I configured mutual-ssl authentication on WF. That means that user coming to WF does SSL handshake allowing Keycloak to extract data from client certificate and map that data to an existing user at WF, and based on that authenticate the user.

Now, I need to configure reverse proxy in front of WF. I’m using Apache’s httpd.

The problem is that user’s browser now does SSL handshake with the reverse proxy server instead of WF and sends plain http request, disabling WF to map and authenticate the user.

Is there a proposed method to achieve this?

Can I configure some reverse proxy (maybe not httpd) to proxy requests on the transport layer?

Or should I somehow configure WF for this?

Maybe configure the proxy to be WFs client and do the authentication somehow?

Many thanks, Nikola