Reverse proxy WITHOUT Docker

summersab · August 31, 2021, 7:35pm

Almost all of the documentation for Keycloak assumes that the system is running in a Docker container. With Docker, there are the PROXY_ADDRESS_FORWARDING and KEYCLOAK_FRONTEND_URL ENV variables which make putting Keycloak behind a SSL reverse proxy a breeze.

However, in development (or for those not wishing to use Docker), there is scant documentation regarding how to do the same thing without Docker. I’ve seen several threads on this matter, but none seem to be conclusive. Are there cli arguments that can be passed to standalone.sh? What is the “official” way to configure Keycloak to run behind a reverse proxy when not using Docker? Is there a page in the documentation that I’ve missed?

Thanks!

summersab · August 31, 2021, 9:48pm

I fixed my own problem. The trick is to edit the following file:
./standalone/configuration/standalone.xml

Look for the following lines:

<server name="default-server">
  <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
  <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>

Add the value proxy-address-forwarding="true" after that second line like so:

<server name="default-server">
  <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" proxy-address-forwarding="true"/>
  <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>

Then, this is a working nginx config that should work (WARNING: I’m using self-signed certs for development - don’t use snakeoil.conf in production!!!):

server {
  ssl on;
  listen 443 ssl default_server;
  listen [::]:443 ssl default_server;
  include snippets/snakeoil.conf;

  proxy_set_header X-Forwarded-For $proxy_protocol_addr;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header Host $host;

  location / {
    proxy_pass http://127.0.0.1:8080;
  }
}

The end. Any questions, and I’ll do my best to help!

dasniko · September 1, 2021, 5:54am

Yes, it’s all in the docs:

Enable HTTPS/SSL with a Reverse Proxy
https://www.keycloak.org/docs/latest/server_installation/index.html#enable-https-ssl-with-a-reverse-proxy
Identifying Client IP Addresses
https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses

adebola · February 10, 2022, 11:22pm

The documentation should be searchable

Topic		Replies	Views
Keycloak reverse proxy Getting advice	2	4161	January 14, 2020
Keycloak 17 - Run in docker behind NginX Reverse Proxy	3	15864	April 18, 2022
Enabling SSL to secure the HTTP traffic of the Keycloak Server with existing certificate (avoid self-signed certificate) Getting advice	15	9748	May 17, 2021
Keycloak 19.0.3 The configuration problem of Enabling HTTPS/SSL with a reverse proxy Configuring the server	2	2022	October 31, 2022
Keycloak v24 to v26 migration problems	8	432	November 19, 2024

Reverse proxy WITHOUT Docker

Related topics