Documentation updated: Hosting from a sub path section added (#14505)
* Hosting from a sub path section added
* Update as per PR comments
* updates # 2 as per suggestions
* details link removed
* includedOptions section updated
parent
36a1ce6a1a
commit
91a58ed1b9
1 changed files with 8 additions and 1 deletions
|
@ -6,7 +6,7 @@
|
||||||
<@tmpl.guide
|
<@tmpl.guide
|
||||||
title="Using a reverse proxy"
|
title="Using a reverse proxy"
|
||||||
summary="Learn how to configure Keycloak together with a reverse proxy, api gateway, or load balancer."
|
summary="Learn how to configure Keycloak together with a reverse proxy, api gateway, or load balancer."
|
||||||
includedOptions="proxy proxy-*">
|
includedOptions="proxy proxy-* hostname-path hostname-url http-relative-path">
|
||||||
|
|
||||||
Distributed environments frequently require the use of a reverse proxy.
|
Distributed environments frequently require the use of a reverse proxy.
|
||||||
For Keycloak, your choice of proxy modes depends on the TLS termination in your environment.
|
For Keycloak, your choice of proxy modes depends on the TLS termination in your environment.
|
||||||
|
@ -43,6 +43,13 @@ Take extra precautions to ensure that the X-Forwarded-For header is set by your
|
||||||
If this header is incorrectly configured, rogue clients can set this header and trick Keycloak into thinking the client is connected from a different IP address than the actual address.
|
If this header is incorrectly configured, rogue clients can set this header and trick Keycloak into thinking the client is connected from a different IP address than the actual address.
|
||||||
This precaution can be more critical if you do any deny or allow listing of IP addresses.
|
This precaution can be more critical if you do any deny or allow listing of IP addresses.
|
||||||
|
|
||||||
|
== Different context-path on reverse proxy
|
||||||
|
|
||||||
|
Keycloak assumes it is exposed through the reverse proxy under the same context path as Keycloak is configured for. By default Keycloak is exposed through the root (`/`), which means it expects to be exposed through the reverse proxy on `/` as well.
|
||||||
|
You can use `hostname-path` or `hostname-url` in these cases, for example using `--hostname-path=/auth` if Keycloak is exposed through the reverse proxy on `/auth`.
|
||||||
|
|
||||||
|
Alternatively you can also change the context path of Keycloak itself to match the context path for the reverse proxy using the `http-relative-path` option, which will change the context-path of Keycloak itself to match the context path used by the reverse proxy.
|
||||||
|
|
||||||
== Trust the proxy to set hostname
|
== Trust the proxy to set hostname
|
||||||
|
|
||||||
By default, Keycloak needs to know under which hostname it will be called. If your reverse proxy is configured to check for the correct hostname, you can set Keycloak to accept any hostname.
|
By default, Keycloak needs to know under which hostname it will be called. If your reverse proxy is configured to check for the correct hostname, you can set Keycloak to accept any hostname.
|
||||||
|
|
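Review bot: The last added paragraph, beginning "Alternatively you can also change the context path", says the same thing twice: the clause after "`http-relative-path` option" repeats the first half of the sentence almost word for word. Suggest ending the sentence at "using the `http-relative-path` option." The paragraph before it says "in these cases" without naming the case; opening it with the condition (the reverse proxy exposes Keycloak under a path other than the one Keycloak is configured for) would make the `--hostname-path=/auth` example easier to follow. `hostname-url` is named but gets no example and no hint of when to prefer it over `hostname-path`, and the section does not say whether the proxy is expected to rewrite the path when `hostname-path` is used instead of `http-relative-path`. A sentence on each would help, since a mismatch between the path the proxy exposes and the path Keycloak assumes is what this section is meant to prevent. The spelling also alternates between "context-path" and "context path"; pick one.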