Thanks for the quick reply!
So I found this in the docs:
"There is some extra configuration you have to do in this scenario so that the actual client IP address is forwarded to and processed by the Keycloak server instances. Specifically:
- Configure your reverse proxy or loadbalancer to properly set X-Forwarded-For and X-Forwarded-Proto HTTP headers.
- Configure your reverse proxy or loadbalancer to preserve the original "Host" HTTP header.
- Configure the authentication server to read the client's IP address from X-Forwarded-For header."
But I am not 100% sure how to implement this with my haproxy (as part of pfsense).
I have the option "X-Forwarded-For" on anyway in the (shared) frontend config.
I have added a custom header "X-Forwarded-Proto" in the Backend and tried setting it to "http" and "https".
But I am not sure how to "preserve the original 'Host' HTTP header". I interpret this as not replacing it by setting a new header but rather adding the X-Forwarded-Proto header.
The docs continue as follows:
"If your proxy is forwarding requests via the HTTP protocol, then you need to configure Keycloak to pull the client's IP address from the X-Forwarded-For header rather than from the network packet. To do this, open up the profile configuration file (standalone.xml, standalone-ha.xml, or domain.xml depending on your operating mode) and look for the urn:jboss:domain:undertow:12.0 XML block.
X-Forwarded-For HTTP Config
<subsystem xmlns="urn:jboss:domain:undertow:12.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <ajp-listener name="ajp" socket-binding="ajp"/>
        <http-listener name="default" socket-binding="http" redirect-socket="https"
                       proxy-address-forwarding="true"/>
        ...
    </server>
    ...
</subsystem>
Add the proxy-address-forwarding attribute to the http-listener element. Set the value to true."
Here, I struggled a bit to find the standalone.xml, as I am running the docker version. But I think I found it, although it looks a bit different (there are a few more elements in my version, e.g. an https-listener, and there already was a proxy-address-forwarding element there, which I changed (rather than added) according to the docs).
I then restarted the host but, alas, it isn't working.
Is there anyone with a setup like mine who could share their config? Or is anyone able to pinpoint where I made a mistake?
Thanks
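As an added illustration (not a config from the poster or from the Keycloak docs), here is a minimal raw haproxy.cfg fragment that meets the three documented requirements; the frontend/backend names, addresses and certificate path are assumptions, and on pfSense the GUI generates equivalent lines from its frontend/backend settings.

```haproxy
# Added example, not the original poster's configuration. Names, bind address,
# certificate path and backend address are assumptions.
frontend fe_keycloak
    bind 0.0.0.0:443 ssl crt /etc/ssl/private/example.pem   # assumed cert path
    mode http
    # Requirement 1a: append the real client IP to X-Forwarded-For.
    option forwardfor
    # Requirement 1b: X-Forwarded-Proto must reflect what the client actually
    # used, so derive it from the connection instead of hard-coding http/https.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http  if !{ ssl_fc }
    # Requirement 2: HAProxy forwards the client's Host header unchanged by
    # default. Preserving it means NOT adding a "set-header Host ..." rule here.
    default_backend be_keycloak

backend be_keycloak
    mode http
    # Requirement 3 is done on the Keycloak side (proxy-address-forwarding="true").
    # That setting makes Undertow trust whatever X-Forwarded-* headers it receives,
    # so the Keycloak port below must only be reachable from this proxy; a client
    # that can reach it directly could otherwise supply its own X-Forwarded-For.
    server kc1 10.0.0.10:8080 check   # assumed Keycloak HTTP listener
```

A quick way to confirm the headers arrive is to temporarily point the backend at a request-echoing service and check that X-Forwarded-For, X-Forwarded-Proto and the original Host all show up as expected.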