Configuring Proxy Mode in Keycloak: Old vs. New Versions

Keycloak offers a “Proxy Mode” configuration for environments where Keycloak is behind a reverse proxy. This configuration ensures that Keycloak can work correctly when it’s behind a load balancer or proxy, by properly handling forwarded headers and request information. However, the method to configure Proxy Mode has changed slightly between older and newer versions of Keycloak. In this article, we will walk through how to configure Proxy Mode in both old and new versions of Keycloak.

1. Proxy Mode in Older Keycloak Versions (Pre-2020)

In older versions of Keycloak (pre-2020), enabling Proxy Mode was done through the standalone.xml configuration file. This file is part of the Keycloak standalone server configuration, and you would need to edit it to enable the proxy mode and configure related settings.

To enable Proxy Mode in older versions, follow these steps:

  1. Navigate to the Keycloak configuration directory:
       cd /opt/keycloak/standalone/configuration
  2. Open the standalone.xml file in a text editor:
       sudo nano standalone.xml
  3. Locate the <http-listener> section for the HTTP and HTTPS listeners.
  4. Find the section that configures proxy-related settings:
       <proxy-mode>…
  5. Set the proxy-mode tag to one of the following values:
     • off: No proxy is being used.
     • edge: The reverse proxy is at the edge (directly connected to the client).
     • reencrypt: The reverse proxy decrypts the traffic and forwards it to Keycloak in plaintext.
     • passthrough: The reverse proxy forwards traffic without modifying it.
     For example:
       <proxy-mode>edge</proxy-mode>
  6. Save the changes and restart Keycloak:
       sudo systemctl restart keycloak

2. Proxy Mode in Newer Keycloak Versions (Post-2020)

In newer versions of Keycloak (post-2020), the Proxy Mode configuration has shifted to a more modern approach, relying on the keycloak.conf file or environment variables, especially for containerized environments. The reverse proxy is still supported, but Keycloak now uses the keycloak.conf file or Docker/Kubernetes environment variables to handle Proxy Mode configuration.

Method 1: Using keycloak.conf (Non-Containerized Setup)

In newer Keycloak versions, to enable Proxy Mode, you can modify the keycloak.conf configuration file. Here’s how to do it:

  1. Navigate to the Keycloak configuration directory:
       cd /opt/keycloak/conf
  2. Edit the keycloak.conf file:
       sudo nano keycloak.conf
  3. Add the following line to enable Proxy Mode:
       proxy.mode=edge
  4. Save the file and restart Keycloak:
       sudo systemctl restart keycloak

Method 2: Using Docker or Kubernetes Environment Variables

If you’re running Keycloak in a Docker or Kubernetes setup, Proxy Mode can be enabled via environment variables. Here’s an example of how to enable Proxy Mode in a Docker container:

docker run -e KEYCLOAK_PROXY_MODE=edge jboss/keycloak

For Kubernetes, the proxy mode can be configured by setting the environment variable in the Pod definition:

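apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
spec:
  replicas: 1
  # apps/v1 Deployments require a selector that matches the Pod template labels
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        image: jboss/keycloak
        env:
        # Proxy mode is passed to the container as an environment variable
        - name: KEYCLOAK_PROXY_MODE
          value: "edge"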

3. Proxy Mode Configuration Options

Keycloak offers several proxy modes, each suitable for different reverse proxy setups:

  • off: No proxy is in use. Keycloak assumes it is directly accessed by clients without any proxy in between.
  • edge: The reverse proxy is located at the edge of the network, directly connected to clients. This is a common setup for environments where Keycloak is exposed to the internet.
  • reencrypt: The reverse proxy decrypts HTTPS traffic and forwards it to Keycloak over HTTP. This is typically used when a proxy terminates SSL/TLS connections.
  • passthrough: The reverse proxy forwards traffic without decrypting it. This setup is used when SSL/TLS termination is handled outside of the reverse proxy, often at a hardware load balancer.

4. Troubleshooting

If you encounter issues with Proxy Mode in Keycloak, consider the following:

  • Ensure that your reverse proxy is correctly forwarding headers like X-Forwarded-For and X-Forwarded-Proto to Keycloak.
  • Check Keycloak logs for any proxy-related errors, especially related to HTTPS or header forwarding.
  • Ensure your reverse proxy configuration is compatible with the Keycloak version you’re using.
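
One way to confirm the first point is to look at what Keycloak advertises about itself: when forwarded headers are not reaching it, the URLs in a realm's OpenID Connect discovery document (/.well-known/openid-configuration) carry the wrong scheme or an internal hostname. The Python sketch below is an added example, not part of the original article or of Keycloak; the hostname sso.example.com, the realm name demo and the sample document are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: a discovery document of the shape Keycloak serves, as it
# might look when the forwarded scheme/host are not reaching Keycloak.
SAMPLE_DISCOVERY = {
    "issuer": "http://sso.example.com/realms/demo",
    "authorization_endpoint": "http://sso.example.com/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "http://keycloak-internal:8080/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://sso.example.com/realms/demo/protocol/openid-connect/certs",
    "grant_types_supported": ["authorization_code"],
}


def _origin(url):
    """Return (scheme, host, port); a scheme's default port becomes None."""
    parts = urlsplit(url)
    port = parts.port
    if port == {"http": 80, "https": 443}.get(parts.scheme):
        port = None
    return parts.scheme, (parts.hostname or "").lower(), port


def find_proxy_mismatches(discovery, public_base_url):
    """List (field, reasons) for every advertised URL that does not use the
    public origin clients are expected to see through the reverse proxy."""
    want_scheme, want_host, want_port = _origin(public_base_url)
    findings = []
    for field, value in sorted(discovery.items()):
        if not (isinstance(value, str)
                and value.startswith(("http://", "https://"))):
            continue  # skip non-URL metadata such as lists of grant types
        scheme, host, port = _origin(value)
        shown = host if port is None else f"{host}:{port}"
        reasons = []
        if scheme != want_scheme:
            reasons.append(f"scheme is {scheme}: check X-Forwarded-Proto")
        if (host, port) != (want_host, want_port):
            reasons.append(f"host is {shown}: check the forwarded host")
        if reasons:
            findings.append((field, reasons))
    return findings


if __name__ == "__main__":
    for field, reasons in find_proxy_mismatches(SAMPLE_DISCOVERY,
                                                "https://sso.example.com"):
        print(f"{field}: {'; '.join(reasons)}")
```

To use it against a live server, fetch the discovery document through the proxy, parse the JSON, and pass the resulting dictionary together with the public URL that clients use.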

5. Conclusion

Configuring Proxy Mode in Keycloak is essential for ensuring that Keycloak functions correctly in environments where it’s behind a reverse proxy. The configuration method has changed slightly between older and newer versions, with older versions relying on the standalone.xml file and newer versions using the keycloak.conf file or environment variables. By following the appropriate method for your Keycloak version, you can enable and configure Proxy Mode to work seamlessly in your infrastructure.


Can’t Find standalone.xml in Keycloak? Here’s Why

If you’re unable to find the standalone.xml configuration file in Keycloak, it may be due to several reasons related to the distribution, installation, or configuration setup. This article will help you understand why standalone.xml might be missing and how to find or configure Keycloak without it.

1. Keycloak Versions and Distribution

Keycloak has several distributions, and depending on the version or the way you installed it, the location and existence of configuration files can vary. For example, if you’re using a containerized version of Keycloak (e.g., Docker), the configuration files might not be located in the same place as in the standalone installation.

To verify the Keycloak installation type, check your Keycloak directory structure. If you are using a Dockerized version of Keycloak, configuration will typically be managed via environment variables rather than direct file modifications like standalone.xml.

2. Location of Configuration Files

In a standalone Keycloak installation, the standalone.xml configuration file is usually located in the standalone/configuration directory of the Keycloak installation path. The typical directory structure should look like this:

/opt/keycloak/standalone/configuration/standalone.xml

If you cannot find the standalone.xml file, it might be in a different location based on your setup. To locate it, you can use the find command on Linux:

sudo find / -name standalone.xml

This will search your entire system for the standalone.xml file. If it’s not found, you may be using a different configuration method.

3. Alternative Configuration in Keycloak

If you can’t find standalone.xml, you might be using Keycloak with the keycloak.conf or another configuration file. With newer versions of Keycloak, the configuration process has shifted to using environment variables and different configuration files like keycloak.conf.

In such cases, configuration settings (like HTTP ports, database connections, etc.) are configured via environment variables or command-line arguments. You can edit the keycloak.conf file or set environment variables directly in your system or Docker container to configure your Keycloak instance.

4. Using Docker or Kubernetes

If you’re running Keycloak in Docker or Kubernetes, the configuration options will be set in the Docker container environment rather than in the standalone.xml file. In these environments, configuration changes are made through environment variables during container startup. Here’s an example of setting Keycloak configuration in a Docker command:

docker run -e KEYCLOAK_HTTP_PORT=8081 -e KEYCLOAK_HTTPS_PORT=8444 jboss/keycloak

In Kubernetes, configuration is typically handled through ConfigMaps or environment variables in the Pod definition.

5. Troubleshooting

If you’re still having trouble finding or configuring Keycloak without standalone.xml, consider the following steps:

  • Check the installation method you used (standalone installation vs. containerized).
  • Search for alternative configuration files like keycloak.conf.
  • Check which version of Keycloak you’re running; it may have shifted to the new configuration methods.

6. Conclusion

While standalone.xml is a commonly used configuration file in Keycloak, its absence could be due to the version or distribution you’re using. Keycloak’s configuration has evolved, especially with containerized setups, where environment variables and configuration files like keycloak.conf are used instead. By following the steps outlined above, you should be able to locate or configure Keycloak without relying on standalone.xml.