KEYCLOAK-8397 Remove deprecated proxy from docs
This commit is contained in:
parent
8cb975d273
commit
cf7e0253f3
2 changed files with 1 additions and 255 deletions
|
@ -46,6 +46,3 @@ include::topics/cache/eviction.adoc[]
|
||||||
include::topics/cache/replication.adoc[]
|
include::topics/cache/replication.adoc[]
|
||||||
include::topics/cache/disable.adoc[]
|
include::topics/cache/disable.adoc[]
|
||||||
include::topics/cache/clear.adoc[]
|
include::topics/cache/clear.adoc[]
|
||||||
ifeval::[{project_community}==true]
|
|
||||||
include::topics/proxy.adoc[]
|
|
||||||
endif::[]
|
|
||||||
|
|
|
@ -1,251 +0,0 @@
|
||||||
|
|
||||||
[[_proxy]]
|
|
||||||
== {project_name} Security Proxy
|
|
||||||
|
|
||||||
{project_name} has an HTTP(S) proxy that you can put in front of web applications and services where it is not possible to install the {project_name} adapter.
|
|
||||||
You can set up URL filters so that certain URLs are secured either by browser login and/or bearer token authentication.
|
|
||||||
You can also define role constraints for URL patterns within your applications.
|
|
||||||
|
|
||||||
=== Proxy Install and Run
|
|
||||||
|
|
||||||
Download the {project_name} proxy distribution from the {project_name} download pages and unzip it.
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
$ unzip keycloak-proxy-dist.zip
|
|
||||||
----
|
|
||||||
|
|
||||||
To run it you must have a proxy config file (which we'll discuss in a moment).
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
$ java -jar bin/launcher.jar [your-config.json]
|
|
||||||
----
|
|
||||||
|
|
||||||
If you do not specify a path to the proxy config file, the launcher will look in the current working directory for the file named `proxy.json`
|
|
||||||
|
|
||||||
=== Proxy Configuration
|
|
||||||
|
|
||||||
Here's an example configuration file.
|
|
||||||
[source,json]
|
|
||||||
----
|
|
||||||
|
|
||||||
{
|
|
||||||
"target-url": "http://localhost:8082",
|
|
||||||
"target-request-timeout": "60000",
|
|
||||||
"send-access-token": true,
|
|
||||||
"bind-address": "localhost",
|
|
||||||
"http-port": "8080",
|
|
||||||
"https-port": "8443",
|
|
||||||
"keystore": "classpath:ssl.jks",
|
|
||||||
"keystore-password": "password",
|
|
||||||
"key-password": "password",
|
|
||||||
"applications": [
|
|
||||||
{
|
|
||||||
"base-path": "/customer-portal",
|
|
||||||
"error-page": "/error.html",
|
|
||||||
"adapter-config": {
|
|
||||||
"realm": "demo",
|
|
||||||
"resource": "customer-portal",
|
|
||||||
"realm-public-key": "MIGfMA0GCSqGSIb",
|
|
||||||
"auth-server-url": "http://localhost:8081/auth",
|
|
||||||
"ssl-required" : "external",
|
|
||||||
"principal-attribute": "name",
|
|
||||||
"credentials": {
|
|
||||||
"secret": "password"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
,
|
|
||||||
"constraints": [
|
|
||||||
{
|
|
||||||
"pattern": "/users/*",
|
|
||||||
"roles-allowed": [
|
|
||||||
"user"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"pattern": "/admins/*",
|
|
||||||
"roles-allowed": [
|
|
||||||
"admin"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"pattern": "/users/permit",
|
|
||||||
"permit": true
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"pattern": "/users/deny",
|
|
||||||
"deny": true
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
----
|
|
||||||
|
|
||||||
==== Basic Config
|
|
||||||
|
|
||||||
The basic configuration options for the server are as follows:
|
|
||||||
|
|
||||||
target-url::
|
|
||||||
The URL this server is proxying. _REQUIRED_.
|
|
||||||
|
|
||||||
target-request-timeout::
|
|
||||||
The timeout (in ms) for the proxied request. _OPTIONAL_.
|
|
||||||
Default is 30000.
|
|
||||||
|
|
||||||
send-access-token::
|
|
||||||
Boolean flag.
|
|
||||||
If true, this will send the access token via the KEYCLOAK_ACCESS_TOKEN header to the proxied server. _OPTIONAL_.
|
|
||||||
Default is false.
|
|
||||||
|
|
||||||
bind-address::
|
|
||||||
DNS name or IP address to bind the proxy server's sockets to. _OPTIONAL_.
|
|
||||||
The default value is _localhost_
|
|
||||||
|
|
||||||
http-port::
|
|
||||||
Port to listen for HTTP requests.
|
|
||||||
If you do not specify this value, then the proxy will not listen for regular HTTP requests. _OPTIONAL_.
|
|
||||||
|
|
||||||
https-port::
|
|
||||||
Port to listen for HTTPS requests.
|
|
||||||
If you do not specify this value, then the proxy will not listen for HTTPS requests. _OPTIONAL_.
|
|
||||||
|
|
||||||
keystore::
|
|
||||||
Path to a Java keystore file that contains private key and certificate for the server to be able to handle HTTPS requests.
|
|
||||||
Can be a file path, or, if you prefix it with `classpath:` it will look for this file in the classpath. _OPTIONAL_.
|
|
||||||
If you have enabled HTTPS, but have not defined a keystore, the proxy will auto-generate a self-signed certificate and use that.
|
|
||||||
|
|
||||||
buffer-size::
|
|
||||||
HTTP server socket buffer size.
|
|
||||||
Usually the default is good enough. _OPTIONAL_.
|
|
||||||
|
|
||||||
buffers-per-region::
|
|
||||||
HTTP server socket buffers per region.
|
|
||||||
Usually the default is good enough. _OPTIONAL_.
|
|
||||||
|
|
||||||
io-threads::
|
|
||||||
Number of threads to handle IO.
|
|
||||||
Usually default is good enough.
|
|
||||||
_OPTIONAL_.
|
|
||||||
The default is the number of available processors * 2.
|
|
||||||
|
|
||||||
worker-threads::
|
|
||||||
Number of threads to handle requests.
|
|
||||||
Usually the default is good enough. _OPTIONAL_.
|
|
||||||
The default is the number of available processors * 16.
|
|
||||||
|
|
||||||
=== Application Config
|
|
||||||
|
|
||||||
Next under the `applications` array attribute, you can define one or more applications per host you are proxying.
|
|
||||||
|
|
||||||
base-path::
|
|
||||||
The base context root for the application.
|
|
||||||
Must start with '/'. _REQUIRED_.
|
|
||||||
|
|
||||||
error-page::
|
|
||||||
If the proxy has an error, it will display the target application's error page relative URL. _OPTIONAL_.
|
|
||||||
This is a relative path to the base-path.
|
|
||||||
In the example above it would be `/customer-portal/error.html`.
|
|
||||||
|
|
||||||
adapter-config::
|
|
||||||
_REQUIRED_.
|
|
||||||
Same configuration as any other {project_name} adapter.
|
|
||||||
// See <<_adapter_config,Adapter Config>>
|
|
||||||
|
|
||||||
proxy-address-forwarding::
|
|
||||||
Enable usage of X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Proto when hosted behind another proxy/load-balancer.
|
|
||||||
|
|
||||||
==== Constraint Config
|
|
||||||
|
|
||||||
Next under each application you can define one or more constraints in the `constraints` array attribute.
|
|
||||||
A constraint defines a URL pattern relative to the base-path.
|
|
||||||
You can deny, permit, or require authentication for a specific URL pattern.
|
|
||||||
You can specify roles allowed for that path as well.
|
|
||||||
More specific constraints will take precedence over more general ones.
|
|
||||||
|
|
||||||
pattern::
|
|
||||||
URL pattern to match relative to the base-path of the application.
|
|
||||||
Must start with '/'. _REQUIRED._
|
|
||||||
You may only have one wildcard and it must come at the end of the pattern.
|
|
||||||
|
|
||||||
* Valid: [x-]`/foo/bar/*` and [x-]`/foo/*.txt`
|
|
||||||
* Not valid: [x-]`/*/foo/*`.
|
|
||||||
|
|
||||||
roles-allowed::
|
|
||||||
Array of strings of roles allowed to access this url pattern. _OPTIONAL_.
|
|
||||||
|
|
||||||
methods::
|
|
||||||
Array of strings of HTTP methods that will exclusively match this pattern and HTTP request. _OPTIONAL_.
|
|
||||||
|
|
||||||
excluded-methods::
|
|
||||||
Array of strings of HTTP methods that will be ignored when match this pattern. _OPTIONAL_.
|
|
||||||
|
|
||||||
deny::
|
|
||||||
Deny all access to this URL pattern. _OPTIONAL_.
|
|
||||||
|
|
||||||
permit::
|
|
||||||
Permit all access without requiring authentication or a role mapping. _OPTIONAL_.
|
|
||||||
|
|
||||||
permit-and-inject::
|
|
||||||
Permit all access, but inject the headers, if user is already authenticated. _OPTIONAL_.
|
|
||||||
|
|
||||||
authenticate::
|
|
||||||
Require authentication for this pattern, but no role mapping. _OPTIONAL_.
|
|
||||||
|
|
||||||
==== Header Names Config
|
|
||||||
|
|
||||||
Next under the list of applications you can override the defaults for the names of the header fields injected by the proxy (see <<_identity_headers, {project_name} Identity Headers>>). This mapping is optional.
|
|
||||||
|
|
||||||
keycloak-subject::
|
|
||||||
e.g.
|
|
||||||
MYAPP_USER_ID
|
|
||||||
|
|
||||||
keycloak-username::
|
|
||||||
e.g.
|
|
||||||
MYAPP_USER_NAME
|
|
||||||
|
|
||||||
keycloak-email::
|
|
||||||
e.g.
|
|
||||||
MYAPP_USER_EMAIL
|
|
||||||
|
|
||||||
keycloak-name::
|
|
||||||
e.g.
|
|
||||||
MYAPP_USER_ID
|
|
||||||
|
|
||||||
keycloak-access-token::
|
|
||||||
e.g.
|
|
||||||
MYAPP_ACCESS_TOKEN
|
|
||||||
|
|
||||||
[[_identity_headers]]
|
|
||||||
=== {project_name} Identity Headers
|
|
||||||
|
|
||||||
When forwarding requests to the proxied server, {project_name} Proxy will set some additional headers with values from the OIDC identity token it received for authentication.
|
|
||||||
|
|
||||||
KEYCLOAK_SUBJECT::
|
|
||||||
User id.
|
|
||||||
Corresponds to JWT `sub` and will be the user id {project_name} uses to store this user.
|
|
||||||
|
|
||||||
KEYCLOAK_USERNAME::
|
|
||||||
Username.
|
|
||||||
Corresponds to JWT `preferred_username`.
|
|
||||||
|
|
||||||
KEYCLOAK_EMAIL::
|
|
||||||
Email address of user if set.
|
|
||||||
|
|
||||||
KEYCLOAK_NAME::
|
|
||||||
Full name of user if set.
|
|
||||||
|
|
||||||
KEYCLOAK_ACCESS_TOKEN::
|
|
||||||
Send the access token in this header if the proxy was configured to send it.
|
|
||||||
This token can be used to make bearer token requests. Header field names can be configured using a map of `header-names` in configuration file:
|
|
||||||
+
|
|
||||||
[source,json]
|
|
||||||
----
|
|
||||||
|
|
||||||
{
|
|
||||||
"header-names" {
|
|
||||||
"keycloak-subject": "MY_SUBJECT"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
----
|
|
Loading…
Reference in a new issue