parent
db0b36460f
commit
99e7208f36
2 changed files with 14 additions and 22 deletions
|
@ -3,13 +3,14 @@
|
|||
<#import "/templates/options.adoc" as opts>
|
||||
|
||||
<@tmpl.guide
|
||||
title="Configuring Keycloak to run behind a reverse proxy"
|
||||
summary="Understand how to configure Keycloak when using a reverse proxy"
|
||||
title="Configuring a reverse proxy"
|
||||
summary="Learn how to configure Keycloak together with a reverse proxy, api gateway or load balancer."
|
||||
priority=20
|
||||
includedOptions="proxy proxy.*">
|
||||
|
||||
It is pretty common nowadays to use a reverse proxy in distributed environments. If you want to use Keycloak together with such a proxy, you can use different proxy modes depending on the proxy and TLS termination in your specific environment:
|
||||
It is pretty common nowadays to use a reverse proxy in distributed environments. If you want to use Keycloak together with such a proxy, you can use different proxy modes depending on the TLS termination in your specific environment:
|
||||
|
||||
== Available proxy modes
|
||||
The `none` mode disables proxy support. It is the default mode.
|
||||
|
||||
The `edge` mode enables communication through HTTP between the proxy and Keycloak. This mode is suitable for deployments with a highly secure internal network where the reverse proxy keeps a secure connection (HTTP over TLS) with clients while communicating with Keycloak using HTTP.
|
||||
|
@ -18,22 +19,20 @@ The `reencrypt` mode requires communication through HTTPS between the proxy and
|
|||
|
||||
The `passthrough` mode enables communication through HTTP or HTTPS between the proxy and Keycloak. This mode is suitable for deployments where the reverse proxy is not terminating TLS, but only forwarding the requests to the Keycloak server so that secure connections between the server and clients are based on the keys and certificates used by the Keycloak server itself.
|
||||
|
||||
Selecting the reverse proxy mode is done at runtime via:
|
||||
== Configure the proxy mode in Keycloak
|
||||
To select the proxy mode, run:
|
||||
|
||||
<@kc.all parameters="--proxy <mode>"/>
|
||||
<@kc.start parameters="--proxy <mode>"/>
|
||||
|
||||
Please make sure your reverse proxy is configured correctly. To do so, please:
|
||||
== Configure the reverse proxy
|
||||
Make sure your reverse proxy is configured correctly. To do so, please:
|
||||
|
||||
* Configure your reverse proxy to properly set X-Forwarded-For and X-Forwarded-Proto HTTP headers.
|
||||
* Properly set X-Forwarded-For and X-Forwarded-Proto HTTP headers.
|
||||
|
||||
* Configure your reverse proxy to preserve the original 'Host' HTTP header.
|
||||
* Preserve the original 'Host' HTTP header.
|
||||
|
||||
Please consult the documentation of your specific reverse proxy on how to set these headers.
|
||||
Please consult the documentation of your reverse proxy on how to set these headers.
|
||||
|
||||
_Note_: Take extra precautions to ensure that the X-Forwarded-For header is set by your reverse proxy. If it is not configured correctly, rogue clients can set this header themselves and trick Keycloak into thinking the client is connecting from a different IP address than it actually does. This may become really important if you are doing any black or white listing of IP addresses.
|
||||
|
||||
Valid options for the proxy mode include:
|
||||
|
||||
<@opts.expectedValues option="proxy"/>
|
||||
Take extra precautions to ensure that the X-Forwarded-For header is set by your reverse proxy. If it is not configured correctly, rogue clients can set this header themselves and trick Keycloak into thinking the client is connecting from a different IP address than it actually does. This may become really important if you are doing any black or white listing of IP addresses.
|
||||
|
||||
</@tmpl.guide>
|
|
@ -11,10 +11,3 @@ bin/kc.[sh|bat] build ${parameters}
|
|||
bin/kc.[sh|bat] start ${parameters}
|
||||
----
|
||||
</#macro>
|
||||
|
||||
<#macro all parameters>
|
||||
[source,bash]
|
||||
----
|
||||
bin/kc.[sh|bat] [build|start|start-dev] ${parameters}
|
||||
----
|
||||
</#macro>
|
Loading…
Reference in a new issue