Keycloak on OpenJDK (bare metal) behind reverse proxy

Hi everyone,

I recently installed Keycloak on OpenJDK 12.0.4 (bare metal).
I use an nginx server as a reverse proxy for all my applications to secure my connections (HTTP → HTTPS) over SSL.

My current configuration does not start correctly; I want to prepare Keycloak load balancing for cluster operation in the next step.

Does anyone here already have a running nginx configuration, or has anyone already implemented a reverse proxy and load balancing successfully in a cluster?

Many thanks in advance

Hi,

I did this (two WildFly instances) with an Apache AJP proxy configuration. Keycloak must be running in standalone-ha mode.

In Apache, I enabled the mods ssl, rewrite, proxy_ajp, proxy_balancer, lbmethod_byrequests, headers.

In Apache's default-ssl.conf I defined the cluster (at the top of the file):

<Proxy balancer://cluster>
    BalancerMember ajp://NODE1.yourdomain.org:8009 route=NODE1 status=
    BalancerMember ajp://NODE2.yourdomain.org:8009 route=NODE2 status=
    # Keycloak appends the node route to its AUTH_SESSION_ID cookie, so the
    # balancer can pin a browser to the node that started the login flow.
    ProxySet stickysession=AUTH_SESSION_ID
    # Apache 2.2 syntax; on Apache 2.4 this is "Require all granted".
    Allow from all
</Proxy>

In the virtual host section, I added this:

ProxyPass /auth balancer://cluster/auth
ProxyPassReverse /auth balancer://cluster/auth

Then both WildFly instances are started with the params:
--server-config=standalone-ha.xml -b=0.0.0.0 -bprivate=x.y.z.1 -Djboss.node.name=NODE1 -Djboss.tx.node.id=NODE1
--server-config=standalone-ha.xml -b=0.0.0.0 -bprivate=x.y.z.2 -Djboss.node.name=NODE2 -Djboss.tx.node.id=NODE2

(To be redundant in case of an Apache restart, we are running the Apache proxies crosswise on each WildFly node, with a Big-IP F5 network load balancer in front of them, but this requires some network reconfiguration for the ARP resolution…)

regards,
Matthias


@mbonn many thanks for your reply and for sharing your experience.

I'm currently preparing Keycloak to be redundant and HA, serving two instances on different hardware (Keycloak, DB, etc.) by means of a load balancer, which will continue to provide the SSO IdP in case of a service outage.
Apache is already used by other instances/applications, so I wanted to run nginx separately for Keycloak.

Is there anyone running Keycloak without Docker (bare metal) behind nginx, where 2 Keycloak instances communicate with each other in parallel (SSO instances, database, and switching over to the second Keycloak instance when one Keycloak instance terminates)?

Hi,

We are running nearly this environment. Have you tried this configuration in nginx?

http {
    upstream keycloak-ha {
        server env_SERVERIP1:8080 fail_timeout=0 max_fails=1;
        server env_SERVERIP2:8080 backup fail_timeout=0 max_fails=1;
    }
    # ... rest of the http block (servers, TLS settings) ...
}

The second one is used only when the first has a timeout.
Maybe this helps.


@ederc
Are you running Keycloak in multiple instances in a cluster with synchronized databases for load balancing and fallback (service backup) in case a server/instance stops running or is interrupted?

I tried different nginx configurations, because I still have Apache and Tomcat running in parallel in my test environment before rolling out into the productive environment.

@xkey
Both Keycloak instances are running in standalone-ha mode and use the same database. It works fine; we tried it for maintenance. The only thing is, a user session will not move from one node to the other. A re-login is necessary.


Are you using Keycloak as SSO/IAM in a Docker container or on bare metal in your environment?

Would you have an extended snippet of your nginx/Apache configuration?

We don't use Docker. Here is my configuration, with some values which will be replaced by the GIT pipeline:

user env_DESTUSER;
worker_processes 1;

pid /srv/httpd/sites/env_DESTUSER/runtime/nginx.pid;

events {
    worker_connections 1024;
}

http {
    upstream keycloak-ha {
        server env_SERVERIP1:8080 fail_timeout=0 max_fails=1;
        server env_SERVERIP2:8080 backup fail_timeout=0 max_fails=1;
    }

    log_format weka '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$host"';
    access_log logs/access_log weka;

    error_log logs/error_log;

    include mime.nginx.types;
    default_type application/octet-stream;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    # SSL options
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers on;

    # SSL redirect 80 → 443
    server {
        listen env_WWW_SERVERIP:80;
        server_name env_WWW_SERVERDOMAIN;
        server_tokens off;
        return 301 https://$server_name$request_uri;
    }

    # SSL host
    server {
        listen env_WWW_SERVERIP:443 ssl;
        server_name env_WWW_SERVERDOMAIN;
        server_tokens off;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        ssl_certificate     /srv/httpd/sites/env_DESTUSER/conf/certs/XXXX.pem;
        ssl_certificate_key /srv/httpd/sites/env_DESTUSER/conf/certs/XXXX.key;

        # access rules for URLs
        include includes/keycloak.inc;
    }
}

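The posted config includes its location rules from includes/keycloak.inc without showing them. The block below is an added example of what such an include has to contain for Keycloak to work behind a TLS-terminating nginx; it is not ederc's file and not Keycloak project code. It assumes the upstream name keycloak-ha from the post above, Keycloak listening on plain HTTP 8080 on both nodes, and a management network of 10.0.0.0/8 (a placeholder).

```nginx
# Added example (not ederc's includes/keycloak.inc).
# Assumed: upstream "keycloak-ha" is defined in the enclosing http {} block,
# both nodes serve plain HTTP on 8080, TLS is terminated by this vhost.

location /auth {
    proxy_pass http://keycloak-ha;

    # Keycloak builds redirect URIs, issuer URLs and cookies from the
    # browser-facing scheme and host, not from the proxy's 127.0.0.1:8080.
    # It only honours these headers when the Undertow http-listener in
    # standalone-ha.xml has proxy-address-forwarding="true".
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;

    # Token responses and SAML redirects carry large headers; the default
    # proxy buffers (4k/8k) make nginx fail with "upstream sent too big header".
    proxy_buffer_size       128k;
    proxy_buffers           4 256k;
    proxy_busy_buffers_size 256k;

    # Fail over to the backup server only on connection errors and timeouts.
    # Do not add http_500/http_502 here: a POST that already reached Keycloak
    # (login form, token exchange) would be replayed on the second node.
    proxy_next_upstream error timeout;
    proxy_http_version 1.1;
}

# The admin console is not something the internet needs to reach.
location /auth/admin {
    allow 10.0.0.0/8;   # assumed management network, replace
    deny  all;

    proxy_pass http://keycloak-ha;
    # proxy_set_header is not inherited once a location sets its own, so repeat it.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;
}
```

Two things to check after dropping this in: `nginx -t`, then open https://env_WWW_SERVERDOMAIN/auth/realms/master/.well-known/openid-configuration and confirm the issuer and endpoint URLs say https and your public host rather than http://…:8080; if they do not, the X-Forwarded-* headers are arriving but proxy-address-forwarding is still false on the Keycloak side. Note that the active/backup upstream from the post gives failover, not load balancing; if both nodes should serve traffic, Keycloak's sticky routing uses the node route appended to the AUTH_SESSION_ID cookie, which open-source nginx cannot key on, so `ip_hash` in the upstream block is the nearest approximation.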

@ederc many thanks for sharing your config and for the quick reply.

I'm not making any progress with my current nginx configuration for Keycloak and am stuck at this point.

Keycloak alone runs without problems.
The current configuration of nginx (/etc/nginx/nginx.conf) on its own also runs without problems.

As soon as I start both in a row, it leads to problems because the ports 80, 443, 8080 and 8443 are already in use (by Keycloak or nginx).

Do I necessarily need the reverse proxy in front of Keycloak?

Currently Keycloak communicates via 8443, but still without SSL/TLS; where do the existing, purchased certificates have to be deposited/configured?

Many thanks in advance