> On Apr 9, 2020, at 9:26 PM, DImuthu Upeksha <dimuthu.upeks...@gmail.com> 
> wrote:
> 
> @Marcus, @Isuru
> 
> I will regenerate them for now but in the long run we need to generate them 
> automatically when the docker compose is executed. Probably via another 
> container instance. However I'm not sure why it's even working for at least 
> 30 minutes. It should have failed from the very first call to the Keycloak. For 
> my setup, it doesn't even fail after 30 minutes. 
> 

Thanks Dimuthu. If it's easier we might put Keycloak behind an HTTPS proxy 
instead of configuring Keycloak to handle HTTPS.  Here are some rough notes I 
have from when I set this up with Apache handling HTTPS proxying to Keycloak:


## Proxy Keycloak behind Apache

```sh
setsebool -P httpd_can_network_connect on
```

https://serverfault.com/a/799090

Turns out not strictly necessary, but I found this too:

```apache
...
<VirtualHost keycloak.example.net:443>
...
RequestHeader set X-Forwarded-Proto "https"
...
```

https://stackoverflow.com/a/57140468

https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy

Fixed by

1. Adding `proxy-address-forwarding="true"` and `redirect-socket="proxy-https"`
   in standalone.xml:

```xml
<http-listener name="default" socket-binding="http"
    redirect-socket="proxy-https"
    proxy-address-forwarding="true"/>
```

2. Also changed to

```xml
<socket-binding name="proxy-https" port="443"/>
```

3. Added `ProxyPreserveHost On` to Apache VirtualHost

```apache
RequestHeader set X-Forwarded-Proto "https"
ProxyPass / "http://localhost:8080/"
ProxyPassReverse / "http://localhost:8080/"
ProxyPreserveHost On
```
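A quick offline check for the two standalone.xml settings from steps 1 and 2, added here as an example and not part of the original mail; the XML fragments it parses are constructed to mirror the fixed listener and the stock Keycloak one:

```python
# Added example (not from the thread): lint standalone.xml for steps 1 and 2.
import xml.etree.ElementTree as ET

# Constructed fragments: the first mirrors the fixed config from the mail,
# the second the stock Keycloak listener that sits behind no proxy.
FIXED_XML = """<server xmlns="urn:jboss:domain:10.0">
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="proxy-https" port="443"/>
  </socket-binding-group>
  <subsystem xmlns="urn:jboss:domain:undertow:10.0">
    <http-listener name="default" socket-binding="http"
        redirect-socket="proxy-https" proxy-address-forwarding="true"/>
  </subsystem>
</server>"""
STOCK_XML = FIXED_XML.replace(
    'redirect-socket="proxy-https" proxy-address-forwarding="true"',
    'redirect-socket="https"')

def _local(tag):
    # Drop the namespace so the check is independent of the schema version.
    return tag.rsplit("}", 1)[-1]

def check_proxy_config(xml_text, expected_port="443"):
    """Return a list of findings; empty means every http-listener forwards
    proxy headers and redirects to a socket-binding on the proxy's port."""
    root = ET.fromstring(xml_text)
    bindings = {e.get("name"): e.get("port")
                for e in root.iter() if _local(e.tag) == "socket-binding"}
    listeners = [e for e in root.iter() if _local(e.tag) == "http-listener"]
    if not listeners:
        return ["no <http-listener> element found"]
    findings = []
    for lst in listeners:
        name = lst.get("name")
        if lst.get("proxy-address-forwarding") != "true":
            findings.append(f'{name}: proxy-address-forwarding is not "true"')
        sock = lst.get("redirect-socket")
        if sock not in bindings:
            findings.append(f'{name}: redirect-socket "{sock}" has no socket-binding')
        elif bindings[sock] != expected_port:
            findings.append(f'{name}: redirect-socket "{sock}" is on port '
                            f'{bindings[sock]}, expected {expected_port}')
    return findings

if __name__ == "__main__":
    for label, xml in (("fixed", FIXED_XML), ("stock", STOCK_XML)):
        print(label, check_proxy_config(xml) or "OK")
```

Run it against a real standalone.xml by reading the file into `check_proxy_config`; the stock fragment reports both the missing `proxy-address-forwarding` and the 8443 redirect socket.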
