Keycloak Setup for Production
In this guide I present the extra steps I had to take to prepare Keycloak to run in production. Before following it, we need to have completed the previous two guides:
Now that we have Keycloak installed and running on top of MySQL, we would also like to:
- Enable HTTPS/SSL with a Reverse Proxy
- Run Keycloak as a service
Beyond the proxy itself, there are a few things we need to configure on the Keycloak side. Our proxy forwards requests over plain HTTP, so we need to configure Keycloak to take the client's IP address from the `X-Forwarded-For` header rather than from the network packet. To do this, we open the profile configuration file `standalone.xml` and look for the `urn:jboss:domain:undertow:3.0` XML block. After the change it should look like the following:
```xml
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <ajp-listener name="ajp" socket-binding="ajp"/>
        <http-listener name="default" socket-binding="http" redirect-socket="https"
                       proxy-address-forwarding="true"/>
        ...
    </server>
    ...
</subsystem>
```
We've added the `proxy-address-forwarding` attribute to the `http-listener` element and set its value to `true`.
Assuming that your reverse proxy doesn't use port 8443 for SSL, you also need to configure what port HTTPS traffic is redirected to.
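As an added check that is not part of this guide, the script below parses a `standalone.xml`, reports whether each `http-listener` has `proxy-address-forwarding` enabled, and resolves its `redirect-socket` to the bound port so it can be compared with the port the proxy serves SSL on; the sample XML is constructed here and the function and parameter names are my own.

```python
import xml.etree.ElementTree as ET

UNDERTOW_NS = "urn:jboss:domain:undertow:3.0"

# Constructed standalone.xml fragment: the listener before the change above.
SAMPLE = """<server xmlns="urn:jboss:domain:4.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:3.0">
      <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
      </server>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets">
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
  </socket-binding-group>
</server>"""
# The same fragment after adding the attribute the guide describes.
FIXED = SAMPLE.replace('redirect-socket="https"',
                       'redirect-socket="https" proxy-address-forwarding="true"')

def audit_listeners(xml_text):
    """Per http-listener: is proxy-address-forwarding on, and where do HTTPS redirects go."""
    root = ET.fromstring(xml_text)
    domain_ns = root.tag[1:root.tag.index("}")]  # urn:jboss:domain:X.Y from the root tag
    ports = {sb.get("name"): sb.get("port")
             for sb in root.iter(f"{{{domain_ns}}}socket-binding")}
    return {
        lst.get("name"): {
            "proxy_address_forwarding": lst.get("proxy-address-forwarding") == "true",
            "redirect_port": ports.get(lst.get("redirect-socket")),
        }
        for lst in root.iter(f"{{{UNDERTOW_NS}}}http-listener")
    }

def findings(xml_text, proxy_https_port="8443"):
    """Human-readable problems; an empty list means the file matches the guide."""
    out = []
    for name, info in audit_listeners(xml_text).items():
        if not info["proxy_address_forwarding"]:
            out.append(f"{name}: proxy-address-forwarding is not true; Keycloak "
                       "will record the proxy's IP instead of the client's")
        port = info["redirect_port"] or ""
        # Binding ports look like ${jboss.https.port:8443}; compare on the default value.
        if port.rsplit(":", 1)[-1].rstrip("}") != proxy_https_port:
            out.append(f"{name}: HTTPS redirect resolves to {port!r}, "
                       f"but the proxy serves SSL on {proxy_https_port}")
    return out
```

With `proxy-address-forwarding` on, Keycloak trusts whatever `X-Forwarded-For` value reaches it, so the HTTP listener should accept connections only from the reverse proxy. The same attribute can also be set without hand-editing the file via jboss-cli: `/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)`.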