1 Reply Latest reply on Aug 23, 2019 11:26 AM by cweiler

    Keycloak8/Wildfly17 behind nginx reverse-proxy: standalone.xml config questions?

    pgnd42

      I'm setting up a 1st keycloak v8/head instance.

      It bundles WildFly 17 et al.

          egrep -i "<wildfly\.[a-z].*\.version>" keycloak/pom.xml
              <wildfly.version>17.0.1.Final</wildfly.version>
              <wildfly.build-tools.version>1.2.10.Final</wildfly.build-tools.version>
              <wildfly.core.version>9.0.2.Final</wildfly.core.version>
              <wildfly.common.version>1.5.1.Final</wildfly.common.version>
              <wildfly.plugin.version>1.1.0.Final</wildfly.plugin.version>

          jboss-cli>
            version
              JBoss Admin Command-line Interface
              JBOSS_HOME: /opt/keycloak
              Release: 9.0.2.Final
              Product: Keycloak 8.0.0-SNAPSHOT
              JAVA_HOME: /etc/alternatives/java_sdk_openjdk
              java.version: 12.0.2
              java.vm.vendor: Oracle Corporation
              java.vm.version: 12.0.2+9-suse-lp151.40.1-x8664
              os.name: Linux
              os.version: 5.2.9-25.g71d4424-default


      It's up & running.

      Both the admin & mgmt UIs are *directly* accessible & functional via http://, given

          jboss.http.port=8080
          jboss.management.http.port=9990

      at,

          http://10.0.0.1:8080
          http://10.0.0.1:9990


      respectively.

      So far, so good.

      I'm now trying to get it operating behind an SSL terminating Nginx reverse-proxy.

      I haven't found a good just-reverse-proxy example/doc yet.
      Closest so far is

      > Using Wildly as a static load balancer
      http://docs.wildfly.org/17/Admin_Guide.html#using-wildly-as-a-static-load-balancer

      which is for a load-balanced config, using ajp.

      Atm, I'm interested in a non-load-balanced config, and am unclear how to properly modify that config.

      My GOAL is to have the front-end, terminator respond, for keycloak, at

      > https://my.example.com:10001/keycloak

      Based on the referenced config above, I've got, atm,

          /subsystem=undertow/configuration=handler/reverse-proxy=my-handler:add()
          /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-host1/:add(host=my.example.com, port=10001)
          /subsystem=undertow/configuration=handler/reverse-proxy=my-handler/host=host1:add(outbound-socket-binding=remote-host1, scheme=ajp, instance-id=myroute, path=/keycloak)
          /subsystem=undertow/server=default-server/host=default-host/location=\/keycloak:add(handler=my-handler)

      but I'm not getting past the 1st page of the keycloak app to its login page -- when accessing via the terminator -- yet. So, some changes req'd.

      With NO loadbalancing, what "scheme=" attribute is used?  ajp isn't still appropriate, is it?

      Also, are the

          ... path=/keycloak ...
          ... location=\/keycloak ...


      path specs correct here?

        • 1. Re: Keycloak8/Wildfly17 behind nginx reverse-proxy: standalone.xml config questions?
          cweiler

          Hi,


          I will share my apache config, maybe you can convert it to nginx...


          We've made no changes on wildfly setup besides enabling ajp, but you can use http without problems:

            ServerName sso.domain.com
            ProxyPreserveHost On
            RequestHeader set X-Forwarded-Proto "https"
            RequestHeader set X-Forwarded-Port "443"
            ProxyPass / ajp://localhost:9009/
            ProxyPassReverse / ajp://localhost:9009/


          We don't use management interface on keycloak, only on applications running on wildfly, and we have a dedicated vhost config:

            ServerName app-mgmt.domain.com
            RequestHeader set X-Forwarded-Proto "https"
            RequestHeader set X-Forwarded-Port "443"
            RequestHeader unset Origin
            ProxyPreserveHost On
            ProxyPassReverseCookieDomain localhost app-mgmt.domain.com
            ProxyPass / http://localhost:9990/
            ProxyPassReverse / http://localhost:9990/


          In docker we setup this also (copied from keycloak docker official image):

            /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=${env.PROXY_ADDRESS_FORWARDING:false})
            /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=proxy-address-forwarding, value=${env.PROXY_ADDRESS_FORWARDING:false})


          And, we are facing problems reported here: Authentication required on Management Console


          > ajp isn't still appropriate, is it?

          We have same question.
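An nginx equivalent of the Apache vhost posted in the reply, added here as an example (it is not from either poster or from the Keycloak project); the hostname, listen port and certificate paths are assumptions, it proxies to WildFly's plain HTTP listener on 8080 instead of ajp, and it assumes proxy-address-forwarding=true has been written to the http-listener with the CLI command quoted above so Undertow honours the X-Forwarded-* headers.

```nginx
# Added example, not from the thread: SSL-terminating nginx in front of Keycloak.
# my.example.com, port 10001 and the cert paths are placeholders/assumptions.
server {
    listen 10001 ssl;
    server_name my.example.com;

    ssl_certificate     /etc/nginx/certs/my.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/certs/my.example.com.key;   # placeholder

    location / {
        # ProxyPreserveHost On: pass the Host header through unchanged
        # (including :10001) so Keycloak builds redirect and issuer URLs
        # for the public hostname rather than for localhost:8080.
        proxy_set_header Host              $http_host;

        # Equivalent of the RequestHeader X-Forwarded-Proto/Port lines above.
        # Undertow only trusts these when proxy-address-forwarding=true is set
        # on the listener; without it Keycloak thinks every request came over
        # http from the proxy's own address, so redirects fall back to http://
        # and brute-force detection sees 127.0.0.1 as the client.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port  10001;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # http instead of ajp (the reply notes http works without problems).
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The client-facing scheme and port are set explicitly rather than copied from the request, so a client cannot override what Keycloak records as its origin.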