From 7a8d38eae37bc3b68776a1fe8c0a6d0c9fefeee4 Mon Sep 17 00:00:00 2001 From: Dominik Guhr Date: Fri, 6 May 2022 11:59:55 +0200 Subject: [PATCH] Adjust docs to reflect what was discussed in #11856 Closes #11579 --- docs/guides/src/main/server/hostname.adoc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/guides/src/main/server/hostname.adoc b/docs/guides/src/main/server/hostname.adoc index 7d0ee81f258..e45e04a039b 100644 --- a/docs/guides/src/main/server/hostname.adoc +++ b/docs/guides/src/main/server/hostname.adoc @@ -64,6 +64,17 @@ To perform this action, you can override the hostname path to use the path defin The `hostname-path` configuration takes effect when a reverse proxy is enabled. For details, see the <@links.server id="reverseproxy"/> Guide. +== Accessing Keycloak in production mode using HTTP +Keycloak follows the "secure by design" principle, so it is absolutely not recommmended to access Keycloak without proper transport encryption, as this opens up multiple attack vectors. + +Nevertheless there are environments, where Keycloak is deployed behind a proxy/load balancer that terminates TLS completely and the internal requests are done using the unencrypted HTTP protocol. + +To be able to work with Keycloak using HTTP for these environments, there is the hidden configuration option `hostname-strict-https=`. This option is set to `true` by default for the production mode, and `false` for the development mode. + +When you need to access Keycloak using HTTP in production mode, for example when you use `proxy=edge` and you want to access the administration console internally using HTTP, you have to set `hostname-strict-https=false`, otherwise a blank page will show up. + +Keep in mind the recommended approach is to always use HTTPS, and this still is true for external clients. + == Using the hostname in development mode You run Keycloak in development mode by using `start-dev`. In this mode, the hostname setting is optional.
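Review bot: The new section has a typo and an incomplete option reference that will confuse readers: "recommmended" should be "recommended", and `hostname-strict-https=` is shown with a dangling `=` and no value, so the sentence introducing the option should read something like "there is the hidden configuration option `hostname-strict-https`" (the later `hostname-strict-https=false` is fine as a concrete setting). Also consider removing the comma in "there are environments, where Keycloak is deployed" and tightening the security framing: the section should state plainly that `hostname-strict-https=false` only disables the HTTPS requirement for the hostname checks and does nothing to protect the plaintext hop between the proxy and Keycloak, so the operator is responsible for keeping that internal network isolated and for keeping `proxy=edge` paired with a proxy that actually terminates TLS and forwards `X-Forwarded-*` headers. Finally, since the text calls the option "hidden", it would help to say whether it is intentionally undocumented elsewhere or simply omitted from `--help`, so readers know where to expect it in future releases.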