Is HTTP-only behind reverse proxy bad practice?

I’ve seen some conflicting information about running keycloak behind a reverse proxy in http-only mode.

On one hand it’s very common to terminate TLS at the proxy, and on the other hand I’ve read statements along the lines of “Keycloak should be run secure by default” implying it is bad practice to enable http communication, in case some proxy-level configuration is wrong.

What is the Keycloak team's stance on this as of today? What are the current steps as of today to deploy Keycloak as HTTP-only in a secure way?

My current research shows that I need to set the X-Forwarded headers from my proxy:

And I need the following ENV variables:

KC_PROXY_HEADERS = xforwarded
KC_HTTP_ENABLED = true

Disclaimer: I’m part of team “encrypt everything”.
For me, there’s no reason to use HTTP-only communication. Use HTTPS everywhere. Or, like Werner Vogels (CTO Amazon Web Services) once said: Dance like no one watches, encrypt like everyone does!

When dealing with authentication, some of the most protectable data is processed: your users' personal data, their credentials and more. Make it just not readable for entities (and persons) who must not have access to this data.

IMHO, that's an oxymoron; there is no "secure http-only way", by design.

That’s required for the proper communication between your proxy and KC, but is not related to the encryption. It’s important that your proxy sends the proper headers, either X-Forwarded or Forwarded, no matter which protocol, http or https, is being used.

This here is a community forum; the maintainers are not active here. You will only get answers from the community, not from the team itself.

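Both the original question (KC_PROXY_HEADERS=xforwarded plus KC_HTTP_ENABLED=true) and the reply above turn on the same point: the proxy must forward the original scheme and host, and Keycloak must trust those headers, otherwise Keycloak builds its issuer and endpoint URLs from the plain-HTTP hop it actually sees. The script below is an added example, not code from the thread or from the Keycloak project. It checks two things a practitioner would verify after wiring this up: that the headers arriving at Keycloak describe the public HTTPS origin, and that the realm's OIDC discovery document (which Keycloak derives from those headers) only advertises URLs on that origin. The discovery documents and header sets are constructed inline; the realm name, the origin `https://sso.example.com` and the internal name `keycloak:8080` are assumptions for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the headers Keycloak sees when the proxy (e.g. nginx) sets
# X-Forwarded-Proto/Host correctly. The client-facing origin is assumed to be
# https://sso.example.com; the internal hop stays plain HTTP on keycloak:8080.
GOOD_HEADERS = {
    "Host": "keycloak:8080",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "sso.example.com",
    "X-Forwarded-For": "203.0.113.10",
}

# Constructed sample: proxy passes the request through without forwarded headers.
BAD_HEADERS = {"Host": "keycloak:8080"}


def check_forwarded_headers(headers, expected_host):
    """Return a list of findings for a request as received by Keycloak.

    An empty list means the proxy told Keycloak the request originally arrived
    over HTTPS at the expected public host (the X-Forwarded contract that
    KC_PROXY_HEADERS=xforwarded makes Keycloak trust).
    """
    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get("x-forwarded-proto") != "https":
        findings.append("X-Forwarded-Proto is missing or not 'https'")
    if h.get("x-forwarded-host") != expected_host:
        findings.append(f"X-Forwarded-Host is not {expected_host!r}")
    if "x-forwarded-for" not in h:
        findings.append("X-Forwarded-For missing; Keycloak would log the proxy IP, not the client")
    return findings


def _discovery(origin, realm):
    # Build a minimal OIDC discovery document the way Keycloak lays it out:
    # every endpoint hangs off <origin>/realms/<realm>.
    base = f"{origin}/realms/{realm}"
    return json.dumps({
        "issuer": base,
        "authorization_endpoint": f"{base}/protocol/openid-connect/auth",
        "token_endpoint": f"{base}/protocol/openid-connect/token",
        "userinfo_endpoint": f"{base}/protocol/openid-connect/userinfo",
        "end_session_endpoint": f"{base}/protocol/openid-connect/logout",
        "jwks_uri": f"{base}/protocol/openid-connect/certs",
        "response_types_supported": ["code", "id_token", "token id_token"],
    })


# Constructed samples: what .well-known/openid-configuration looks like with a
# correct proxy (public origin) versus a proxy that dropped the forwarded headers
# (Keycloak then advertises its internal plain-HTTP address).
GOOD_DISCOVERY = _discovery("https://sso.example.com", "demo")
BAD_DISCOVERY = _discovery("http://keycloak:8080", "demo")


def check_discovery(doc_json, expected_origin):
    """Return a list of findings for a discovery document.

    Every URL-valued field must use https and the expected public host; a
    http:// or internal-hostname URL here means clients will be sent to an
    address that is either unreachable or unencrypted.
    """
    doc = json.loads(doc_json)
    expected = urlsplit(expected_origin)
    findings = []
    for key, value in doc.items():
        if not isinstance(value, str) or "://" not in value:
            continue  # skip lists and non-URL strings
        parts = urlsplit(value)
        if parts.scheme != "https":
            findings.append(f"{key}: scheme {parts.scheme!r}, expected https")
        if parts.netloc != expected.netloc:
            findings.append(f"{key}: host {parts.netloc!r}, expected {expected.netloc!r}")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(label, "headers:", check_forwarded_headers(hdrs, "sso.example.com") or "ok")
    for label, doc in (("good", GOOD_DISCOVERY), ("bad", BAD_DISCOVERY)):
        print(label, "discovery:", check_discovery(doc, "https://sso.example.com") or "ok")
```

In a real deployment you would feed `check_discovery` the body of `GET https://sso.example.com/realms/<realm>/.well-known/openid-configuration` fetched through the proxy; an `http://` issuer there is the usual symptom of missing X-Forwarded headers or of KC_PROXY_HEADERS not being set. Passing both checks shows the header contract is right; it says nothing about who else can reach port 8080, so the plain-HTTP listener still needs to be reachable only from the proxy.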

Thank you for your reply dasniko!

I understand that "secure" http-only could be understood as an oxymoron, but in my opinion, security is a question of scope, not absolutes. HTTPS is after all only as safe as the systems using it (if your PC is hacked, then all bets are off). If HTTP communication occurs only behind the proxy, then there should in theory be no issues.

I suppose the flipside of the question is: why even try to use http-only? The answer is simplicity. Managing the certificates for my Keycloak instance is just "one more thing" for a small team to be thinking about, just "one more" potential difference between production and testing environments, etc.

Perhaps my question should have been formulated a bit differently: Is using Keycloak, with http-only, behind a proxy which terminates TLS, more involved than just setting a few environment variables? Or is this a naive approach? Is getting this right going to be finicky enough to increase the mental load related to understanding a system instead of reducing it?

Cheers

Claude

Well, you asked for opinions on your question of bad practice.
I told you my opinion.

HTTPS is not about security on the devices/servers; it's about transport security.

From the fairy tale “the internal network is safe…”
As soon as there is network between the proxy and the nodes, there is an attack vector.

TBH, certificate management got so much simpler today than some years ago. One just has to start thinking about it and then use it, make it mandatory. Even on localhost.

jm2c
