Haproxy - Keycloak - Grommunio Mail Server

1

Hi,
I have a Grommunio mail server with the IP 192.168.200.250 and a Keycloak is running on the same server.
I can log in to the Grommunio server with a username and password and then there is a redirect to /web and /auth and then I have a loop.
Here is my current configuration, what is wrong?

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    6
    hard-stop-after             60s
    no strict-limits
    tune.ssl.ocsp-update.mindelay 300
    tune.ssl.ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 60s
    timeout connect 60s
    timeout server 60s
    retries 3
    default-server init-addr last,libc

# Frontend: Letsencrypt80
frontend Letsencrypt80
    bind 192.168.100.100:80 name 192.168.100.100:80
    mode tcp
    default_backend acme_challenge_backend

    # logging options
    # ACL: find_acme_challenge
    acl acl_4446b727496739.59551874 path_beg -i /.well-known/acme-challenge/
    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_4446b727496739.59551874

# Frontend: LetsEncrypt443 (LetsEncrypt443)
frontend LetsEncrypt443
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 192.168.100.100:443 name 192.168.100.100:443 ssl crt /var/etc/acme-client/certs/64747687955833.89930809/fullchain.pem key /var/etc/acme-client/keys/64747687955833.89930809/private.key
    mode http
    option http-keep-alive
    default_backend acme_challenge_backend

    # logging options
    # ACL: find_acme_challenge
    acl acl_4446b727496739.59551874 path_beg -i /.well-known/acme-challenge/
    # ACL: Grommunino
    acl acl_664c906453f702.68929731 hdr(host) -i grommunio.test.com

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_4446b727496739.59551874
    # ACTION: Grommunio
    use_backend Grommunio if acl_664c906453f702.68929731


# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: Grommunio
backend Grommunio
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    cookie KC_ROUTE insert indirect nocache
    # WARNING: pass through options below this line
    http-request set-header X-Real-IP %[src]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-For %[src]
    http-reuse safe
    option forwardfor
    server Grommunio 192.168.200.250:443 ssl alpn h2,http/1.1 verify none crt /var/etc/acme-client/certs/64747687955833.89930809/fullchain.pem key /var/etc/acme-client/keys/64747687955833.89930809/private.key

# statistics are DISABLED
2

I now have a new approach, might that help? I can now enter the tocken but then a redirect appears again.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    6
    hard-stop-after             60s
    no strict-limits
    tune.ssl.ocsp-update.mindelay 300
    tune.ssl.ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 60s
    timeout connect 60s
    timeout server 60s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: Letsencrypt_80 ()
frontend Letsencrypt_80
    bind 192.168.200.253:80 name 192.168.200.253:80 
    mode tcp
    default_backend acme_challenge_backend

    # logging options
    # ACL: find_acme_challenge
    acl acl_6546b7f7e92430.59551874 path_beg -i /.well-known/acme-challenge/

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6546b7f7e92430.59551874

# Frontend: LetsEncrypt (LetsEncrypt)
frontend LetsEncrypt
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 192.168.200.253:443 name 192.168.200.253:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/657480646e0916.14570670.certlist 
    mode http
    option http-keep-alive
    default_backend acme_challenge_backend

    # ACL: find_acme_challenge
    acl acl_6546b7f7e92430.59551874 path_beg -i /.well-known/acme-challenge/
    # ACL: Grommunino
    acl acl_664c906453f702.68929731 hdr(host) -i mailserver.test.com
    # ACL: Keycloak
    acl acl_668a627a78cb38.48749184 path_beg -i /auth

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6546b7f7e92430.59551874
    # ACTION: Grommunio
    use_backend Grommunio if acl_664c906453f702.68929731
    # ACTION: Keycloak
    use_backend Keycloak if acl_668a627a78cb38.48749184
    # WARNING: pass through options below this line
    redirect scheme https code 301 if !{ ssl_fc }

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580 

# Backend: Grommunio ()
backend Grommunio
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    cookie KC_ROUTE insert indirect nocache
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port 443
    http-request set-header X-Forwarded-For %[src]
    option forwardfor
    http-reuse safe
    option forwardfor
    server Grommunio 192.168.120.33:443 ssl alpn h2,http/1.1 verify none cookie 6607c74887063778516557

# Backend: Keycloak ()
backend Keycloak
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    cookie KC_ROUTE insert indirect nocache
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port 443
    http-request set-header X-Forwarded-For %[src]
    option forwardfor
    http-reuse safe
    option forwardfor
    server Keycloak 192.168.120.33:8080 cookie 668a62bcb6c3f299187837

# statistics are DISABLED