Practical Hints: How to Set Up a Reverse Proxy Server

Here are some practical tips to help you set up a reverse proxy server.

Scenario:

  • Using Authorization Code Flow

  • Connection to external identity provider (e.g. Azure)

  • Using the Keycloak Management adapter

  • Using the admin UI from an internal network

Implementation:

  • keycloak_config.xml in the X4 installation directory:

CODE
{
  "connection": {
    "realm": "X4Realm",
    "auth-server-url": "https://[INTERN_HOST]/auth/",
    "resource": "X4",
    "credentials": {
      "secret": "[SECRET]"
    }
  },
  "webAppKeycloakAuthUrl": "https://[EXTERN_URL]/auth/"
}

If INTERN_HOST and EXTERN_URL are the same name, add EXTERN_URL to the /etc/hosts file of the X4 server with the local IP address, so that the server-side connection (auth-server-url) resolves to the Keycloak host directly.

  • Keycloak.conf in Keycloak:

CODE
# Basic settings for running in production. Change accordingly before deploying the server.

# Database

# The database vendor.
#db=postgres

# The username of the database user.
#db-username=keycloak

# The password of the database user.
#db-password=password

# The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.
#db-url=jdbc:postgresql://localhost/keycloak

# Observability

# If the server should expose metrics and healthcheck endpoints.
#metrics-enabled=true

# HTTPS
https-key-store-file=${kc.home.dir}/conf/kc.keystore
# Must match the password used when creating kc.keystore (see the certificate steps below).
https-key-store-password=secret
https-port=443

# HTTP

# The proxy address forwarding mode if the server is behind a reverse proxy.
#proxy=edge

# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
#spi-sticky-session-encoder-infinispan-should-attach-route=false

# Hostname for the Keycloak server.
# hostname can be uncommented if the /etc/hosts entry is made.
#hostname=[EXTERN_URL]
#hostname-admin=[INTERN_HOST]
hostname-strict=false

# Used HTTP host.
#http-host=[INTERN_HOST]
#http-enabled=false

# Resources path prefix.
http-relative-path=/auth

# HTTP and HTTPS ports.
#http-port=8085
#https-port=8448

# Logging.
log=console,file
#log-file=${kc.home.dir}/log/keycloak.log

Additional notes:

  • Use a TLS certificate for Keycloak.
    If you use a self-signed certificate, import the public certificate (kc.crt) into the truststore of the JDK shipped with X4, so that the server-side connection from X4 to Keycloak (auth-server-url) is trusted. Run the command in the directory that holds the cacerts truststore (lib/security of the JDK; changeit is the default truststore password):

    CODE
    /c:/X4/jdk/bin/keytool -importcert -keystore cacerts -storepass changeit -alias kc -file kc.crt

    Furthermore, turn off certificate validation in the proxy server for the forwarding to Keycloak. Note that the proxy then accepts any certificate on that hop; the stricter option is to add kc.crt to the proxy's trust store and keep validation on, which requires the certificate to be issued for the name the proxy connects to ([INTERN_HOST]) rather than for localhost.

How to create a self-signed certificate to use in Keycloak:

  1. Create the private key and the certificate. The CN is localhost here; if the proxy is to validate the certificate, use CN=[INTERN_HOST] and add the name as a subject alternative name as well (e.g. -addext "subjectAltName=DNS:[INTERN_HOST]" with OpenSSL 1.1.1 or newer):

    CODE
    sudo openssl req -x509 -nodes -days 530 -newkey rsa:2048 -keyout kc.key -out kc.crt -subj "/C=DE/ST=Baden-Württemberg/L=Ettlingen/O=SoftProject/CN=localhost"

  2. Bundle key and certificate into a PKCS12 keystore (alias kc, store password changeit):

    CODE
    sudo openssl pkcs12 -inkey kc.key -in kc.crt -export -out kc.p12 -passout pass:changeit -name kc

  3. Convert the PKCS12 file into the Java keystore referenced by https-key-store-file in keycloak.conf. The destination store and key password must match https-key-store-password (secret in the configuration above):

    CODE
    /c:/X4/jdk/bin/keytool -importkeystore -srckeystore kc.p12 -srcstoretype PKCS12 -srcstorepass changeit -srcalias kc -srckeypass changeit -destkeystore kc.keystore -deststoretype JKS -deststorepass secret -destalias kc -destkeypass secret -noprompt

    Keycloak can also load the PKCS12 file directly (https-key-store-file=${kc.home.dir}/conf/kc.p12 with the matching https-key-store-password); in that case step 3 is not needed.

  • Run Keycloak in production mode (kc.sh start or kc.bat start, not start-dev), which disables plain HTTP by default and is the mode the configuration above is written for.

  • Add the following headers to the requests the proxy forwards to Keycloak:

CODE
X-Forwarded-For    the client's IP address (for example $remote_addr in nginx), not the host name
X-Forwarded-Proto  https
X-Forwarded-Host   the host name the client used, i.e. [EXTERN_URL] (for example $host in nginx)

    Keycloak only evaluates X-Forwarded-* headers when a proxy mode is set in keycloak.conf: proxy=reencrypt for the setup above, where Keycloak terminates TLS itself and the proxy connects to it via HTTPS (proxy=edge if the proxy forwards plain HTTP; Keycloak 24 and later use proxy-headers=xforwarded instead). With hostname-strict=false, Keycloak derives the URLs it issues (issuer, redirects, login links) from these headers, so make sure Keycloak is reachable only through the proxy; otherwise a client can choose the host name itself by sending its own X-Forwarded-Host. Uncommenting hostname=[EXTERN_URL] pins the public URL regardless of the headers.

  • Set the root URL for the X4 Client in Keycloak as follows: https://[EXTERN_URL]/X4
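
An nginx configuration that puts the points above together, added here as an example; it is not part of the original page or of the X4 or Keycloak product documentation. Assumptions: nginx is the reverse proxy, Keycloak listens on https://[INTERN_HOST]:443 as configured above, X4 listens on http://[INTERN_HOST]:8080, the public certificate for [EXTERN_URL] lies in /etc/nginx/tls/, and 10.0.0.0/8 stands for the internal network that may use the admin UI.

```nginx
# Added example: nginx as reverse proxy in front of Keycloak (/auth) and X4 (/X4).
# Assumptions (not from the original page): Keycloak on https://[INTERN_HOST]:443,
# X4 on http://[INTERN_HOST]:8080, certificates under /etc/nginx/tls/,
# 10.0.0.0/8 = internal network.
server {
    listen 443 ssl;
    server_name [EXTERN_URL];

    ssl_certificate     /etc/nginx/tls/extern.crt;
    ssl_certificate_key /etc/nginx/tls/extern.key;

    # Headers Keycloak needs to build its public URLs
    # (only honoured when keycloak.conf sets a proxy mode, e.g. proxy=reencrypt).
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;  # client IP chain, not the host name

    # Upstream TLS to Keycloak: trust the self-signed kc.crt explicitly and keep
    # validation on. Requires kc.crt to carry [INTERN_HOST] as subject alternative name.
    proxy_ssl_trusted_certificate /etc/nginx/tls/kc.crt;
    proxy_ssl_verify              on;
    proxy_ssl_server_name         on;
    proxy_ssl_name                [INTERN_HOST];
    # Weaker alternative described in the notes above (accepts any upstream certificate):
    # proxy_ssl_verify off;

    # Admin console only from the internal network (longest prefix wins over /auth/).
    location /auth/admin/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass https://[INTERN_HOST]:443/auth/admin/;
    }

    # Keycloak (http-relative-path=/auth)
    location /auth/ {
        proxy_pass https://[INTERN_HOST]:443/auth/;
    }

    # X4 client, root URL https://[EXTERN_URL]/X4
    location /X4/ {
        proxy_pass http://[INTERN_HOST]:8080/X4/;
    }
}
```

Validate the file with nginx -t before reloading. The proxy_ssl_* directives are set at server level so both Keycloak locations inherit them; if kc.crt still has CN=localhost without a matching subject alternative name, the /auth/ locations will fail with an upstream certificate error until the certificate is reissued or proxy_ssl_verify is switched off.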
