Unwanted Loadbalancer redirection


Meissa M'baye Sakho

Jun 19, 2025, 4:26:07 AM
to Keycloak User
Hi all,
I'm facing an issue while trying to access the admin console from the load balancer that I've configured.
I'm deploying Keycloak 26.2.5 on AWS EC2 (VM mode then).
I've configured an ALB loadbalancer.
The issue seems to be related to the hostname configuration.

Below is my keycloak.conf
db=postgres
db-username=rhbk_user
db-password=rhbk_password
db-url-host=rhbk.cjcwi4qmgvnp.eu-west-2.rds.amazonaws.com
db-url-database=rhbkdb
db-url-port=5432
https-certificate-file=/opt/rhbk-26.2.5/conf/dev-auth.tme.net.sky.crt
https-certificate-key-file=/opt/rhbk-26.2.5/conf/keycloak_dev4.key
https-port=8443
log=console,file
log-file-level=info
hostname=https://internal-rhbkLB-20223877.eu-west-2.elb.amazonaws.com
#hostname=10.38.154.233


When I try to access the admin console via
https://internal-rhbkLB-20223877.eu-west-2.elb.amazonaws.com
or
https://internal-rhbkLB-20223877.eu-west-2.elb.amazonaws.com/admin/master/console

I'm always being redirected to
https://10.38.154.233/admin and it does not work.

I've tried to set the hostname-strict to false by enabling the http and it worked.
But it can't be applied on https.

Is there a way to get rid of this redirection?

-
Meissa Sakho, RHCA, AWS SAA

Principal Architect

Red Hat EMEA

msa...@redhat.com   

+33695597778
 


David Cook

Jun 19, 2025, 8:19:50 PM
to Meissa M'baye Sakho, Keycloak User
Hey Meissa,

I'm running Keycloak in a similar setup, and it's working for me.

My tip is to remove the "https://" from the hostname and to add the following:
proxy-headers=xforwarded

I can't 100% recall for sure, but I think I had a similar redirect issue when I had "https://" in the hostname behind a load-balanced setup. It'll still use HTTPS. But in a proxied setup, I think it generates URLs like "https://https://blahblah" and I think that causes the issue.

Anyway, try removing "https://" from the start of the hostname in keycloak.conf and add that "proxy-headers" config. It should sort it for you I think.

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia

Office: 02 9212 0899



Meissa M'baye Sakho

Jun 20, 2025, 6:07:06 AM
to David Cook, Keycloak User
David,
Did you set the hostname value to the load balancer DNS or the machine itself?
Thanks
-
Meissa Sakho, RHCA, AWS SAA


David Cook

Jun 22, 2025, 11:24:36 PM
to Meissa M'baye Sakho, Keycloak User

Hey Meissa,

Technically, we have our own custom DNS entry, which is a CNAME to the load balancer DNS. I used that custom DNS entry.

Since Keycloak uses it for its own self-generated URLs, it needs to be the URL that people accessing it via the Internet use.

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia

Office: 02 9212 0899
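
An added example, not part of any post in this thread and not Keycloak code: a small Python check of the `hostname` and `proxy-headers` settings discussed above, run against the posted configuration and against the same file with the reply's two changes applied. The finding names and the trimmed sample files are constructed for illustration; `forwarded` is the other value Keycloak accepts for `proxy-headers` besides the `xforwarded` quoted in the reply.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed samples: the proxy-related lines of the posted keycloak.conf,
# and the same lines with the reply's two changes applied.
POSTED = """\
hostname=https://internal-rhbkLB-20223877.eu-west-2.elb.amazonaws.com
#hostname=10.38.154.233
"""
SUGGESTED = """\
hostname=internal-rhbkLB-20223877.eu-west-2.elb.amazonaws.com
proxy-headers=xforwarded
"""

def parse_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def review_proxy_settings(conf):
    """Return finding codes (names made up for this example) for hostname/proxy-headers."""
    findings = []
    hostname = conf.get("hostname", "")
    has_scheme = "://" in hostname
    host = (urlsplit(hostname).hostname or "") if has_scheme else hostname
    if not hostname:
        findings.append("hostname-unset")
    elif has_scheme:
        findings.append("hostname-has-scheme")  # the reply suggests a bare host name
    try:
        ipaddress.ip_address(host)
        findings.append("hostname-is-ip")  # a node address, not the name users type
    except ValueError:
        pass
    proxy = conf.get("proxy-headers")
    if proxy is None:
        findings.append("proxy-headers-unset")  # X-Forwarded-* from the ALB is not used
    elif proxy not in ("forwarded", "xforwarded"):
        findings.append("proxy-headers-invalid")
    return findings

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, review_proxy_settings(parse_conf(text)))
```

Once `proxy-headers` is set, Keycloak trusts the `X-Forwarded-*` values it receives, so the instance's HTTPS port should accept connections only from the load balancer.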

 
