Problem with reverse-proxy configuration


Pascal Knüppel

Jan 2, 2023, 9:31:22 AM
to Keycloak User
Hi, I am trying to access keycloak behind an apache2 server, and the apache2 uses a different context-path than keycloak.

```
keycloak:     https://keycloak:8443/
```

apache2 delegates correctly to keycloak's index page, but the administration link looks like this:

instead of

Here is the configuration I tried:

apache2:
```

...

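# Proxy to the HTTPS backend; the next three settings turn off verification of the backend certificate
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off

# Keep the client's Host header and tell the backend the original scheme
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"

# Map /keycloak/ on the proxy to the root path of the backend
<Location /keycloak/ >
    RequestHeader set X-Forwarded-Prefix "keycloak"
    ProxyPass https://keycloak:8443/
    ProxyPassReverse https://keycloak:8443/
</Location>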

...

```

keycloak.conf

```
# Hostname for the Keycloak server.
hostname=apache2

# host name to access the web admin. Make sure this is not reachable over the internet!
hostname-admin=apache2

# use this if a reverse proxy is used to access the keycloak server and the reverse-proxy does not map the root-path
# to keycloak.
# example: The keycloak is reachable on its own server with https://localhost:8443/ but the reverse proxy makes the
# keycloak available under https://dvdv2/keycloak in this case set the hostname-path variable to "keycloak"
hostname-path=/keycloak
hostname-port=10443
```

What exactly am I doing wrong?

Pascal Knüppel

Jan 11, 2023, 8:33:42 AM
to Keycloak User
For all who are interested: this is simply not supported by keycloak in its current version. I opened an issue accordingly: https://github.com/keycloak/keycloak/issues/16348

gilles.etc...@gmail.com

Jan 11, 2023, 10:41:47 AM
to Keycloak User
Hello,

I am intrigued by your problem.

In our case, we use a different approach (and another reverse proxy, nginx or haproxy):

1 - our reverse proxy and keycloak listen to the same path /test/auth and the RP does not rewrite the path
=> is it possible in your apache conf to use something like this? (I am not used to apache)

```
<Location /keycloak/ >
    ProxyPass https://keycloak:8443/keycloak/
    ProxyPassReverse https://keycloak:8443/keycloak/
</Location>
```

2 - in KC, we use another configuration instead of hostname-path:

```
http-relative-path=/test/auth
```
(it is a build conf so, do not use --optimized in container mode with the default KC image):


Regards,

Gilles ETCHEPAREBORDE

Pietro Braghieri

Jan 12, 2023, 8:09:49 AM
to Keycloak User
If it may be useful,

I fixed a similar issue with nginx in front of keycloak by defining the following parameters:

```
--proxy=edge --hostname-url=https://apache2:10443/keycloak --hostname-admin-url=https://apache2:10443/keycloak
```

Pietro
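
A check for the symptom discussed in this thread, as an added example that is not part of any post: it takes a realm's OIDC discovery document and reports the browser-facing URLs that do not sit under the public base URL the proxy exposes. The sample documents, the realm name `demo` and the selection of keys are constructed for illustration.

```python
from urllib.parse import urlsplit

# Discovery-document keys that browsers follow (assumption: this selection
# is the example's own choice, not a list published by Keycloak).
FRONT_CHANNEL_KEYS = ("issuer", "authorization_endpoint", "end_session_endpoint")
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_and_path(url):
    """Return (scheme, host, port, path) with default ports made explicit."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port, parts.path


def misrouted_urls(discovery, public_base, keys=FRONT_CHANNEL_KEYS):
    """Map each checked key to the reason its URL is not under public_base."""
    b_scheme, b_host, b_port, b_path = _origin_and_path(public_base)
    prefix = b_path.rstrip("/")
    problems = {}
    for key in keys:
        url = discovery.get(key)
        if url is None:
            continue
        scheme, host, port, path = _origin_and_path(url)
        if scheme != b_scheme:  # e.g. X-Forwarded-Proto not honoured
            problems[key] = "scheme %s, expected %s" % (scheme, b_scheme)
        elif (host, port) != (b_host, b_port):  # backend address leaked
            problems[key] = "host %s:%s, expected %s:%s" % (host, port, b_host, b_port)
        elif path != prefix and not path.startswith(prefix + "/"):
            # Boundary check so /keycloak does not match /keycloak-old
            problems[key] = "path %s is outside %s/" % (path, prefix)
    return problems


# Constructed samples: a document from a backend that ignores the proxy
# prefix, and the form the thread is trying to reach.
BROKEN = {
    "issuer": "https://apache2:10443/realms/demo",
    "authorization_endpoint": "http://apache2:10443/keycloak/realms/demo/protocol/openid-connect/auth",
    "end_session_endpoint": "https://keycloak:8443/realms/demo/protocol/openid-connect/logout",
}
FIXED = {k: "https://apache2:10443/keycloak/realms/demo" + s for k, s in (
    ("issuer", ""),
    ("authorization_endpoint", "/protocol/openid-connect/auth"),
    ("end_session_endpoint", "/protocol/openid-connect/logout"))}

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, misrouted_urls(doc, "https://apache2:10443/keycloak"))
```

Against a running server, the document would be fetched through the proxy from the realm's `/.well-known/openid-configuration` path and passed to `misrouted_urls`.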
