Keycloak Setup for Production

Adrian Matei edited this page May 23, 2017 · 6 revisions

In this guide I present the extra steps I had to take to prepare Keycloak to run in production. Before following it, you should have completed the previous two guides:

  1. Keycloak Setup for Development
  2. Keycloak MySQL Setup

Ok, now that we have Keycloak installed and running on top of MySQL, we also want to:

  1. Enable HTTPS/SSL with a Reverse Proxy
  2. Run Keycloak as a service

Setting up a Proxy

Beyond the proxy itself, there are a few things we need to configure on the Keycloak side. Our proxy forwards requests to Keycloak over plain HTTP, so we need to configure Keycloak to take the client's IP address from the X-Forwarded-For header rather than from the network packet. Keycloak then trusts whatever that header says, so the HTTP listener should be reachable only from the proxy. To do this, open the profile configuration file standalone.xml and look for the urn:jboss:domain:undertow:3.0 XML block. After the change it should look like the following:

<subsystem xmlns="urn:jboss:domain:undertow:3.0">
   <buffer-cache name="default"/>
   <server name="default-server">
      <ajp-listener name="ajp" socket-binding="ajp"/>
      <http-listener name="default" socket-binding="http" redirect-socket="https"
          proxy-address-forwarding="true"/>
      ...
   </server>
   ...
</subsystem>

We've added the proxy-address-forwarding attribute to the http-listener element and set its value to true.

Enable HTTPS/SSL with a Reverse Proxy

If your reverse proxy does not use port 8443 for SSL, you also need to configure which port HTTPS traffic is redirected to.

<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    ...
    <http-listener name="default" socket-binding="http"
        proxy-address-forwarding="true" redirect-socket="proxy-https"/>
    ...
</subsystem>

Add the redirect-socket attribute to the http-listener element. Its value, proxy-https, refers to a socket binding that you also need to define.

Then add a new socket-binding element to the socket-binding-group element:

<socket-binding-group name="standard-sockets" default-interface="public"
    port-offset="${jboss.socket.binding.port-offset:0}">
    ...
    <socket-binding name="proxy-https" port="443"/>
    ...
</socket-binding-group>
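To confirm that the two edits above fit together (the listener trusts X-Forwarded-For, and its redirect-socket names a binding that really exists), here is a small checker for standalone.xml. It is an added example, not code from the Keycloak project or from this guide, and the embedded standalone.xml is a constructed, trimmed sample.

```python
# Sanity-check the reverse-proxy settings of a Keycloak (WildFly) standalone.xml.
import xml.etree.ElementTree as ET

# Constructed, trimmed standalone.xml: the edited undertow block plus the
# socket-binding-group that must define the binding redirect-socket names.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:4.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:3.0">
      <server name="default-server">
        <http-listener name="default" socket-binding="http"
            proxy-address-forwarding="true" redirect-socket="proxy-https"/>
      </server>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets" default-interface="public"
      port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="proxy-https" port="443"/>
  </socket-binding-group>
</server>"""

UNDERTOW_NS = "{urn:jboss:domain:undertow:3.0}"


def check_proxy_config(xml_text, listener_name="default"):
    """Return a summary dict; an empty 'problems' list means the listener is proxy-ready."""
    root = ET.fromstring(xml_text)
    summary = {"proxy_address_forwarding": False, "redirect_socket": None,
               "redirect_port": None, "problems": []}
    listener = root.find(
        f".//{UNDERTOW_NS}http-listener[@name='{listener_name}']")
    if listener is None:
        summary["problems"].append(f"no http-listener named {listener_name!r}")
        return summary
    # With proxy-address-forwarding Undertow takes the client IP from
    # X-Forwarded-For, so this listener must be reachable only via the proxy.
    summary["proxy_address_forwarding"] = (
        listener.get("proxy-address-forwarding") == "true")
    if not summary["proxy_address_forwarding"]:
        summary["problems"].append("proxy-address-forwarding is not true")
    target = summary["redirect_socket"] = listener.get("redirect-socket")
    if target is None:
        summary["problems"].append("redirect-socket is missing")
        return summary
    binding = root.find(  # {*}: the root namespace version varies by WildFly release
        f".//{{*}}socket-binding-group/{{*}}socket-binding[@name='{target}']")
    if binding is None:
        summary["problems"].append(f"redirect-socket {target!r} is not defined")
    summary["redirect_port"] = None if binding is None else binding.get("port")
    return summary
```

Run it against your real standalone.xml (read the file and pass its text) before restarting Keycloak; a non-empty problems list points at the attribute or binding still missing.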
