Thanks for the quick reply!
So I found this in the docs:
"There is some extra configuration you have to do in this scenario so that the actual client IP address is forwarded to and processed by the Keycloak server instances. Specifically:
Configure your reverse proxy or loadbalancer to properly set X-Forwarded-For and X-Forwarded-Proto HTTP headers.
Configure your reverse proxy or loadbalancer to preserve the original ‘Host’ HTTP header.
Configure the authentication server to read the client’s IP address from X-Forwarded-For header."
But I am not 100% sure how to implement this with my haproxy (as part of pfsense).
I have the option “X-Forwarded-For” on anyways in the (shared) frontend config.
I have added a custom header “X-Forwarded-Proto” in the Backend and tried setting it to “http” and “https”.
But I am not sure how to "preserve the original ‘Host’ HTTP header". I interpret this as not replacing it by setting a new header, but rather adding the X-Forwarded-Proto header.
The docs continue as follows:
"If your proxy is forwarding requests via the HTTP protocol, then you need to configure Keycloak to pull the client’s IP address from the X-Forwarded-For header rather than from the network packet. To do this, open up the profile configuration file (standalone.xml, standalone-ha.xml, or domain.xml depending on your operating mode) and look for the urn:jboss:domain:undertow:12.0 XML block.
X-Forwarded-For HTTP Config
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https"
proxy-address-forwarding attribute to the
http-listener element. Set the value to
Here, I struggled a bit to find the standalone.xml, as I am running the docker version. But I think I found it, although it looks a bit different: there are a few more elements in my version (e.g. an https-listener), and there already was a proxy-address-forwarding element there, which I changed (rather than added) according to the docs.
I then restarted the host but, alas, it isn’t working.
Is there anyone with a setup like mine who could share their config? Or is anyone able to pinpoint where I made a mistake?
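
An added example, not part of the original post or of the Keycloak docs: the three proxy-side requirements quoted above, written in plain haproxy.cfg syntax. It assumes TLS terminates on HAProxy and Keycloak is reached over plain HTTP; the section names, server address and certificate path are placeholders.

```haproxy
# Added example; section names, server address and certificate path are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    bind :443 ssl crt /path/to/cert.pem      # placeholder certificate path
    # Drop any X-Forwarded-For sent by the client, so the only value the
    # backend sees is the one HAProxy adds (a backend that trusts the
    # left-most entry would otherwise log a client-chosen address).
    http-request del-header X-Forwarded-For
    # set-header replaces any client-supplied value with the real scheme
    # the client used on this listener.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http  if !{ ssl_fc }
    default_backend be_keycloak

backend be_keycloak
    # Adds the client's source address as X-Forwarded-For.
    option forwardfor
    # Deliberately no "http-request set-header Host ..." rule: HAProxy
    # passes the client's Host header through unchanged unless a rule
    # rewrites it, which is what "preserve the original Host" asks for.
    server keycloak1 192.0.2.10:8080 check   # placeholder address, plain HTTP
```

Because the forwarded headers are only trustworthy when they come from the proxy, the Keycloak HTTP port should be reachable from HAProxy alone and not directly from clients.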