Add instructions to configure a reverse proxy with KC

2014-06-18 09:59:23 +01:00 · 2014-06-18 09:59:23 +01:00 · 28adc28a56
commit 28adc28a56
parent 37bfb2c594
1 changed files with 160 additions and 131 deletions
--- a/docbook/reference/en/en-US/modules/server-installation.xml
+++ b/docbook/reference/en/en-US/modules/server-installation.xml
@ -337,9 +337,17 @@ keycloak-war-dist-all-1.0-beta-3-SNAPSHOT/
            <warning>
                <para>
                    Keycloak is not set up by default to handle SSL/HTTPS in either the
-                    war distribution or appliance.  It is highly recommended that you enable it!
+                    war distribution or appliance.  It is highly recommended that you either enable SSL on the Keycloak server
+                    itself or on a reverse proxy in front of the Keycloak server.
                </para>
            </warning>
+
+            <para>
+                First enable SSL on Keycloak or on a reverse proxy in front of Keycloak. Then configure the Keycloak Server to enforce HTTPS connections.
+            </para>
+
+            <section>
+                <title>Enable SSL on Keycloak</title>
                <para>
                    The following things need to be done
                    <itemizedlist>
@ -352,10 +360,6 @@ keycloak-war-dist-all-1.0-beta-3-SNAPSHOT/
                        <listitem>
                            Enable JBoss or Wildfly to use this certificate and turn on SSL/HTTPS.
                        </listitem>
-
-                    <listitem>
-                        Configure the Keycloak Server to enforce HTTPS connections.
-                    </listitem>
                    </itemizedlist>
                </para>
                <section>
@ -498,6 +502,30 @@ $ keytool -import -alias yourdomain -keystore keycloak.jks -file your-certificat
                        Check the <ulink url="https://docs.jboss.org/author/display/AS71/SSL+setup+guide">JBoss</ulink> documentation for more information on fine tuning the socket connections.
                    </para>
                </section>
+            </section>
+
+            <section>
+                <title>Enable SSL on a Reverse Proxy</title>
+                <para>
+                    Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak.
+                    It is important that you make sure the web server sets the <literal>X-Forwarded-For</literal> and
+                    <literal>X-Forwarded-Proto</literal> headers on the requests made to Keycloak. Next you need to enable
+                    <literal>proxy-address-forwarding</literal> on the Keycloak http connector. This is done by editing
+                    <literal>standalone/configuration/standalone.xml</literal>.
+                </para>
+                <para>
+<programlisting><![CDATA[<subsystem xmlns="urn:jboss:domain:undertow:1.1">
+    ...
+    <http-listener name="default" socket-binding="http" proxy-address-forwarding="true"/>
+    ...
+</subsystem>
+]]></programlisting>
+                </para>
+                <para>
+                    Check the <ulink url="https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration">WildFly</ulink> documentation for more information.
+                </para>
+            </section>
+
            <section>
                <title>Enforce HTTPS For Server Connections</title>
                <para>
@ -519,6 +547,7 @@ $ keytool -import -alias yourdomain -keystore keycloak.jks -file your-certificat
 </web-app>]]></programlisting>
                </para>
            </section>
+
            <section>
                <title>Enforce HTTPS at Realm Level</title>
                <para>