Enhance documentation regarding edge termination (#30170)

Closes #29665

Signed-off-by: Michael Warnecke <WarneckeMichael@web.de>
MWarnecke 2024-06-10 09:47:20 +02:00 committed by GitHub
parent d29dbf0f7a
commit 0c6558612f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 17 additions and 8 deletions


@ -29,6 +29,8 @@ If this header is incorrectly configured, rogue clients can set this header and
NOTE: When using the `xforwarded` setting, the `X-Forwarded-Port` takes precedence over any port included in the `X-Forwarded-Host`.
NOTE: If the TLS connection is terminated at the reverse proxy (edge termination), enabling HTTP through the http-enabled setting is required.
== Proxy modes
NOTE: The support for setting proxy modes is deprecated and will be removed in a future {project_name} release. Consider configuring accepted reverse proxy headers instead as described in the chapter above. For migration instructions consult the https://www.keycloak.org/docs/latest/upgrading/index.html#deprecated-proxy-option[Upgrading Guide].
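Review bot: The edge-termination NOTE names the http-enabled setting in plain text, while the NOTE just above it marks `xforwarded`, `X-Forwarded-Port` and `X-Forwarded-Host` as literals; format it as `http-enabled` so it reads as an option name. Since the surrounding text already warns that rogue clients can set forwarding headers, the note should also say that once HTTP is enabled the plain HTTP listener must be reachable only from the reverse proxy, otherwise a client that connects to it directly bypasses the TLS edge and can supply those headers itself.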


@ -1,6 +1,7 @@
package org.keycloak.config;
import java.util.Set;
import java.util.List;
import java.util.TreeSet;
public class ProxyOptions {
@ -39,7 +40,7 @@ public class ProxyOptions {
.category(OptionCategory.PROXY)
.description("The proxy address forwarding mode if the server is behind a reverse proxy.")
.defaultValue(Mode.none)
.deprecated(Set.of(PROXY_HEADERS.getKey()))
.deprecated(new TreeSet<>(List.of(PROXY_HEADERS.getKey(), HttpOptions.HTTP_ENABLED.getKey())))
.build();
public static final Option<Boolean> PROXY_FORWARDED_HOST = new OptionBuilder<>("proxy-forwarded-host", Boolean.class)
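Review bot: The switch from `Set.of(...)` to `new TreeSet<>(List.of(...))` in the `.deprecated(...)` call carries no comment explaining why a sorted set is needed. `Set.of` has unspecified iteration order, so with two keys the generated hint could list them in either order; the TreeSet is what keeps the help text stable as "http-enabled, proxy-headers". Please add a one-line comment to that effect, or have `deprecated(...)` sort its input, so a later cleanup does not revert this to `Set.of` and make the CLI help output non-deterministic.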


@ -236,7 +236,8 @@ Proxy:
--proxy <mode> DEPRECATED. The proxy address forwarding mode if the server is behind a
reverse proxy. Possible values are: none, edge, reencrypt, passthrough.
Default: none. Use the following option instead: proxy-headers.
Default: none. Use the following options instead: http-enabled,
proxy-headers.
--proxy-headers <headers>
The proxy headers that should be accepted by the server. Misconfiguration
might leave the server exposed to security vulnerabilities. Takes precedence
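Review bot: The new hint "Use the following options instead: http-enabled, proxy-headers." on the `--proxy <mode>` entry presents both options as replacements for every mode, but the documentation note added in this commit requires http-enabled only when TLS is terminated at the reverse proxy (edge). Someone migrating from reencrypt or passthrough could read this as an instruction to turn on the plain HTTP listener, which those modes do not need. Consider scoping the hint, for example by stating in the option description that http-enabled applies to edge termination only. The same wording appears in the other help-text hunks of this commit.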


@ -312,7 +312,8 @@ Proxy:
--proxy <mode> DEPRECATED. The proxy address forwarding mode if the server is behind a
reverse proxy. Possible values are: none, edge, reencrypt, passthrough.
Default: none. Use the following option instead: proxy-headers.
Default: none. Use the following options instead: http-enabled,
proxy-headers.
--proxy-headers <headers>
The proxy headers that should be accepted by the server. Misconfiguration
might leave the server exposed to security vulnerabilities. Takes precedence


@ -237,7 +237,8 @@ Proxy:
--proxy <mode> DEPRECATED. The proxy address forwarding mode if the server is behind a
reverse proxy. Possible values are: none, edge, reencrypt, passthrough.
Default: none. Use the following option instead: proxy-headers.
Default: none. Use the following options instead: http-enabled,
proxy-headers.
--proxy-headers <headers>
The proxy headers that should be accepted by the server. Misconfiguration
might leave the server exposed to security vulnerabilities. Takes precedence


@ -313,7 +313,8 @@ Proxy:
--proxy <mode> DEPRECATED. The proxy address forwarding mode if the server is behind a
reverse proxy. Possible values are: none, edge, reencrypt, passthrough.
Default: none. Use the following option instead: proxy-headers.
Default: none. Use the following options instead: http-enabled,
proxy-headers.
--proxy-headers <headers>
The proxy headers that should be accepted by the server. Misconfiguration
might leave the server exposed to security vulnerabilities. Takes precedence


@ -189,7 +189,8 @@ Proxy:
--proxy <mode> DEPRECATED. The proxy address forwarding mode if the server is behind a
reverse proxy. Possible values are: none, edge, reencrypt, passthrough.
Default: none. Use the following option instead: proxy-headers.
Default: none. Use the following options instead: http-enabled,
proxy-headers.
--proxy-headers <headers>
The proxy headers that should be accepted by the server. Misconfiguration
might leave the server exposed to security vulnerabilities. Takes precedence


@ -265,7 +265,8 @@ Proxy:
--proxy <mode> DEPRECATED. The proxy address forwarding mode if the server is behind a
reverse proxy. Possible values are: none, edge, reencrypt, passthrough.
Default: none. Use the following option instead: proxy-headers.
Default: none. Use the following options instead: http-enabled,
proxy-headers.
--proxy-headers <headers>
The proxy headers that should be accepted by the server. Misconfiguration
might leave the server exposed to security vulnerabilities. Takes precedence