1 Reply Latest reply on Apr 18, 2018 8:36 AM by robert-jboss

    Redirect to https

    robert-jboss

      I'm running Keycloak 3.4.3, based on WildFly 11.0 I think, and I would like to redirect http calls to https.

      I'm running in Domain mode with 2 server instances.

      WildFly is currently available on both port 8080 for http, and port 8443 for https.

      The http-listener in both the auth-server-clustered and load-balancer profile was already configured to have redirect-socket="https".


      I've tried two ways to redirect the calls.

      1) transport-guarantee set to CONFIDENTIAL in module keycloak-server-subsystem web.xml

      2) rewrite rule for the load balancer


      1)

      After setting the transport-guarantee to CONFIDENTIAL, I receive the following error in the server instance's server.log:

      UT010053: No confidential port is available to redirect the current request.


      https listeners are available for the server instances and load balancer, so I don't understand this error.


      2)

      I have added a filter-ref and rewrite in the load balancer profile.

      Unfortunately it has no effect.


      <subsystem xmlns="urn:jboss:domain:undertow:4.0">
          <buffer-cache name="default"/>
          <server name="default-server">
              <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
              <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
              <http-listener name="management" socket-binding="mcmp-management" enable-http2="true"/>
              <host name="default-host" alias="localhost">
                  <filter-ref name="http-to-https" predicate="equals(%p,8080)"/>
                  <filter-ref name="load-balancer"/>
              </host>
          </server>
          <servlet-container name="default"/>
          <filters>
              <rewrite name="http-to-https" target="https://%A:8443%U" redirect="true"/>
              <mod-cluster name="load-balancer" management-socket-binding="mcmp-management" advertise-socket-binding="modcluster" enable-http2="true" max-retries="3"/>
          </filters>
      </subsystem>


      *)

      Because the above attempts didn't work, I tried to just remove the http listeners for 8080.

      I deleted them in the load balancer and auth-server-clustered profile and in the socket-binding-groups.

      After I did this Keycloak/WildFly no longer starts.

      "Services that may be the cause:" => ["jboss.remoting.remotingConnectorInfoService.http-remoting-connector"]
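Whichever mechanism ends up doing the redirect, the practical check is to confirm from the client side that port 8080 answers with a sound redirect; the following is an added example, not code from the original post or from Keycloak/WildFly, that validates such a response (redirect status, https scheme, host kept, path and query preserved). Host names, addresses and responses are constructed. Undertow's exchange attribute `%A` expands to the local IP address and `%U` to the request path without the query string, so the second constructed Location has the shape a target of `https://%A:8443%U` produces.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_https_redirect(request_host, request_target, status, headers):
    """Validate an HTTP->HTTPS redirect; return the list of problems (empty = OK).

    request_host   -- Host header the client sent, e.g. "sso.example.com:8080"
    request_target -- path and query the client requested
    status/headers -- the response received on the plain-HTTP port
    """
    if status not in REDIRECT_STATUSES:
        return [f"status {status} is not a redirect"]
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        return ["redirect without a Location header"]
    target = urlsplit(location)
    wanted = urlsplit("http://" + request_host + request_target)
    problems = []
    if target.scheme != "https":
        problems.append(f"Location scheme is {target.scheme!r}, not https")
    if target.hostname != wanted.hostname:
        problems.append(f"host changed from {wanted.hostname} to {target.hostname}")
    if target.hostname and _is_ip(target.hostname):
        problems.append("Location points at a bare IP; a certificate issued for the host name will not match")
    if target.path != wanted.path:
        problems.append(f"path changed from {wanted.path} to {target.path}")
    if target.query != wanted.query:
        problems.append("query string dropped or altered")
    return problems


# Constructed sample request and responses (not captured from a real server).
REQUEST = ("sso.example.com:8080", "/auth/realms/master/account?foo=1")
GOOD = (302, {"Location": "https://sso.example.com:8443/auth/realms/master/account?foo=1"})
# Shape produced by a rewrite target of https://%A:8443%U: local IP, query string gone.
BAD = (302, {"Location": "https://10.0.0.5:8443/auth/realms/master/account"})

if __name__ == "__main__":
    for name, (status, headers) in (("good", GOOD), ("bad", BAD)):
        print(name, check_https_redirect(*REQUEST, status, headers) or "OK")
```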