I recently installed Keycloak on OpenJDK 12.0.4 (bare metal).
I use an nginx server as a reverse proxy for all my applications to secure my connections (HTTP → HTTPS) over SSL.
My current configuration does not start correctly to prepare Keycloak load balancing for cluster operation in the next step.
Does anyone here already have a running nginx configuration, or has anyone already implemented reverse proxy and load balancing successfully in the cluster?
Then both WildFly instances are started with the params:
--server-config=standalone-ha.xml -b=0.0.0.0 -bprivate=x.y.z.1 -Djboss.node.name=NODE1 -Djboss.tx.node.id=NODE1
--server-config=standalone-ha.xml -b=0.0.0.0 -bprivate=x.y.z.2 -Djboss.node.name=NODE2 -Djboss.tx.node.id=NODE2
(To be redundant in case of an apache restart, we are running the apache proxies crosswise on each wildfly node and a Big IP F5 network loadbalancer in front of them, but this requires some network reconfiguration for the ARP-resolution…)
@mbonn many thanks for your reply and sharing experience
I’m currently preparing keycloak redundant and HA to serve two instances on different hardware (keycloak, DB, etc.) by means of loadbalancer, which will continue to provide the SSO IdP in case of a service outage.
Apache is already used by other instances/applications, so I wanted to run the nginx separately for keycloak.
Is there anyone running keycloak without docker → bare metal in nginx where 2 keycloak instances communicate with each other in parallel (SSO instances, database and switching over to the second keycloak instance when one keycloak instance terminates)?
We are running nearly this environment. Have you tried this configuration in nginx?
…
http {
    upstream keycloak-ha {
        server env_SERVERIP1:8080 fail_timeout=0 max_fails=1;
        server env_SERVERIP2:8080 backup fail_timeout=0 max_fails=1;
    }
…
The second one is used only when the first has a timeout.
Maybe this helps.
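The upstream from the post above, placed in a complete TLS-terminating reverse-proxy configuration. This is an added example, not part of the original post; the hostname `sso.example.org` and the certificate paths are hypothetical placeholders, and `env_SERVERIP1`/`env_SERVERIP2` are the post's own placeholders for the two Keycloak nodes.

```nginx
# Added example: hostname and certificate paths are placeholders.
events {}

http {
    # Active/backup pool as posted above: the second node only receives
    # traffic when the first one cannot be reached.
    upstream keycloak-ha {
        server env_SERVERIP1:8080 fail_timeout=0 max_fails=1;
        server env_SERVERIP2:8080 backup fail_timeout=0 max_fails=1;
    }

    # Plain HTTP is only used to redirect clients to HTTPS.
    server {
        listen 80;
        server_name sso.example.org;                             # hypothetical
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name sso.example.org;                             # hypothetical

        ssl_certificate     /etc/nginx/tls/sso.example.org.crt;  # hypothetical
        ssl_certificate_key /etc/nginx/tls/sso.example.org.key;  # hypothetical
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://keycloak-ha;

            # Pass the original host, scheme and client address so Keycloak
            # builds https:// URLs and logs the real client IP. The values
            # are set here, not appended, so anything the client sent in
            # these headers is overwritten.
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For   $remote_addr;
            proxy_set_header X-Forwarded-Port  $server_port;

            # Retry on the backup node when the primary refuses the
            # connection or times out.
            proxy_next_upstream error timeout;
        }
    }
}
```

On the WildFly-based Keycloak distribution the HTTP listener in `standalone-ha.xml` also needs `proxy-address-forwarding="true"` so that these headers are honoured. Because the nodes then trust `X-Forwarded-*` values, port 8080 on each node should accept connections from the proxy only.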
@ederc
Are you running keycloak in multiple instances in a cluster with synchronized databases for load-balancing and fallback (service backup) in case a server/instance stops running or is interrupted?
I tried different nginx configurations, because I still have Apache and Tomcat running in parallel in my test environment before rolling out into the productive env.
@xkey
Both keycloak instances are running in standalone-ha mode and use the same database. It works fine, we tried it for maintaining. The only thing is, a user session will not move from one node to the other. A re-login is necessary.