Add instructions to configure a reverse proxy with KC
This commit is contained in:
Stian Thorgersen
parent
37bfb2c594
commit
28adc28a56
1 changed files with 160 additions and 131 deletions
|
|
@ -337,9 +337,17 @@ keycloak-war-dist-all-1.0-beta-3-SNAPSHOT/
|
||||||
<warning>
|
<warning>
|
||||||
<para>
|
<para>
|
||||||
Keycloak is not set up by default to handle SSL/HTTPS in either the
|
Keycloak is not set up by default to handle SSL/HTTPS in either the
|
||||||
war distribution or appliance. It is highly recommended that you enable it!
|
war distribution or appliance. It is highly recommended that you either enable SSL on the Keycloak server
|
||||||
|
itself or on a reverse proxy in front of the Keycloak server.
|
||||||
</para>
|
</para>
|
||||||
</warning>
|
</warning>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
First enable SSL on Keycloak or on a reverse proxy in front of Keycloak. Then configure the Keycloak Server to enforce HTTPS connections.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Enable SSL on Keycloak</title>
|
||||||
<para>
|
<para>
|
||||||
The following things need to be done
|
The following things need to be done
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
|
|
@ -352,10 +360,6 @@ keycloak-war-dist-all-1.0-beta-3-SNAPSHOT/
|
||||||
<listitem>
|
<listitem>
|
||||||
Enable JBoss or Wildfly to use this certificate and turn on SSL/HTTPS.
|
Enable JBoss or Wildfly to use this certificate and turn on SSL/HTTPS.
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
|
||||||
Configure the Keycloak Server to enforce HTTPS connections.
|
|
||||||
</listitem>
|
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</para>
|
</para>
|
||||||
<section>
|
<section>
|
||||||
|
|
@ -373,8 +377,8 @@ keycloak-war-dist-all-1.0-beta-3-SNAPSHOT/
|
||||||
to do with the <literal>keytool</literal> utility that comes with the Java jdk.
|
to do with the <literal>keytool</literal> utility that comes with the Java jdk.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
<programlisting>
|
<programlisting>
|
||||||
$ keytool -genkey -alias localhost -keyalg RSA -keystore keycloak.jks -validity 10950
|
$ keytool -genkey -alias localhost -keyalg RSA -keystore keycloak.jks -validity 10950
|
||||||
Enter keystore password: secret
|
Enter keystore password: secret
|
||||||
Re-enter new password: secret
|
Re-enter new password: secret
|
||||||
What is your first and last name?
|
What is your first and last name?
|
||||||
|
|
@ -391,7 +395,7 @@ $ keytool -genkey -alias localhost -keyalg RSA -keystore keycloak.jks -validity
|
||||||
[Unknown]: US
|
[Unknown]: US
|
||||||
Is CN=localhost, OU=Keycloak, O=Test, L=Westford, ST=MA, C=US correct?
|
Is CN=localhost, OU=Keycloak, O=Test, L=Westford, ST=MA, C=US correct?
|
||||||
[no]: yes
|
[no]: yes
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
You should answer the <literal>What is your first and last name?</literal> question with
|
You should answer the <literal>What is your first and last name?</literal> question with
|
||||||
|
|
@ -407,44 +411,44 @@ $ keytool -genkey -alias localhost -keyalg RSA -keystore keycloak.jks -validity
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
The first thing to do is generate a Certificate Request:
|
The first thing to do is generate a Certificate Request:
|
||||||
<programlisting>
|
<programlisting>
|
||||||
$ keytool -certreq -alias yourdomain -keystore keycloak.jks > keycloak.careq
|
$ keytool -certreq -alias yourdomain -keystore keycloak.jks > keycloak.careq
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Where <literal>yourdomain</literal> is a DNS name for which this certificate is generated for.
|
Where <literal>yourdomain</literal> is a DNS name for which this certificate is generated for.
|
||||||
Keytool generates the request:
|
Keytool generates the request:
|
||||||
<programlisting>
|
<programlisting>
|
||||||
-----BEGIN NEW CERTIFICATE REQUEST-----
|
-----BEGIN NEW CERTIFICATE REQUEST-----
|
||||||
MIIC2jCCAcICAQAwZTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMREwDwYDVQQHEwhXZXN0Zm9y
|
MIIC2jCCAcICAQAwZTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMREwDwYDVQQHEwhXZXN0Zm9y
|
||||||
ZDEQMA4GA1UEChMHUmVkIEhhdDEQMA4GA1UECxMHUmVkIEhhdDESMBAGA1UEAxMJbG9jYWxob3N0
|
ZDEQMA4GA1UEChMHUmVkIEhhdDEQMA4GA1UECxMHUmVkIEhhdDESMBAGA1UEAxMJbG9jYWxob3N0
|
||||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr7kck2TaavlEOGbcpi9c0rncY4HhdzmY
|
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr7kck2TaavlEOGbcpi9c0rncY4HhdzmY
|
||||||
Ax2nZfq1eZEaIPqI5aTxwQZzzLDK9qbeAd8Ji79HzSqnRDxNYaZu7mAYhFKHgixsolE3o5Yfzbw1
|
Ax2nZfq1eZEaIPqI5aTxwQZzzLDK9qbeAd8Ji79HzSqnRDxNYaZu7mAYhFKHgixsolE3o5Yfzbw1
|
||||||
29Rvy+eUVe+WZxv5oo9wolVVpdSINIMEL2LaFhtX/c1dqiqYVpfnvFshZQaIg2nL8juzZcBjj4as
|
29Rvy+eUVe+WZxv5oo9wolVVpdSINIMEL2LaFhtX/c1dqiqYVpfnvFshZQaIg2nL8juzZcBjj4as
|
||||||
H98gIS7khql/dkZKsw9NLvyxgJvp7PaXurX29fNf3ihG+oFrL22oFyV54BWWxXCKU/GPn61EGZGw
|
H98gIS7khql/dkZKsw9NLvyxgJvp7PaXurX29fNf3ihG+oFrL22oFyV54BWWxXCKU/GPn61EGZGw
|
||||||
Ft2qSIGLdctpMD1aJR2bcnlhEjZKDksjQZoQ5YMXaAGkcYkG6QkgrocDE2YXDbi7GIdf9MegVJ35
|
Ft2qSIGLdctpMD1aJR2bcnlhEjZKDksjQZoQ5YMXaAGkcYkG6QkgrocDE2YXDbi7GIdf9MegVJ35
|
||||||
2DQMpwIDAQABoDAwLgYJKoZIhvcNAQkOMSEwHzAdBgNVHQ4EFgQUQwlZJBA+fjiDdiVzaO9vrE/i
|
2DQMpwIDAQABoDAwLgYJKoZIhvcNAQkOMSEwHzAdBgNVHQ4EFgQUQwlZJBA+fjiDdiVzaO9vrE/i
|
||||||
n2swDQYJKoZIhvcNAQELBQADggEBAC5FRvMkhal3q86tHPBYWBuTtmcSjs4qUm6V6f63frhveWHf
|
n2swDQYJKoZIhvcNAQELBQADggEBAC5FRvMkhal3q86tHPBYWBuTtmcSjs4qUm6V6f63frhveWHf
|
||||||
PzRrI1xH272XUIeBk0gtzWo0nNZnf0mMCtUBbHhhDcG82xolikfqibZijoQZCiGiedVjHJFtniDQ
|
PzRrI1xH272XUIeBk0gtzWo0nNZnf0mMCtUBbHhhDcG82xolikfqibZijoQZCiGiedVjHJFtniDQ
|
||||||
9bMDUOXEMQ7gHZg5q6mJfNG9MbMpQaUVEEFvfGEQQxbiFK7hRWU8S23/d80e8nExgQxdJWJ6vd0X
|
9bMDUOXEMQ7gHZg5q6mJfNG9MbMpQaUVEEFvfGEQQxbiFK7hRWU8S23/d80e8nExgQxdJWJ6vd0X
|
||||||
MzzFK6j4Dj55bJVuM7GFmfdNC52pNOD5vYe47Aqh8oajHX9XTycVtPXl45rrWAH33ftbrS8SrZ2S
|
MzzFK6j4Dj55bJVuM7GFmfdNC52pNOD5vYe47Aqh8oajHX9XTycVtPXl45rrWAH33ftbrS8SrZ2S
|
||||||
vqIFQeuLL3BaHwpl3t7j2lMWcK1p80laAxEASib/fAwrRHpLHBXRcq6uALUOZl4Alt8=
|
vqIFQeuLL3BaHwpl3t7j2lMWcK1p80laAxEASib/fAwrRHpLHBXRcq6uALUOZl4Alt8=
|
||||||
-----END NEW CERTIFICATE REQUEST-----
|
-----END NEW CERTIFICATE REQUEST-----
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Send this ca request to your CA. The CA will issue you a signed certificate and send it to you.
|
Send this ca request to your CA. The CA will issue you a signed certificate and send it to you.
|
||||||
Before you import your new cert, you must obtain and import the root certificate of the CA.
|
Before you import your new cert, you must obtain and import the root certificate of the CA.
|
||||||
You can download the cert from CA (ie.: root.crt) and import as follows:
|
You can download the cert from CA (ie.: root.crt) and import as follows:
|
||||||
<programlisting>
|
<programlisting>
|
||||||
$ keytool -import -keystore keycloak.jks -file root.crt -alias root
|
$ keytool -import -keystore keycloak.jks -file root.crt -alias root
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Last step is import your new CA generated certificate to your keystore:
|
Last step is import your new CA generated certificate to your keystore:
|
||||||
<programlisting>
|
<programlisting>
|
||||||
$ keytool -import -alias yourdomain -keystore keycloak.jks -file your-certificate.cer
|
$ keytool -import -alias yourdomain -keystore keycloak.jks -file your-certificate.cer
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
@ -464,12 +468,12 @@ $ keytool -import -alias yourdomain -keystore keycloak.jks -file your-certificat
|
||||||
<keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />
|
<keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />
|
||||||
</ssl>
|
</ssl>
|
||||||
</server-identities>
|
</server-identities>
|
||||||
</security-realm>]]></programlisting>
|
</security-realm>]]></programlisting>
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Find the element <literal><server name="default-server"></literal> (it's a child element of <literal><subsystem xmlns="urn:jboss:domain:undertow:1.0"></literal>) and add:
|
Find the element <literal><server name="default-server"></literal> (it's a child element of <literal><subsystem xmlns="urn:jboss:domain:undertow:1.0"></literal>) and add:
|
||||||
<programlisting><![CDATA[<https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
|
<programlisting><![CDATA[<https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
|
||||||
]]></programlisting>
|
]]></programlisting>
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Check the <ulink url="https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration">Wildfly Undertow</ulink> documentation for more information on fine tuning the socket connections.
|
Check the <ulink url="https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration">Wildfly Undertow</ulink> documentation for more information on fine tuning the socket connections.
|
||||||
|
|
@ -498,6 +502,30 @@ $ keytool -import -alias yourdomain -keystore keycloak.jks -file your-certificat
|
||||||
Check the <ulink url="https://docs.jboss.org/author/display/AS71/SSL+setup+guide">JBoss</ulink> documentation for more information on fine tuning the socket connections.
|
Check the <ulink url="https://docs.jboss.org/author/display/AS71/SSL+setup+guide">JBoss</ulink> documentation for more information on fine tuning the socket connections.
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Enable SSL on a Reverse Proxy</title>
|
||||||
|
<para>
|
||||||
|
Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak.
|
||||||
|
It is important that you make sure the web server sets the <literal>X-Forwarded-For</literal> and
|
||||||
|
<literal>X-Forwarded-Proto</literal> headers on the requests made to Keycloak. Next you need to enable
|
||||||
|
<literal>proxy-address-forwarding</literal> on the Keycloak http connector. This is done by editing
|
||||||
|
<literal>standalone/configuration/standalone.xml</literal>.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
<programlisting><![CDATA[<subsystem xmlns="urn:jboss:domain:undertow:1.1">
|
||||||
|
...
|
||||||
|
<http-listener name="default" socket-binding="http" proxy-address-forwarding="true"/>
|
||||||
|
...
|
||||||
|
</subsystem>
|
||||||
|
]]></programlisting>
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
Check the <ulink url="https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration">WildFly</ulink> documentation for more information.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Enforce HTTPS For Server Connections</title>
|
<title>Enforce HTTPS For Server Connections</title>
|
||||||
<para>
|
<para>
|
||||||
|
|
@ -519,6 +547,7 @@ $ keytool -import -alias yourdomain -keystore keycloak.jks -file your-certificat
|
||||||
</web-app>]]></programlisting>
|
</web-app>]]></programlisting>
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Enforce HTTPS at Realm Level</title>
|
<title>Enforce HTTPS at Realm Level</title>
|
||||||
<para>
|
<para>
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue