In this article are exposed some of the key concepts protecting a Keycloak RedHat SSO with a reverse proxy in production.
Protecting the keycloak server is crucial. Keycloak server should not be visible from the outside

1) Why adding a reverse proxy

The goal of the reverse proxy is to hide/mask off keycloak authentication server from the external (i.e the internet). It allow to protect efficiently a keycloak server deployment.

As a result, the end-user will only have access to the reverse proxy URL, and not the Keycloak UR

Some typical deployments :

Protecting Keycloak RedHat SSO with a Reverse Proxy
2) Architectural deployment example

A typical reverse proxy architecture can consist of the following elements:

  • 2 firewalls
  • DMZ
  • Reverse proxy
  • Keycloak server
  • private LAN
2.1) Role of the DMZ

It is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted network, usually a larger network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization’s network is firewalled. The DMZ functions as a small, isolated network positioned between the Internet and the private network and, if its design is effective, allows the organization extra time to detect and address breaches before they would further penetrate into the internal networks.

2.2) First firewall (internet – DMZ)
  • It sits between the internet and the DMZ
2.3) Second Firewall
  • it sits between the DMZ and a local LAN
2.4) Reverse Proxy – DMZ
  • It is located in the DMZ
  • It has access to the internet an forwards the requests to the keycloak Authentication server which is located on a private LAN
2.5) Keycloak authentication Server – LAN
  • It is located on a private network LAN
With such an architecture: Direct access to keycloak console should never be possible from the external it is not only possible to connect to the keycloak admin console locally (i.e from the private LAN)

Such an architecture prevents external intruders to get access to the keycloak admin console to access sensitive information (secret …)

3) HTTPS everywhere

Any outgoing or incoming traffic either to the web server reverse proxy or keycloak server should be encrypted with https

4) Reverse Proxy server used with Keycloak
  • 2 reverse Proxy engines are available with Keycloak:
    • Apache2
    • NGINX


Olivier Rivat

Senior Software Engineer with over 25 years of experience doing Software Development, Support and Consulting in Identity and Access Management Solutions.
Specialised in IAM (security, access control, identity management) and Open Source integration, settled in 2004 by IAM industry veteran, JANUA offers high value-added products and services to businesses and governements with a concern for Identity Management and Open Source components.
JANUA provides better security, build relationships, and enable new cloud, mobile, and IoT offerings from any device or connected thing.
Olivier Rivat

Les derniers articles par Olivier Rivat (tout voir)