Does cloudflare provide enough security to protect Keycloak on the internet

We’re integrating Keycloak to a website we’re developing, and I have a question about hosting the Keycloak server.

The official guide says:

Keycloak is not set up by default to handle SSL/HTTPS. It is highly recommended that you either enable SSL on the Keycloak server itself or on a reverse proxy in front of the Keycloak server.

That implies that it may be sufficient (secure enough) to use a reverse proxy to do the https, and leave Keycloak in its default “http” mode.

Indeed, when I use cloudflared to expose the Keycloak server to the internet, it does appear over https with a valid certificate.

So - is it secure enough to leave Keycloak using http (on its own server), and expose it to the internet using Cloudflare?


Since you do not control the network between Keycloak and Cloudflare, do not use HTTP. It’s only okay if you control the network, but even then it’s not a good practice.

Thanks xgp. I ticked ‘Full’ in Cloudflare, and it’s giving me padlock comfort. Is it not enough?

It’s vastly better than doing HTTP.

However, this doesn’t allow Cloudflare to verify the certificate. If you’re going to the trouble of running HTTPS on your server, why not just get a real certificate from a CA?

Really appreciate your feedback xgp. I haven’t set up https on the server; I was thinking that I could hide it behind Cloudflare and magically I wouldn’t need to configure https for Keycloak.

PS. I have tried configuring https for Keycloak. I followed this guide, which was pretty good, but some recent schema changes meant that the ‘security-realm’ tag is no longer valid within the ‘security-realms’ tag in standalone.xml.
I then followed the official guide and successfully ran the commands in the ‘Configure the keystore using the CLI’ section (instead of editing standalone.xml). But https://localhost:8443 gives empty responses.

It’s taken days of effort and still doesn’t work, which is why I’m hoping Cloudflare provides the equivalent protection of doing it manually.

If you’re trying to avoid doing it yourself, you would need control over the network between the reverse proxy and Keycloak. Are you running on AWS or GCP? Both of them offer reverse proxies that are designed to do this (ELB/ALB for AWS and External HTTPS Load Balancing for GCP). If you’re running Keycloak on your own infrastructure, the normal practice is to run it behind a reverse proxy like nginx, which (IMO) is easier to configure HTTPS on.
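
As an added illustration of the nginx approach described above (example configuration, not from this thread or the Keycloak project), this is a minimal TLS-terminating reverse proxy in front of a Keycloak instance that listens on plain HTTP on the loopback interface only. The hostname, certificate paths and the 127.0.0.1:8080 backend are assumptions; adjust them to your deployment.

```nginx
# Added example: nginx terminates TLS and forwards to Keycloak over loopback.
# Assumes Keycloak is started bound to 127.0.0.1 (e.g. standalone.sh -b 127.0.0.1)
# so the plain-HTTP hop never leaves the host. Hostname and cert paths are placeholders.

server {
    listen 80;
    server_name sso.example.com;
    # Never serve Keycloak over plain HTTP; redirect to the TLS listener.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name sso.example.com;

    # Certificate from a real CA (e.g. Let's Encrypt); paths are placeholders.
    ssl_certificate     /etc/letsencrypt/live/sso.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sso.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Keycloak uses these headers to build correct redirect/issuer URLs,
        # to enforce its "ssl required" realm setting, and to log the real
        # client address. They only take effect if proxy-address-forwarding="true"
        # is set on Keycloak's http-listener in standalone.xml.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  443;
    }
}
```

The two things that make this configuration safe rather than merely convenient are that Keycloak is reachable only on 127.0.0.1 (so nothing on the network can talk to the unencrypted listener) and that X-Forwarded-Proto is set by the proxy, not trusted from the client. If port 8080 were bound on all interfaces, the proxy would add nothing, because an attacker could simply bypass it.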

Nice. I’m running an Oracle “always free” VM. I suspect that the cloudflared daemon is providing that secure service between my VM and Cloudflare.

Yes, the Cloudflare tunnel (cloudflared) looks like it makes a secure tunnel between your server and Cloudflare’s edge endpoints. As long as you don’t open up your server to direct access, that appears to be a good solution.
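
To make the "don’t open up your server to direct access" condition concrete, here is an added example of a cloudflared tunnel configuration for this setup (illustrative only, not from the thread or from Cloudflare’s own docs). The tunnel UUID, credentials path and hostname are placeholders; the Keycloak backend on 127.0.0.1:8080 is an assumption.

```yaml
# Added example: /etc/cloudflared/config.yml for a Keycloak origin.
# cloudflared dials out to Cloudflare's edge, so no inbound port needs to be open.
tunnel: <TUNNEL-UUID>                                  # placeholder
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json  # placeholder

ingress:
  # Only the SSO hostname is routed, and only to the loopback listener, so the
  # plain-HTTP hop between cloudflared and Keycloak never leaves this host.
  - hostname: sso.example.com
    service: http://127.0.0.1:8080
  # Required catch-all: anything else is answered with 404 instead of proxied.
  - service: http_status:404
```

This only delivers the security property xgp describes if Keycloak itself is bound to the loopback address (for the WildFly-based distribution, start it with `standalone.sh -b 127.0.0.1`) and the VM’s network security list leaves 8080 and 8443 closed to the internet. A quick check is to confirm from another machine that a direct connection to the VM’s public IP on those ports is refused, while the Cloudflare hostname still works.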