KeyCloak 18.0 Quarkus behind F5

Currently we have a Keycloak 15 WildFly-based instance deployed in standalone mode on our internal network. Our network team made it available externally with a vanity URL through an F5, with a VIP behind it pointing to the Keycloak instance as a pool member. The instance is SSL secured using certs in JKS format. This works absolutely fine.

However, with the recent vulnerability in all versions below 18, we have decided to upgrade to a Keycloak 18 Quarkus-based instance. I went with a simple config and Keycloak started behaving erratically on the externally published URL. Internally it works fine with its hostname followed by the https port in the URL.

This is the config I used:

db=mysql
db-username=keycloak
db-password=S0meP@55
db-url=jdbc:mysql://localhost:3306/keycloak

health-enabled=true
metrics-enabled=true

hostname=mykeycloakservername.mydomain.com

https-key-store-file=/opt/keycloak/conf/crypto/keycloak.jks
https-key-store-password=mykeypass
https-protocols=TLSv1.3,TLSv1.2
https-port=8443

log-level=info,warn,error
log=file
log-file=/opt/keycloak/log/keycloak.log

I'm sure I'm missing something that's causing this issue. My network folks told me that there are redirections happening to the internal server URL, which is just https:// followed by the server's internal FQDN and port.

If I put the Keycloak 15 WildFly instance back, everything works just fine with the same setup on the F5.

Any suggestions and guidance greatly appreciated.

Have you tried setting the proxy mode? Depending on whether you're terminating SSL at the F5 or at Keycloak, you either need to set it to reencrypt or passthrough.


Thank you very much for the response.

We have end-to-end SSL. One for external vanity URL that terminates at F5 and one internally on host.
What proxy option do you think suits best here?

I tried both passthrough and reencrypt. No use. All we get is the main page.
As soon as we click Administration Console we get a blank page.

Open that "blank page" in the browser again and open the browser error/network console. I guess you will see some errors related to a wrong hostname/port/protocol there; that should give you a clue about what is causing the problem.

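The same check from the command line, as an added example that is not part of this thread: request the admin console entry point through the published name and look at the host in the Location header of the 302 Keycloak returns (Keycloak 18 answers /admin/ with a redirect to /admin/master/console/). If that host is the pool member's internal FQDN and port rather than the public name, the redirects the network team saw are confirmed. The parser below works on any captured header block, so it runs offline against the constructed sample responses; sso.example.com is a placeholder for the vanity name.

```shell
#!/bin/sh
# Added example, not from the thread: check where Keycloak's redirects point
# when the admin console is requested through the published (vanity) name.
# sso.example.com is a placeholder; the sample responses are constructed.

# Print the host[:port] from the first Location header in an HTTP response
# header block read from stdin (lowercased, CRLF tolerated). Prints nothing
# when there is no Location header.
location_host() {
    tr -d '\r' \
      | awk 'tolower($1) == "location:" { print $2; exit }' \
      | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#[/?].*$##' \
      | tr 'A-Z' 'a-z'
}

# Classify a response (stdin) against the name clients are supposed to see:
#   ok               redirect stays on the expected public name
#   mismatch:<host>  redirect leaks another host (e.g. the pool member's FQDN)
#   no-redirect      no Location header at all
classify_redirect() {
    actual=$(location_host)
    if [ -z "$actual" ]; then
        echo "no-redirect"
    elif [ "$actual" = "$1" ]; then
        echo "ok"
    else
        echo "mismatch:$actual"
    fi
}

# Live probe: GET /admin/ through the proxy, keep only the response headers
# (-D -), and classify the redirect against the host part of the base URL.
# No -k: a certificate error here is a finding of its own, not noise.
probe() {
    base="$1"                                               # e.g. https://sso.example.com
    expected=$(printf 'Location: %s\n' "$base" | location_host)
    curl -sS -o /dev/null -D - "$base/admin/" | classify_redirect "$expected"
}

# Constructed sample responses, CRLF-terminated like a real capture. The first
# is the symptom described in the thread: redirect to internal FQDN and port.
SAMPLE_LEAK=$(printf 'HTTP/1.1 302 Found\r\nLocation: https://mykeycloakservername.mydomain.com:8443/admin/master/console/\r\nContent-Length: 0\r\n')
SAMPLE_OK=$(printf 'HTTP/1.1 302 Found\r\nLocation: https://sso.example.com/admin/master/console/\r\nContent-Length: 0\r\n')

if [ -n "${1:-}" ]; then
    probe "$1"
else
    # Offline demonstration on the constructed samples.
    printf '%s\n' "$SAMPLE_LEAK" | classify_redirect sso.example.com  # mismatch:mykeycloakservername.mydomain.com:8443
    printf '%s\n' "$SAMPLE_OK"   | classify_redirect sso.example.com  # ok
fi
```

Run it as `sh check_redirect.sh https://sso.example.com` from a host that reaches the F5; run it again against `https://mykeycloakservername.mydomain.com:8443` from inside the network to see which name Keycloak is actually advertising in each path.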

Hello,

I just had that happen. I'm not using a reverse proxy with KC 18.0.0.
I added this to my keycloak.conf file:

#PROXY STUFF
proxy=edge
# The proxy address forwarding mode if the server is behind a reverse proxy.

I found it here.


I saw that the redirections were happening to the internal URI. I tried @gsmith's suggestion. It worked.


Thank you very much. This solution worked. However, I had to set the hostname value to the externally used vanity URL, and then it started working. But for testing purposes, sometimes we isolate our network and the F5 and try to access the sites internally on their internal address. When I try to access the site internally using the internal address, the home page loads, and as soon as I click 'Admin Console' it throws page not found and a hyperlink. When I click the link, it gets redirected to the external URL address and loads the page fine. I'm thinking that's because of the hostname field in the configuration file. Is there any way that we can set the hostname field so that it works both externally and internally?

Hello,

Not sure, but I'll show you what I have done.

We have VPNs for external use with Keycloak.

For example, these settings are on the server and correspond to our AD DC with a Gateway server in front. This was done prior to installing Keycloak.

edit /etc/hostname
keycloak.domain.com
edit /etc/hosts
8.8.8.8  keycloak.domain.com

Configure the keycloak.conf file:

# Hostname for the Keycloak server.
hostname=keycloak.domain.com

Also configured SELinux, iptables, certificates, etc.

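Pulling the thread's answers together into one file, as an added example rather than anyone's posted config: for the setup described (the F5 terminates the public TLS session and opens a new TLS session to Keycloak on 8443), proxy=reencrypt is the matching mode, hostname is the external vanity name, and the F5 must forward X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host (and X-Forwarded-Port when the public port is not 443) for Keycloak to build URLs from them. The hostname-strict comments address the internal-access question above: with hostname set and hostname-strict=true (the default) every frontend URL uses that one name, so the internal name can only be served by relaxing hostname-strict, which is safe only when the proxy controls the Host header. sso.example.com and the key store password are placeholders.

```properties
# Added example (not any poster's file): /opt/keycloak/conf/keycloak.conf for
# Keycloak 18 behind a reverse proxy that terminates the public TLS session and
# re-encrypts to Keycloak on 8443. sso.example.com is a placeholder vanity name.

db=mysql
db-username=keycloak
db-url=jdbc:mysql://localhost:3306/keycloak
# Supply the password out of band (the KC_DB_PASSWORD environment variable, or
# a file with restrictive permissions) instead of committing it to this file.

health-enabled=true
metrics-enabled=true

# Reverse-proxy mode. "reencrypt": the proxy terminates TLS and talks HTTPS to
# Keycloak, and Keycloak trusts X-Forwarded-For/Proto/Host from it. Use "edge"
# when the proxy talks plain HTTP to Keycloak. "passthrough" ignores the
# X-Forwarded-* headers, which is why redirects then carry the pool member's
# own FQDN and port instead of the public name.
proxy=reencrypt

# The name Keycloak writes into every redirect and OIDC issuer URL: the public
# vanity name, not the pool member's FQDN.
hostname=sso.example.com
# Default true: frontend URLs always use the hostname above. Set to false only
# if the proxy is the sole source of the Host header; Keycloak then builds URLs
# from the request, which is what makes an internal name work as well.
hostname-strict=true
# Default false: backchannel (server-to-server) URLs are resolved from the
# request, so internal clients reaching Keycloak by its internal name still get
# internal token/introspection endpoints in the discovery document.
hostname-strict-backchannel=false
# Set only if the proxy publishes the name on a non-default port.
#hostname-port=443

https-key-store-file=/opt/keycloak/conf/crypto/keycloak.jks
# Placeholder; prefer KC_HTTPS_KEY_STORE_PASSWORD in the service environment.
https-key-store-password=changeit
https-protocols=TLSv1.3,TLSv1.2
https-port=8443

# log-level takes one root level, optionally followed by category:level pairs;
# a bare list such as "info,warn,error" is not three root levels.
log-level=info
log=file
log-file=/opt/keycloak/log/keycloak.log

# In 18, db, proxy, health-enabled and metrics-enabled are build-time options:
# run "bin/kc.sh build" after changing them, then "bin/kc.sh start".
```

For the isolated-network test, point an internal DNS view or hosts entry for sso.example.com at the Keycloak host (or at the F5 VIP) rather than relaxing hostname-strict; that keeps one advertised name and avoids the mixed internal/external redirects described in the thread.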