5, 2023, 1:58:36 PM1/5/23
to Keycloak User
Hi, all.
I started the latest keycloak (version 20.0.2) on AWS, port 8443.
I've tried various suggestions I found to get my browser working with https and port 8443 (to get to the Admin panel) but I think there are unresolvable issues connecting to 8443 from our network.
So I want to go back to running it on port 8080 and using http.
I can now get to the Keycloak landing page but when I click on the "Admin pane" link I get the error: "HTTPS required."
I've tried a couple of suggestions but it's still not working.
I've tried a couple of suggestions but it's still not working.
So the question is: What is the easiest and recommended way to disable SSL so my browser can use the Admin panel? And will these changes persist between container restarts?
Thank you very much.
gilles.etc...@gmail.com
Jan 6, 2023, 7:46:43 AM1/6/23
to Keycloak User
Hello,
Disclaimer (I have to) : Deactivate HTTPS is not recommended in production unless your servers are in a safe zone behind an HTTPS proxy (see edge mode here : https://www.keycloak.org/server/reverseproxy)
That beeing said, here are the environnement variable I use to allow HTTP access to console with KC X 20.0.2
The env var KC_HOSTNAME_STRICT_HTTPS (or its conter part in conf hostname-strict-https ) is not clearly described int he documentation
but you can find discussion here : https://github.com/keycloak/keycloak/discussions/11856
Or a little in the official doc in the frontend parameters :
https://www.keycloak.org/server/hostname#_frontend
Disclaimer (I have to) : Deactivate HTTPS is not recommended in production unless your servers are in a safe zone behind an HTTPS proxy (see edge mode here : https://www.keycloak.org/server/reverseproxy)
That beeing said, here are the environnement variable I use to allow HTTP access to console with KC X 20.0.2
# Dev Configuration in order to access in HTTP mode
- KC_HOSTNAME_STRICT=false #deactivate fixed hostname
- KC_HOSTNAME_STRICT_HTTPS=false #For local access to console admin in start mode
- KC_HTTP_ENABLED=true
- KC_HOSTNAME_STRICT=false #deactivate fixed hostname
- KC_HOSTNAME_STRICT_HTTPS=false #For local access to console admin in start mode
- KC_HTTP_ENABLED=true
The env var KC_HOSTNAME_STRICT_HTTPS (or its conter part in conf hostname-strict-https ) is not clearly described int he documentation
but you can find discussion here : https://github.com/keycloak/keycloak/discussions/11856
Or a little in the official doc in the frontend parameters :
https://www.keycloak.org/server/hostname#_frontend
Regards,
Gilles ETCHEPAREBORDE
Gilles ETCHEPAREBORDE
Ron Cecchini
Jan 9, 2023, 3:02:52 PM1/9/23
to Keycloak User
Hi, Gilles. Thank you for your response.
Yes, we will definitely enable SSL in production!
In the meantime, I was not able to disable SSL via the method you outlined above. I tried the following. And while it got me past the "HTTPS required" error, it then put me in a state with an endless spinner. It hung indefinitely.
docker run \
--name new-keycloak \-dti \
-p 8080:8080 \
-e KEYCLOAK_ADMIN=admin \
-e KEYCLOAK_ADMIN_PASSWORD=admin \
-e KC_HOSTNAME=localhost \
-e KC_HOSTNAME_STRICT=false \
-e KC_HOSTNAME_STRICT_HTTPS=false \
-e KC_HTTP_ENABLED=true \
quay.io/keycloak/keycloak:20.0.2 \
start-dev
---
However, I was able to manually disable SSL by doing the following.
I started the container without any of the 4 "KC_" environment variables.
And then I went into the container and used kcadm.sh like this:
# cd /opt/keycloak/bin
# ./kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin
# ./kcadm.sh update realms/master -s sslRequired=NONE
That worked like a charm.
This should be good enough for now, but do you know why the first method didn't work?
Thank you again.
Ron
Reply all
Reply to author
Forward
0 new messages