Documentation updated: Hosting from a sub path section added (#14505)

* Hosting from a sub path section added

* Update as per PR comments

* updates # 2 as per suggestions

* details link removed

* includedOptions section updated
Muhammad Ummar Iqbal 2022-10-05 22:52:05 +05:00 committed by GitHub
parent 36a1ce6a1a
commit 91a58ed1b9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -6,7 +6,7 @@
<@tmpl.guide
title="Using a reverse proxy"
summary="Learn how to configure Keycloak together with a reverse proxy, api gateway, or load balancer."
includedOptions="proxy proxy-*">
includedOptions="proxy proxy-* hostname-path hostname-url http-relative-path">
Distributed environments frequently require the use of a reverse proxy.
For Keycloak, your choice of proxy modes depends on the TLS termination in your environment.
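Review bot: The new `includedOptions` value lists `hostname-path`, `hostname-url` and `http-relative-path` individually, while the guide's existing "Trust the proxy to set hostname" section also describes a hostname setting. Please check whether the option that section relies on should be in the list as well, so the rendered options table covers every option the guide mentions. Minor, on the unchanged `summary` line: "api gateway" should read "API gateway".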
@ -43,6 +43,13 @@ Take extra precautions to ensure that the X-Forwarded-For header is set by your
If this header is incorrectly configured, rogue clients can set this header and trick Keycloak into thinking the client is connected from a different IP address than the actual address.
This precaution can be more critical if you do any deny or allow listing of IP addresses.
== Different context-path on reverse proxy
Keycloak assumes it is exposed through the reverse proxy under the same context path as Keycloak is configured for. By default Keycloak is exposed through the root (`/`), which means it expects to be exposed through the reverse proxy on `/` as well.
You can use `hostname-path` or `hostname-url` in these cases, for example using `--hostname-path=/auth` if Keycloak is exposed through the reverse proxy on `/auth`.
Alternatively you can also change the context path of Keycloak itself to match the context path for the reverse proxy using the `http-relative-path` option, which will change the context-path of Keycloak itself to match the context path used by the reverse proxy.
== Trust the proxy to set hostname
By default, Keycloak needs to know under which hostname it will be called. If your reverse proxy is configured to check for the correct hostname, you can set Keycloak to accept any hostname.
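Review bot: The last sentence of the new "Different context-path on reverse proxy" section says the same thing twice ("change the context path of Keycloak itself ... which will change the context-path of Keycloak itself"). Suggest ending it after "using the `http-relative-path` option". The section also alternates between "context path" and "context-path"; pick one spelling. `hostname-path` gets a concrete example (`--hostname-path=/auth`) but `hostname-url` does not, so a reader cannot tell from this text when to prefer one over the other. One sentence on the difference, with an example value, would close that gap. It would also help to state explicitly that the first approach leaves the path Keycloak itself serves unchanged, since that is the distinction between the two paragraphs.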