Hi,
I’m a self-hoster running a home lab. I’m semi-new to Linux and Keycloak, so please be gentle.
I have successfully set up Keycloak with an OpenLDAP backend. I have it running the production profile with a wildcard cert from Let's Encrypt. Using the server’s internal hostname I can successfully authenticate using OpenID Connect with any of my systems: Nextcloud, Proxmox, etc. Now I am trying to set up a reverse proxy so I can use Keycloak outside my network. I have a domain registered. I have HAProxy set up on my OPNsense firewall. I have HAProxy configured and working well for Home Assistant, Nextcloud, Jellyfin, and more.

However, when I try to set it up for Keycloak I am experiencing issues. I have done it like I do for the rest of my systems: a “Real Server” pointing to the internal hostname of my Keycloak server, a “Backend Pool” with the “Real Server” in it, a “Condition” which matches “idm.mydomainname.com”, and a “Rule” to use the “Condition”. Then I add the “Rule” to my “Public Service” and apply the config. For the most part it appears to have worked: I can access Keycloak’s web UI using the public address. But when I try to use that public address from one of my applications, they all complain. Nextcloud won’t even allow me to save the setting; Proxmox allows me to save, but I get an error when trying to authenticate.

Doing some testing from the Nextcloud server, I can curl the “.well-known/openid-configuration” address without issue, but if I try to wget it I get a “400 Bad Request” error. If I try to bring it up in the browser, the page views fine. This seems very strange to me. In the Nextcloud log I can see the same “400 Bad Request” error.
Here is the relevant part of my Keycloak config:
proxy=reencrypt
hostname-strict=false
proxy-headers=xforwarded
proxy-trusted-addresses=192.168.1.1
Here is the relevant part of my HAProxy config:
# Frontend: HTTPS ()
frontend HTTPS
http-response set-header Strict-Transport-Security "max-age=15768000"
bind 0.0.0.0:443 name 0.0.0.0:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/67dec66ab29186.42575410.certlist
mode http
option http-keep-alive
# logging options
# ACL: Nextcloud
acl acl_67dec46d2bcc97.24384237 hdr(host) -i nc.mydomainname.com
# ACL: Nextcloud_CalDav
acl acl_67dec49403f6f6.95808222 path_end -i /.well-known/caldav
# ACL: Nextcloud_CardDav
acl acl_67dec4acd93d93.14238859 path_end -i /.well-known/carddav
# ACL: Nextcloud_NodeInfo
acl acl_67dec4d9cf6171.59194233 path /.well-known/nodeinfo
# ACL: Nextcloud_WebFinger
acl acl_67dec506dd0ed6.82843845 path /.well-known/webfinger
# ACL: HomeAssistant
acl acl_67df11da021e86.46402353 hdr(host) -i ha.mydomainname.com
# ACL: Jellyfin
acl acl_67df1b6555b638.35915963 hdr(host) -i jf.mydomainname.com
# ACL: IDM
acl acl_67df62696ee533.32846084 hdr(host) -i idm.mydomainname.com
# ACTION: Redirect_Nextcloud_CalDav
http-request redirect code 301 location /remote.php/dav if acl_67dec46d2bcc97.24384237 acl_67dec49403f6f6.95808222
# ACTION: Redirect_Nextcloud_CardDav
http-request redirect code 301 location /remote.php/dav if acl_67dec46d2bcc97.24384237 acl_67dec4acd93d93.14238859
# ACTION: Redirect_Nextcloud_NodeInfo
http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_67dec46d2bcc97.24384237 acl_67dec4d9cf6171.59194233
# ACTION: Redirect_Nextcloud_WebFinger
http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_67dec46d2bcc97.24384237 acl_67dec506dd0ed6.82843845
# ACTION: Redirect_Nextcloud
use_backend Pool_Nextcloud if acl_67dec46d2bcc97.24384237
# ACTION: Redirect_HomeAssistant
use_backend Pool_HomeAssistant if acl_67df11da021e86.46402353
# ACTION: Redirect_SecStor
use_backend Pool_Vaultwarden if acl_67df1701d59a75.96686909
# ACTION: Redirect_Jellyfin
use_backend Pool_Jellyfin if acl_67df1b6555b638.35915963
# ACTION: Redirect_IDM
use_backend Pool_Keycloak if acl_67df62696ee533.32846084
.
.
.
Other backend configs
.
.
.
# Backend: Pool_Keycloak ()
backend Pool_Keycloak
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Server_Keycloak internalhost.mydomainanem.com:8443 ssl alpn h2,http/1.1 verify required ca-file /usr/local/etc/ssl/cert.pem
I’ve also posted this in the Keycloak forum in case this is something more on that side. But I’m hoping someone can help. Thanks in advance.
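An added diagnostic for the symptom described above (example code, not from the original post, Keycloak or HAProxy): it fetches the discovery document through the public hostname and checks that the issuer and endpoint URLs Keycloak advertises actually use that public host, since with hostname-strict=false Keycloak builds those URLs from the Host and X-Forwarded-* headers it receives, and a document that still names the internal host is one reason an OIDC client rejects a server whose UI loads fine. The hostnames, realm and the embedded sample document are constructed assumptions.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample discovery document (not captured from the original poster's
# server): the issuer still carries the internal hostname while the endpoints
# carry the public one, the kind of mismatch an OIDC client refuses.
SAMPLE_DOC = json.dumps({
    "issuer": "https://internalhost.example.internal:8443/realms/homelab",
    "authorization_endpoint": "https://idm.example.com/realms/homelab/protocol/openid-connect/auth",
    "token_endpoint": "https://idm.example.com/realms/homelab/protocol/openid-connect/token",
    "jwks_uri": "https://idm.example.com/realms/homelab/protocol/openid-connect/certs",
})

# Fields of the discovery document that must point at the public hostname.
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
              "userinfo_endpoint", "jwks_uri", "end_session_endpoint")


def check_discovery(doc_text, expected_host):
    """Return (field, value) pairs whose URL is not https on expected_host.

    A non-empty result means Keycloak is deriving its URLs from the wrong
    Host / X-Forwarded-* values, so a client that compares the issuer with
    the URL it was configured with will reject the server.
    """
    doc = json.loads(doc_text)
    problems = []
    for field in URL_FIELDS:
        value = doc.get(field)
        if value is None:
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https" or parsed.hostname != expected_host.lower():
            problems.append((field, value))
    return problems


def fetch_discovery(public_host, realm, user_agent="Wget/1.21"):
    """Fetch .well-known/openid-configuration via the proxy with a chosen
    User-Agent so the request can be varied from one tool. TLS is verified
    against the system CA store (hypothetical helper, network access needed)."""
    url = f"https://{public_host}/realms/{realm}/.well-known/openid-configuration"
    req = urllib.request.Request(url, headers={"User-Agent": user_agent, "Accept": "*/*"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    body = fetch_discovery("idm.example.com", "homelab")  # replace with your host/realm
    for field, value in check_discovery(body, "idm.example.com"):
        print(f"MISMATCH {field}: {value}")
```

Run it from the machine that hosts the complaining client (the Nextcloud server in the post), so the request takes the same path the application does.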