I tried to secure the traffic of my Keycloak instance behind my proxy with SSL, but unfortunately without success so far.
Is there any way to follow the way described in the Keycloak documentation (Keycloak Docu) if you already have a certificate and don't want to use a self-signed certificate?
The traffic from the web to the proxy is encrypted correctly; only the way from the proxy to Keycloak does not seem to use SSL correctly yet.
Maybe someone here has a tip and can help me with my problem.
Thanks for your help.
I am using Keycloak 12.0.4 (distribution powered by WildFly) on CentOS 7.
@claudioweiler thanks for your quick reply. I tried to run nginx in front of Keycloak, but I'm getting nowhere with my current nginx configuration for Keycloak and am stuck at this point.
At the moment I'm using the Apache proxy.
Keycloak alone runs without problems.
The current configuration of nginx (/etc/nginx/nginx.conf) on its own also runs without problems.
As soon as I start both, there are problems because ports 80, 443, 8080 and 8443 are already in use (by Keycloak or nginx).
Do you have a working nginx config that runs in parallel with Keycloak (bare metal)?
Do I necessarily need a reverse proxy in front of Keycloak?
Currently Keycloak communicates via 8443 but still without SSL/TLS; where do I store/configure that with the existing purchased certificates?
As soon as I start both, there are problems because ports 80, 443, 8080 and 8443 are already in use
Right, nginx or Apache will run on 80 and 443; Keycloak will run on 8080 (no need for 8443). If you have a port conflict you need to check what is using those ports and close the processes or change the ports (for 80/443, better to close).
Maybe you already have Apache running, so nginx will conflict.
Do you have a working nginx config that runs in parallel with Keycloak (bare metal)?
Sorry, nope, we use Kubernetes here, but google it, test, and post your results here; we will try to help.
Do I necessarily need a reverse proxy in front of Keycloak?
No, definitely not. You can configure SSL on Keycloak without problems. I would dare to say that a reverse proxy is just a recommended approach.
Currently Keycloak communicates via 8443 but still without SSL/TLS; where do I store/configure that with the existing purchased certificates?
Do it as described in the documentation, just skip the certificate creation steps.
Running nginx and Apache at the same time, both on ports 80 and 443, is not possible.
Take one program and remove the other one, or at least do not use the same ports for both.
Only one process can listen on a specific socket, here HTTPS on 443.
On my setup, an Apache reverse proxy works fine.
Apache is the TLS endpoint and forwards the traffic to Keycloak without encryption.
The ports used are 443 on Apache for HTTPS and 8080 on Keycloak for HTTP.
On Linux you can check its usage with: netstat -tulpena | grep 443
Check for port 8080: netstat -tulpena | grep 8080
If there is already another program on your port, you can move your Keycloak to another port, e.g. 8088,
by passing the option in ./bin/standalone.conf: JAVA_OPTS="$JAVA_OPTS -Djboss.http.port=8088"
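A concrete Apache virtual host for the setup described in this post (Apache terminates TLS on 443 with the purchased certificate, Keycloak stays on plain HTTP 8080), added here as an example and not posted by anyone in the thread. The hostname sso.example.com, the certificate and key paths, and proxying only the /auth context are assumptions; adjust them to your installation.

```apache
# Added example, not from the thread. Needs mod_ssl, mod_proxy,
# mod_proxy_http and mod_headers. Hostname and paths are assumptions.
<VirtualHost *:443>
    ServerName sso.example.com

    SSLEngine on
    # Purchased certificate, intermediate chain and private key
    # (paths are assumptions; on CentOS 7 httpd 2.4.6 the chain still
    # goes into SSLCertificateChainFile)
    SSLCertificateFile      /etc/pki/tls/certs/sso.example.com.crt
    SSLCertificateChainFile /etc/pki/tls/certs/sso.example.com.chain.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/sso.example.com.key
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

    # Browsers must only ever talk HTTPS to the SSO host
    Header always set Strict-Transport-Security "max-age=31536000"

    # Keycloak must see the original Host header, otherwise it builds
    # redirect and issuer URLs pointing at 127.0.0.1:8080
    ProxyPreserveHost On

    # Tell Keycloak the client connection was HTTPS; Keycloak only honours
    # these headers when proxy-address-forwarding="true" is set on its
    # http-listener in standalone.xml. mod_proxy_http adds X-Forwarded-For
    # and X-Forwarded-Host by itself.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # Plain HTTP to Keycloak, but only over the loopback interface
    ProxyPass        /auth http://127.0.0.1:8080/auth
    ProxyPassReverse /auth http://127.0.0.1:8080/auth
</VirtualHost>

# Never serve the SSO host over plain HTTP; redirect to HTTPS instead
<VirtualHost *:80>
    ServerName sso.example.com
    Redirect permanent / https://sso.example.com/
</VirtualHost>
```

Two checks worth doing on CentOS 7 before blaming the configuration: SELinux blocks httpd from opening outbound connections to 8080 unless `setsebool -P httpd_can_network_connect 1` has been set, and Keycloak's default bind address is 127.0.0.1, which is exactly what you want here, so that Apache on 443 remains the only endpoint reachable from outside and the unencrypted 8080 hop never leaves the host.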
In my first attempt I tried to get nginx running with Keycloak as the upstream proxy,
and now in my second try Apache with Keycloak.
Apache has to run in parallel because this proxy already exists and has many services to serve.
My problem with nginx was that it can't communicate on 80 and 443 because Apache is running, and it also can't use ports 8080, 8443, 9990 and 9993 because of Keycloak.
Is it correct to change the configuration file "/etc/nginx/nginx.conf" or to create configurations for each service in "/etc/nginx/conf.d/*"?
I will post my configurations for nginx and Apache tomorrow morning; maybe you can advise me how to fix my problem/misconfiguration.
You are pointing to HTTPS on Keycloak; just use HTTP. Please confirm that your Keycloak is running on 8080.
It depends much on the setup, but I recommend you to use a virtual host and reverse proxy the root ("/"). If you need to proxy only the "auth" context, then it should be something like this:
Unfortunately the adjustments to the Apache proxy config did not solve the problem.
In my current instance Keycloak runs on 8443 after the first start.
Here I currently have problems activating an existing certificate. At the beginning Keycloak was started on 8080, and after that keys were generated automatically directly at restart ("Generated self signed certificate", "stored in the keystore → …/keycloak/standalone/configuration/application.keystore") and Keycloak was only available on port 8443, which changed.
I have been able to import the existing certificate into the keystore and now have the problem that when I try to add the new security-realm element using the CLI via the commands:
I never tested this, but it looks odd. Simply enabling a server identity should not disable an entire interface.
But you can always just start over!
The WildFly CLI always returns a message indicating the problem. Guessing: probably because these configurations are already added, so you can't add them again.
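An added example (not the commands the original poster ran, which are not on the page) of a jboss-cli script for Keycloak 12 (WildFly distribution) that points the 8443 listener at an existing keystore and enables proxy header handling on the 8080 listener. It guards each add with a read-resource check so it can be re-run after a half-applied attempt, which is the "already added" failure guessed at in the reply above. The realm name UndertowRealm, the keystore location relative to jboss.server.config.dir and the listener names follow the Keycloak server installation guide; the file name keycloak.jks and the password secret are assumptions.

```text
# Added example, not from the thread. Save as ssl.cli and run while Keycloak
# is up:   ./bin/jboss-cli.sh --connect --file=ssl.cli
# Keystore file name and password are assumptions; the keystore must hold the
# private key together with the purchased certificate and its chain, not the
# certificate alone.

# 1. Create the realm only if it is not there yet: a second ":add()" on an
#    existing address is rejected by the CLI as a duplicate resource.
if (outcome != success) of /core-service=management/security-realm=UndertowRealm:read-resource
    /core-service=management/security-realm=UndertowRealm:add()
end-if

# 2. Same guard for the server identity that carries the keystore.
if (outcome != success) of /core-service=management/security-realm=UndertowRealm/server-identity=ssl:read-resource
    /core-service=management/security-realm=UndertowRealm/server-identity=ssl:add(keystore-path=keycloak.jks, keystore-relative-to=jboss.server.config.dir, keystore-password=secret)
end-if

# 3. Switch the https-listener on 8443 from ApplicationRealm (whose
#    application.keystore holds the self-signed certificate generated at
#    first start) to the realm with the purchased certificate.
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=security-realm, value=UndertowRealm)

# 4. When Apache or nginx terminates TLS in front of Keycloak, let Keycloak
#    trust the X-Forwarded-For / X-Forwarded-Proto headers it sends, so that
#    redirect URLs use https:// and logs show the real client address.
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)

# Listener and realm changes only take effect after a reload.
reload
```

If the private key was protected with a different password than the keystore, add key-password=... to the server-identity add in step 2. Steps 1 to 3 are only needed if clients are meant to reach Keycloak on 8443 directly; with TLS terminated at the proxy and plain HTTP on 8080 behind it, step 4 is the one that matters, and 8443 can stay on the generated certificate as long as it is not exposed outside the host.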
I'm really struggling with Keycloak and its configuration at the moment.
It's very weird that Keycloak has generated a self-signed certificate on its own, and as I read this is only usable for the local test environment; an active certificate is already available and can't be used right away.
And in this case the default communication port has also been turned off.
I've already checked the file "…/standalone/configuration/standalone.xml" for this.