So the base that I am starting with is a Traefik proxy that authorizes access to services using Authelia and its associated Forward-Auth.
There are three test services being used: public, secure-1 and secure-2. The Authelia forward-auth tags are used on all three of the services, but Authelia is configured so that public bypasses and one-factor is used for both secure-1 and secure-2.
That is working but I would like to swap over to Keycloak.
deleting since there is a newer version in a newer post
...
This is getting gateway timeouts, which I think means that Traefik is close to being configured right but is not connecting well to the Keycloak instance.
Logs for Keycloak show nothing alarming to me. A warning about using the deprecated method for running behind a proxy.
Changes detected in configuration. Updating the server image.
Updating the configuration and installing your custom providers, if any. Please wait.
2024-03-09 20:10:14,252 WARN [org.key.qua.run.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
- proxy: Use proxy-headers.
2024-03-09 20:10:20,094 INFO [io.qua.dep.QuarkusAugmentor] (main) Quarkus augmentation completed in 5229ms
Server configuration updated and persisted. Run the following command to review the configuration:
kc.sh show-config
Next time you run the server, just run:
kc.sh start --optimized
2024-03-09 20:10:20,789 WARN [org.keycloak.quarkus.runtime.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
- proxy: Use proxy-headers.
2024-03-09 20:10:21,230 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-03-09 20:10:21,431 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-03-09 20:10:21,545 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!
2024-03-09 20:10:21,634 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN`
2024-03-09 20:10:21,638 INFO [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 9ec9c17c-9106-41f2-aed2-efe333ce9505, name: 1b20841fe688-50466
2024-03-09 20:10:21,644 WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
2024-03-09 20:10:21,644 WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20MB, but the OS only allocated 212.99KB
2024-03-09 20:10:21,644 WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
2024-03-09 20:10:21,644 WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25MB, but the OS only allocated 212.99KB
2024-03-09 20:10:21,651 INFO [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.33735
2024-03-09 20:10:22,726 WARN [io.quarkus.agroal.runtime.DataSources] (JPA Startup Thread) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-03-09 20:10:23,397 WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
2024-03-09 20:10:23,656 INFO [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) 1b20841fe688-50466: no members discovered after 2002 ms: creating cluster as coordinator
2024-03-09 20:10:23,663 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [1b20841fe688-50466|0] (1) [1b20841fe688-50466]
2024-03-09 20:10:23,677 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `1b20841fe688-50466`, physical addresses are `[192.168.176.3:49271]`
2024-03-09 20:10:23,687 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-03-09 20:10:24,351 INFO [org.keycloak.quarkus.runtime.storage.legacy.liquibase.QuarkusJpaUpdaterProvider] (main) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml
UPDATE SUMMARY
Run: 121
Previously run: 0
Filtered out: 0
-------------------------------
Total change sets: 121
2024-03-09 20:10:26,014 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: 1b20841fe688-50466, Site name: null
2024-03-09 20:10:26,089 INFO [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-03-09 20:10:26,131 INFO [org.keycloak.services] (main) KC-SERVICES0050: Initializing master realm
2024-03-09 20:10:27,129 INFO [io.quarkus] (main) Keycloak 24.0.1 on JVM (powered by Quarkus 3.8.1) started in 6.786s. Listening on: http://0.0.0.0:8080
2024-03-09 20:10:27,129 INFO [io.quarkus] (main) Profile prod activated.
2024-03-09 20:10:27,129 INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, keycloak, logging-gelf, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, vertx]
Traefik isn't showing anything particularly nasty.
I have to switch the log level to warn, but back to the Traefik logs.
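The Keycloak log above carries two things worth acting on before chasing the gateway timeout further: the `proxy: Use proxy-headers` deprecation, and the Vert.x warning that both the `X-Forwarded-*` and `Forwarded` header families are being trusted (a client can forge whichever one the proxy does not overwrite). The following docker compose fragment is an added example, not configuration from the original post; it shows the deprecated setting beside its Keycloak 24 replacement and the Traefik side that keeps that trust safe. The service names (`traefik`, `keycloak`), network name `proxy`, entrypoint `websecure`, hostname `auth.example.com`, the trusted upstream range and the admin credentials are all assumptions; the H2 dev-file database is kept only because the log shows `jdbc-h2`, and is not suitable beyond a test.

```yaml
# Added example (not from the original post): Keycloak 24.0.1 behind Traefik.
# Assumed names: services traefik/keycloak, network "proxy", entrypoint
# "websecure", hostname auth.example.com, upstream range 10.0.0.0/8. Adjust to taste.
services:
  traefik:
    image: traefik:v2.11            # assumed version
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.websecure.address=:443
      # Traefik overwrites client-supplied X-Forwarded-* headers unless the peer is
      # in trustedIPs (or forwardedHeaders.insecure is set). Keep this list to an
      # upstream you control; an open list turns Keycloak's header trust into a
      # way for clients to spoof their source address and scheme.
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8
      - --log.level=WARN
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [proxy]

  keycloak:
    image: quay.io/keycloak/keycloak:24.0.1
    command: start                  # "start --optimized" once the build step is done
    environment:
      KC_HOSTNAME: auth.example.com   # the public hostname Traefik routes to Keycloak
      KC_HTTP_ENABLED: "true"         # TLS terminates at Traefik; Keycloak serves plain HTTP
      # Deprecated: produces "proxy: Use proxy-headers" and makes Keycloak honour
      # both X-Forwarded-* and Forwarded, which is what the Vert.x warning is about.
      # KC_PROXY: edge
      # Keycloak 24 replacement: trust only the X-Forwarded-* family that Traefik sets.
      KC_PROXY_HEADERS: xforwarded
      KEYCLOAK_ADMIN: admin            # assumed; bootstrap admin, change after first login
      KEYCLOAK_ADMIN_PASSWORD: change-me
    labels:
      - traefik.enable=true
      - traefik.http.routers.keycloak.rule=Host(`auth.example.com`)
      - traefik.http.routers.keycloak.entrypoints=websecure
      - traefik.http.routers.keycloak.tls=true
      # A 504 from Traefik usually means it cannot open a connection to the
      # backend: the two containers must share a network, and the service must
      # target the port Keycloak actually listens on (8080 in the log above).
      - traefik.http.services.keycloak.loadbalancer.server.port=8080
    networks: [proxy]

networks:
  proxy:
```

After bringing this up, `kc.sh show-config` (the command the log itself suggests) should list `proxy-headers` rather than `proxy`, and the Vert.x "clients can forge requests" warning should no longer appear at startup. If the timeout persists with the port and network correct, the next thing to check from the Traefik container is plain TCP reachability of `keycloak:8080`, independent of any routing rule.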