Hi Dimuthu, Marcus

On Fri, Apr 10, 2020 at 9:47 AM Christie, Marcus Aaron <[email protected]>
wrote:

>
>
> On Apr 9, 2020, at 9:26 PM, DImuthu Upeksha <[email protected]>
> wrote:
>
> @Marcus, @Isuru
>
> I will regenerate them for now, but in the long run we need to generate
> them automatically when the docker compose is executed. Probably via
> another container instance. However, I'm not sure why it's even working for
> at least 30 minutes. It should have failed from the very first call to
> Keycloak. For my setup, it doesn't even fail after 30 minutes.
>
>
Thanks. I am planning to develop some service to handle certificate
auto-renewal and updates in Custos. Maybe we can use that for Airavata as
well.

>
> Thanks Dimuthu. If it's easier we might put Keycloak behind an HTTPS proxy
> instead of configuring Keycloak to handle HTTPS.  Here are some rough notes
> I have from when I set this up with Apache handling HTTPS proxying to
> Keycloak:
>
>
> ## Proxy Keycloak behind Apache
>
> ```
> setsebool -P httpd_can_network_connect on
> ```
>
> https://serverfault.com/a/799090
>
> Turns out not strictly necessary, but I found this too:
>
> ```
> ...
> <virtualhost keycloak.example.net:443>
> ...
> RequestHeader set X-Forwarded-Proto "https"
> ...
> ```
>
> https://stackoverflow.com/a/57140468
>
>
> https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
>
> Fixed by
>
> 1. Adding `proxy-address-forwarding="true"` and
> `redirect-socket="proxy-https"`
>    in standalone.xml:
>
> ```xml
> <http-listener name="default" socket-binding="http"
> redirect-socket="proxy-https"
>     proxy-address-forwarding="true"/>
> ```
>
> 2. Also changed to
>
> ```xml
> <socket-binding name="proxy-https" port="443"/>
> ```
>
> 3. Added `ProxyPreserveHost On` to Apache VirtualHost
>
> ```ini
> RequestHeader set X-Forwarded-Proto "https"
> ProxyPass / "http://localhost:8080/"
> ProxyPassReverse / "http://localhost:8080/"
> ProxyPreserveHost On
> ```
>
>
>

-- 
Research Software Engineer
Indiana University, IN
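
Added example, not part of the original e-mails or of any Airavata, Custos or Keycloak code: a check that a realm's OIDC discovery document, fetched through the Apache proxy described in the notes above, advertises only the public HTTPS origin. The public origin `https://keycloak.example.net` follows the hostname in the notes; the sample document, its realm path and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample (not captured output): the kind of discovery document
# Keycloak serves when the proxy headers are not honoured and it builds its
# URLs from the backend request (http, localhost:8080).
MISCONFIGURED = json.loads("""{
  "issuer": "http://localhost:8080/auth/realms/master",
  "authorization_endpoint": "http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
  "jwks_uri": "http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
  "grant_types_supported": ["authorization_code"]
}""")

def _urls(node, path=""):
    """Yield (json_path, value) for every absolute http(s) URL in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _urls(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _urls(value, f"{path}[{i}]")
    elif isinstance(node, str) and node.lower().startswith(("http://", "https://")):
        yield path, node

def check_discovery(doc, external_base):
    """Return (field, url, problem) for each URL that does not match the public origin."""
    want = urlsplit(external_base)
    findings = []
    for field, url in _urls(doc):
        got = urlsplit(url)
        if got.scheme != "https":
            # Keycloak did not learn the client-facing scheme from the proxy.
            findings.append((field, url,
                             "scheme is not https: check X-Forwarded-Proto and proxy-address-forwarding"))
        if got.hostname != want.hostname or got.port not in (None, want.port or 443):
            # Keycloak saw the backend Host header instead of the public one.
            findings.append((field, url,
                             "backend authority exposed: check ProxyPreserveHost"))
    return findings

if __name__ == "__main__":
    for field, url, problem in check_discovery(MISCONFIGURED, "https://keycloak.example.net"):
        print(f"{field}: {url}\n    {problem}")
```

To run it against a live setup, pass the parsed JSON from the realm's `.well-known/openid-configuration` endpoint, requested through the proxy, in place of the constructed sample.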
