Here’s a step-by-step guide to set up Keycloak in a production environment with Apache acting as a reverse proxy for auth.holidaylandmark.com.
Step 1: Prepare Keycloak Configuration
1.1 Keycloak Configuration (keycloak.conf)
- Locate the Keycloak Configuration File:
- In your Keycloak installation folder, go to
conf/and open (or create)keycloak.conf.
- In your Keycloak installation folder, go to
- Configure Database Connection:
Replace the database settings with your own MariaDB credentials.db=mariadb db-url=jdbc:mariadb://localhost:3306/keycloak_db?localSocket=/opt/lampp/var/mysql/mysql.sock db-username=root db-password=Hgjngfjnfs db-pool-initial-size=5 db-pool-min-idle=5 db-pool-max-size=25 db-pool-prefill=true - Configure Reverse Proxy (Apache):
Sethttp-enabled=true(Keycloak listens on 8080, but Apache terminates TLS).http-enabled=true http-port=8080 proxy=reencrypt proxy-headers=xforwarded - Set Hostname and Security Settings:
Configure Keycloak’s hostname, strict mode for production, and backend checks.hostname=auth.holidaylandmark.com hostname-strict=true hostname-strict-backchannel=true - Enable Health Checks and Metrics:
Enable health and monitoring endpoints.health-enabled=true metrics-enabled=true - Disable Debugging and Set Log Level:
Keep logging level asINFOand disable hostname debugging.log-level=INFO hostname-debug=false - Finalize Configuration File:
Your finalkeycloak.confshould look like this:# =============================== # Keycloak Production Config # Reverse-proxied by Apache (LAMPP) # Hostname: auth.holidaylandmark.com # =============================== db=mariadb db-url=jdbc:mariadb://localhost:3306/keycloak_db?localSocket=/opt/lampp/var/mysql/mysql.sock db-username=root db-password=Hgjngfjnfs db-pool-initial-size=5 db-pool-min-idle=5 db-pool-max-size=25 db-pool-prefill=true http-enabled=true http-port=8080 proxy=reencrypt proxy-headers=xforwarded hostname=auth.holidaylandmark.com hostname-strict=true hostname-strict-backchannel=true cache=local health-enabled=true metrics-enabled=true log-level=INFO hostname-debug=false
1.2 Set Up Keycloak Admin User (First-Time Setup)
- Export the Environment Variables:
Run these commands to set up the admin credentials (use only for the first run):export KEYCLOAK_ADMIN=admin1 export KEYCLOAK_ADMIN_PASSWORD='Admin#1234' - Start Keycloak:
Run the following command to start Keycloak for the first time:bin/kc.sh start --optimizedAfter the first start, delete or unset the environment variables to avoid reusing them in production:unset KEYCLOAK_ADMIN unset KEYCLOAK_ADMIN_PASSWORD
Step 2: Configure Apache as Reverse Proxy
2.1 Edit Apache Virtual Host for HTTPS
- Edit the Apache Configuration:
Open your Apache virtual host configuration file (httpd-vhosts.conforextra/httpd-vhosts.conf):sudo nano /opt/lampp/etc/extra/httpd-vhosts.conf - Set Up SSL (HTTPS):
Add the following configuration to create a virtual host forauth.holidaylandmark.com:<VirtualHost *:443> ServerName auth.holidaylandmark.com # Enable SSL SSLEngine on SSLCertificateFile /opt/lampp/etc/certs/auth.holidaylandmark.com/auth.holidaylandmark.com.cer SSLCertificateKeyFile /opt/lampp/etc/certs/auth.holidaylandmark.com/auth.holidaylandmark.com.key # Proxy to Keycloak (HTTP :8080) ProxyRequests Off ProxyPass / http://127.0.0.1:8080/ ProxyPassReverse / http://127.0.0.1:8080/ # Forward client IP/Proto to Keycloak RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-Host "auth.holidaylandmark.com" RequestHeader set X-Forwarded-Port "443" # Optional: additional security headers Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" </VirtualHost> - Restart Apache:
After saving the file, restart Apache to apply changes:sudo /opt/lampp/lampp restartapache
Step 3: Start Keycloak in Production
- Build Keycloak for Production:
Keycloak should be started with the--optimizedflag in production, ensuring it’s properly configured for performance and security:bin/kc.sh start --optimized - Verify Keycloak:
Open a browser and visithttps://auth.holidaylandmark.comto ensure that Keycloak is accessible and properly configured. Log in using the admin credentials set earlier.
Step 4: Post-Setup Configuration
- Access Keycloak Admin Console:
Log into the Keycloak Admin Console at:https://auth.holidaylandmark.com/auth/admin - Create Clients, Realms, and Users:
Set up your clients, realms, and users via the Keycloak Admin Console. Customize the identity provider, authentication flows, and any other configuration necessary for your application.
Step 5: Verify and Test
- Verify HTTPS Works:
Ensure that your website is only accessible via HTTPS and not HTTP. If the HTTP port (80) is accessible, it is a potential security vulnerability. - Test Database Connectivity:
Ensure that Keycloak can connect to the MariaDB database (use a MySQL client to verify the database is operational). - Test Admin Login:
Use the admin credentials to access the Keycloak Admin Console and verify that everything is configured properly.
Full keycloak.conf Configuration:
# ===============================
# Keycloak Production Config
# Reverse-proxied by Apache (LAMPP)
# Hostname: auth.holidaylandmark.com
# ===============================
# -------------------------------
# Database (MariaDB / MySQL)
# -------------------------------
# Use MariaDB driver (works with MySQL too)
db=mariadb
# Use local UNIX socket via MariaDB driver
db-url=jdbc:mariadb://localhost:3306/keycloak_db?localSocket=/opt/lampp/var/mysql/mysql.sock
db-username=root
db-password=Hgjngfjnfs
# Connection Pool (tune as needed)
db-pool-initial-size=5
db-pool-min-idle=5
db-pool-max-size=25
db-pool-prefill=true
# -------------------------------
# HTTP / Proxy
# -------------------------------
# Keycloak listens on 0.0.0.0:8080 (no TLS here; Apache handles TLS)
http-enabled=true
http-port=8080
# Make Keycloak respect X-Forwarded-* from Apache
proxy=reencrypt
proxy-headers=xforwarded
# -------------------------------
# Hostname
# -------------------------------
hostname=auth.holidaylandmark.com
hostname-strict=true
hostname-strict-backchannel=true
# If you want admin console on same host (default):
# hostname-admin=auth.holidaylandmark.com
# Optional: if you serve Keycloak under a path, uncomment and adjust:
# http-relative-path=/auth
# -------------------------------
# Caching (single-node)
# -------------------------------
cache=local
# For multi-node, you'd configure Infinispan + a cluster stack instead.
# -------------------------------
# Health / Metrics
# -------------------------------
health-enabled=true
metrics-enabled=true
# -------------------------------
# Logging
# -------------------------------
log-level=INFO
# log-console-output=json
# -------------------------------
# Hardening & misc
# -------------------------------
# Disable verbose hostname debug
hostname-debug=false
# Prevent exposing server details
# quarkus.http.filter.hide-server-header=true
Troubleshooting Tips:
- Keycloak logs: Check logs for errors or warnings:
tail -f standalone/log/server.log - Apache logs: Check Apache error logs if something goes wrong with proxying:
tail -f /opt/lampp/logs/error_log
Conclusion
By following this guide, you’ll have a secure, reverse-proxied Keycloak setup running at https://auth.holidaylandmark.com in a production environment with Apache and MariaDB.
I’m Abhishek, a DevOps, SRE, DevSecOps, and Cloud expert with a passion for sharing knowledge and real-world experiences. I’ve had the opportunity to work with Cotocus and continue to contribute to multiple platforms where I share insights across different domains:
-
DevOps School – Tech blogs and tutorials
-
Holiday Landmark – Travel stories and guides
-
Stocks Mantra – Stock market strategies and tips
-
My Medic Plus – Health and fitness guidance
-
TrueReviewNow – Honest product reviews
-
Wizbrand – SEO and digital tools for businesses
I’m also exploring the fascinating world of Quantum Computing.