
Setting Up Keycloak in Production with Apache Reverse Proxy: A Step-by-Step Guide


Here’s a step-by-step guide to set up Keycloak in a production environment with Apache acting as a reverse proxy for auth.holidaylandmark.com.


Step 1: Prepare Keycloak Configuration

1.1 Keycloak Configuration (keycloak.conf)

  1. Locate the Keycloak Configuration File:
    In your Keycloak installation folder, go to conf/ and open (or create) keycloak.conf.
  2. Configure Database Connection:
    Replace the database settings with your own MariaDB credentials:
      db=mariadb
      db-url=jdbc:mariadb://localhost:3306/keycloak_db?localSocket=/opt/lampp/var/mysql/mysql.sock
      db-username=root
      db-password=Hgjngfjnfs
      db-pool-initial-size=5
      db-pool-min-idle=5
      db-pool-max-size=25
      db-pool-prefill=true
  3. Configure Reverse Proxy (Apache):
    Set http-enabled=true (Keycloak listens on 8080 over plain HTTP; Apache terminates TLS) and tell Keycloak to trust the X-Forwarded-* headers Apache sends:
      http-enabled=true
      http-port=8080
      proxy=reencrypt
      proxy-headers=xforwarded
  4. Set Hostname and Security Settings:
    Configure Keycloak's public hostname, strict hostname mode for production, and strict backchannel hostname checks:
      hostname=auth.holidaylandmark.com
      hostname-strict=true
      hostname-strict-backchannel=true
  5. Enable Health Checks and Metrics:
    Enable the health and monitoring endpoints:
      health-enabled=true
      metrics-enabled=true
  6. Disable Debugging and Set Log Level:
    Keep the logging level at INFO and disable hostname debugging:
      log-level=INFO
      hostname-debug=false
  7. Finalize Configuration File:
    Your final keycloak.conf should look like this:
      # ===============================
      # Keycloak Production Config
      # Reverse-proxied by Apache (LAMPP)
      # Hostname: auth.holidaylandmark.com
      # ===============================
      db=mariadb
      db-url=jdbc:mariadb://localhost:3306/keycloak_db?localSocket=/opt/lampp/var/mysql/mysql.sock
      db-username=root
      db-password=Hgjngfjnfs
      db-pool-initial-size=5
      db-pool-min-idle=5
      db-pool-max-size=25
      db-pool-prefill=true
      http-enabled=true
      http-port=8080
      proxy=reencrypt
      proxy-headers=xforwarded
      hostname=auth.holidaylandmark.com
      hostname-strict=true
      hostname-strict-backchannel=true
      cache=local
      health-enabled=true
      metrics-enabled=true
      log-level=INFO
      hostname-debug=false

1.2 Set Up Keycloak Admin User (First-Time Setup)

  1. Export the Environment Variables:
    Run these commands to set up the admin credentials (use only for the first run):
      export KEYCLOAK_ADMIN=admin1
      export KEYCLOAK_ADMIN_PASSWORD='Admin#1234'
  2. Start Keycloak:
    Run the following commands to build and start Keycloak for the first time (start --optimized skips the build step, so the build must have been run once before with the final keycloak.conf in place):
      bin/kc.sh build
      bin/kc.sh start --optimized
    After the first start, delete or unset the environment variables to avoid reusing them in production:
      unset KEYCLOAK_ADMIN
      unset KEYCLOAK_ADMIN_PASSWORD

Step 2: Configure Apache as Reverse Proxy

2.1 Edit Apache Virtual Host for HTTPS

  1. Edit the Apache Configuration:
    Open your Apache virtual host configuration file (httpd-vhosts.conf or extra/httpd-vhosts.conf):
      sudo nano /opt/lampp/etc/extra/httpd-vhosts.conf
  2. Set Up SSL (HTTPS):
    Add the following configuration to create a virtual host for auth.holidaylandmark.com (it needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded):
      <VirtualHost *:443>
          ServerName auth.holidaylandmark.com

          # Enable SSL
          SSLEngine on
          SSLCertificateFile /opt/lampp/etc/certs/auth.holidaylandmark.com/auth.holidaylandmark.com.cer
          SSLCertificateKeyFile /opt/lampp/etc/certs/auth.holidaylandmark.com/auth.holidaylandmark.com.key

          # Proxy to Keycloak (HTTP :8080)
          ProxyRequests Off
          ProxyPass / http://127.0.0.1:8080/
          ProxyPassReverse / http://127.0.0.1:8080/

          # Forward client IP/Proto to Keycloak
          RequestHeader set X-Forwarded-Proto "https"
          RequestHeader set X-Forwarded-Host "auth.holidaylandmark.com"
          RequestHeader set X-Forwarded-Port "443"

          # Optional: additional security headers
          Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
      </VirtualHost>
  3. Restart Apache:
    After saving the file, restart Apache to apply the changes:
      sudo /opt/lampp/lampp restartapache
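Before restarting, it is worth confirming that keycloak.conf and the vhost agree with each other, because a mismatch (wrong backend port, missing proxy-headers, ServerName different from hostname) produces confusing redirect loops rather than a clear error. The script below is an added example, not part of this guide or of Keycloak: it parses both files as plain text and reports inconsistencies. The two embedded samples are constructed from the values used above; the function names are mine.

```python
# Added example (not from the guide): cross-check keycloak.conf against the Apache vhost
# in front of it. Pure text parsing, runs offline; the samples are constructed from the guide.
import re

KEYCLOAK_CONF = """\
http-enabled=true
http-port=8080
proxy-headers=xforwarded
hostname=auth.holidaylandmark.com
hostname-strict=true
"""

APACHE_VHOST = """\
<VirtualHost *:443>
  ServerName auth.holidaylandmark.com
  SSLEngine on
  ProxyPass / http://127.0.0.1:8080/
  RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
"""

def parse_kc_conf(text):
    """Parse key=value lines of keycloak.conf; '#' comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def check_proxy_setup(kc_text, vhost_text):
    """Return a list of findings; an empty list means the two configs agree."""
    kc, findings = parse_kc_conf(kc_text), []
    target = re.search(r"^\s*ProxyPass\s+\S+\s+(\w+)://[^:/\s]+:(\d+)", vhost_text, re.M)
    if not target:
        return ["vhost has no ProxyPass to a host:port backend"]
    scheme, port = target.groups()
    if scheme == "http" and kc.get("http-enabled") != "true":
        findings.append("vhost proxies plain HTTP but http-enabled is not true")
    if port != kc.get("http-port", "8080"):
        findings.append(f"ProxyPass port {port} differs from http-port {kc.get('http-port', '8080')}")
    server = re.search(r"^\s*ServerName\s+(\S+)", vhost_text, re.M)
    if not server or server.group(1) != kc.get("hostname"):
        findings.append("ServerName and hostname differ; redirect and issuer URLs will be wrong")
    if "X-Forwarded-Proto" in vhost_text and kc.get("proxy-headers") != "xforwarded":
        findings.append("X-Forwarded-Proto is sent but proxy-headers=xforwarded is not set")
    if kc.get("hostname-strict") != "true":
        findings.append("hostname-strict is not true; set it in production")
    return findings
```

Run it with the real files read into the two strings; an empty list means the proxy chain is consistent.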

Step 3: Start Keycloak in Production

  1. Build Keycloak for Production:
    Run the build once so that the build-time options in keycloak.conf (db=mariadb, health-enabled, metrics-enabled) are baked into the server, then start with the --optimized flag, which skips the build at start-up and is the recommended way to run in production:
      bin/kc.sh build
      bin/kc.sh start --optimized
  2. Verify Keycloak:
    Open a browser and visit https://auth.holidaylandmark.com to ensure that Keycloak is accessible and properly configured. Log in using the admin credentials set earlier.

Step 4: Post-Setup Configuration

  1. Access Keycloak Admin Console:
    Log into the Keycloak Admin Console at: https://auth.holidaylandmark.com/auth/admin (the /auth prefix applies only if http-relative-path=/auth is set in keycloak.conf; with the default relative path the console is served at /admin).
  2. Create Clients, Realms, and Users:
    Set up your clients, realms, and users via the Keycloak Admin Console. Customize the identity provider, authentication flows, and any other configuration necessary for your application.

Step 5: Verify and Test

  1. Verify HTTPS Works:
    Ensure that the site is reachable only via HTTPS and not over plain HTTP. If the HTTP port (80) is reachable without redirecting to HTTPS, credentials and tokens could be sent in the clear, so treat it as a potential security vulnerability.
  2. Test Database Connectivity:
    Ensure that Keycloak can connect to the MariaDB database (use a MySQL client to verify the database is operational).
  3. Test Admin Login:
    Use the admin credentials to access the Keycloak Admin Console and verify that everything is configured properly.

Full keycloak.conf Configuration:

# ===============================
# Keycloak Production Config
# Reverse-proxied by Apache (LAMPP)
# Hostname: auth.holidaylandmark.com
# ===============================

# -------------------------------
# Database (MariaDB / MySQL)
# -------------------------------
# Use MariaDB driver (works with MySQL too)
db=mariadb
# Use local UNIX socket via MariaDB driver
db-url=jdbc:mariadb://localhost:3306/keycloak_db?localSocket=/opt/lampp/var/mysql/mysql.sock
db-username=root
db-password=Hgjngfjnfs

# Connection Pool (tune as needed)
db-pool-initial-size=5
db-pool-min-idle=5
db-pool-max-size=25
db-pool-prefill=true

# -------------------------------
# HTTP / Proxy
# -------------------------------
# Keycloak listens on 0.0.0.0:8080 (no TLS here; Apache handles TLS)
http-enabled=true
http-port=8080
# Make Keycloak trust the X-Forwarded-* headers set by Apache.
# proxy-headers is the current option; the proxy= option is the older form and is
# deprecated since Keycloak 24 in favour of proxy-headers.
proxy=reencrypt
proxy-headers=xforwarded

# -------------------------------
# Hostname
# -------------------------------
hostname=auth.holidaylandmark.com
hostname-strict=true
hostname-strict-backchannel=true
# If you want admin console on same host (default):
# hostname-admin=auth.holidaylandmark.com

# Optional: if you serve Keycloak under a path, uncomment and adjust:
# http-relative-path=/auth

# -------------------------------
# Caching (single-node)
# -------------------------------
cache=local
# For multi-node, you'd configure Infinispan + a cluster stack instead.

# -------------------------------
# Health / Metrics
# -------------------------------
health-enabled=true
metrics-enabled=true

# -------------------------------
# Logging
# -------------------------------
log-level=INFO
# log-console-output=json

# -------------------------------
# Hardening & misc
# -------------------------------
# Disable verbose hostname debug
hostname-debug=false
# Prevent exposing server details
# quarkus.http.filter.hide-server-header=true

Troubleshooting Tips:

  • Keycloak logs: check the logs for errors or warnings. The Quarkus-based distribution logs to the console by default; with log=console,file in keycloak.conf it also writes conf-relative data/log/keycloak.log. The path below is the legacy WildFly-era location:
      tail -f standalone/log/server.log
  • Apache logs: check the Apache error log if something goes wrong with proxying:
      tail -f /opt/lampp/logs/error_log

Conclusion

By following this guide, you’ll have a secure, reverse-proxied Keycloak setup running at https://auth.holidaylandmark.com in a production environment with Apache and MariaDB.
