Run keycloak in Production without TLS configuration

SSamyak · November 22, 2023, 5:33am

Hi All
I am upgrading keycloak from version 15 to 21, while doing so i am facing one issue which is that to run keycloak 21 in production env it seems that it is essential to configure TLS, is there a way i can disable it.? because we are running keycloak in k8 cluster behind nginx. All the request to keycloak from public endpoint is routed via nginx for which we use https then nginx route those request to keycloak using http inside the cluster. For this reason it seems overhead for us to run keycloak with TLS enabled inside the cluster. Any suggestion or solution will be helpful.
thanks

sirishkumar · November 22, 2023, 6:57am

Below are the some of the configuration parameters(keycloak.conf) we set to enable http mode if TLS termination is done at load balancer. For reference Configuring the hostname - Keycloak

option	value	description
hostname-strict	false	Disables dynamically resolving the hostname from request headers
hostname-strict-https	false	Required for running only in http mode
http-enabled	true	Enables the HTTP listener
proxy	edge	edge proxy mode enables communication through HTTP between the proxy and Keycloak

SSamyak · November 24, 2023, 12:10pm

thanks @sirishkumar , will try this.

SSamyak · November 27, 2023, 7:01am

i am getting flowing error
ERROR ==> You need to have TLS enabled. Please set the KEYCLOAK_ENABLE_HTTPS variable to true

This is my configurations
KEYCLOAK_PRODUCTION: “true”
KEYCLOAK_ENABLE_HTTPS: “false”
KC_HOSTNAME_STRICT: “false”
KC_HOSTNAME_STRICT_HTTPS: “false”
KC_HTTP_ENABLED: “true”

sirishkumar · November 27, 2023, 7:59am

Looks like you are using bitnami charts and as per this comment bitnami/keycloak 8.0.* / 9.0.* Running Server in Development mode · Issue #10236 · bitnami/charts · GitHub , KEYCLOAK_ENABLE_HTTPS is required to be true if production mode(KEYCLOAK_PRODUCTION) is set to True. This is something specific to bitnami chart and not to keycloak. I have no experience with the bitnami keycloak chart configuration. May be try setting KEYCLOAK_PRODUCTION it to false and you need to analyze what are its implications with bitnami chart.

SSamyak · November 27, 2023, 8:46am

i found out one solution in the like you have shared, thanks.

sirishkumar · November 27, 2023, 8:56am

It would be useful for others if you can post the exact solution which worked for you

SSamyak · November 27, 2023, 11:08am

Sure, By simple adding
KEYCLOAK_PROXY = edge
i was able to resolve the issue
This was helpful

github.com/bitnami/charts

bitnami/keycloak 8.0.* / 9.0.* Running Server in Development mode

opened 10:48AM - 16 May 22 UTC

closed 01:34AM - 30 Jun 22 UTC

jack1902

### Name and Version bitnami/keycloak 8.0.1 ### What steps will reproduce the …bug? 1. Deploy chart with version `7.1.18` 2. Upgrade chart to version `8.0.1` ### Are you using any custom parameters or values? overrides in a seperate yaml ```yaml pdb: create: true autoscaling: enabled: true minReplicas: 2 cache: ownersCount: 2 authOwnersCount: 2 # TLS is terminated by NGINX, NGINX -> keycloak HTTP (wrapped in TLS by service-mesh) # ref: https://www.keycloak.org/server/reverseproxy proxy: edge # no longer a thing (was in older versions) proxyAddressForwarding: true replicaCount: 2 # ServiceDiscovery, serviceAccount and rbac required when more than 1 replica exists serviceDiscovery: enabled: true serviceAccount: # required as KUBE_PING is used as the discovery mechanism automountServiceAccountToken: true rbac: create: true rules: - apiGroups: - "" resources: - pods verbs: - get - list service: type: ClusterIP extraEnvVars: # Without needing to force backend request through the frontend # Need to look into /auth being removed in keycloak 17 - name: KEYCLOAK_EXTRA_ARGS value: "-Dkeycloak.frontendUrl=https://YOUR_DOMAIN/auth" ``` ### What is the expected behavior? to not see a warning of "DO NOT use in production", this is pretty concerning. ### What do you see instead? 2022-05-16 10:42:47,041 WARN [org.keycloak.quarkus.runtime.KeycloakMain] (main) Running the server in development mode. DO NOT use this configuration in production. ### Additional information I'm having to read keycloak docs and marry them up with the chart, no docs around upgrades from the current chart version I am on, and the one I desire to be on exist so it is a bit of guess work, but I don't believe my override values cause this issue

sirishkumar · November 28, 2023, 9:00am

Good to know, i also mentioned this in my first response

SSamyak · November 28, 2023, 10:31am

Yes , actually earlier i was using KC_PROXY instead of KEYCLOAK_PROXY. this seems to be causing the issue.
This is the working configuration
KEYCLOAK_PRODUCTION: “true”
KC_HOSTNAME_STRICT: “false”
KC_HOSTNAME_STRICT_HTTPS: “false”
KEYCLOAK_PROXY: “edge”
KEYCLOAK_ENABLE_HTTPS: “false”
PORT: 8080

Topic		Replies	Views
Is it possible to disable TLS when using SSL termination in reverse proxy? Securing applications	2	1332	June 6, 2022
How to disable TLS? authentication	2	2040	May 14, 2021
Issue with Keycloak running on Kubernetes in production mode (HTTPS) Configuring the server authentication , oidc	0	1199	May 31, 2023
HTTPS in kubernetes cluster, shall we let ingress do it? Configuring the server	0	485	April 26, 2022
Keycloak 17.0.1 behind NginX reverse proxy Configuring the server admin-console , documentation , upgrading	17	12718	April 25, 2022

Run keycloak in Production without TLS configuration

Related Topics