From 2d98e7c99a293ade5ca25afbbe09ecae7638cde8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=A1clav=20Barto=C5=A1?= <bartos@cesnet.cz>
Date: Sun, 9 Oct 2022 17:34:49 +0200
Subject: [PATCH] fixed haproxy configuration for keycloak

---
 roles/haproxy/templates/haproxy.cfg.j2 | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 8a92792..efe53c1 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -52,15 +52,18 @@ listen odfeserv
 	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/odfe_whitelist.lst }
 	
 listen keycloakserv
-        bind *:12443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
-        mode http
+        # Keycloak needs to receive and check client certificates, which is easier when it handles TLS itself - so we use TCP mode here 
+        bind *:12443
+        mode tcp
         maxconn 5000
         fullconn 5000
         balance source
         option tcpka
-        option httplog
+        option tcp-check
+        option tcplog
+        tcp-check connect port 8443
 {% for keycloakhost in groups['keycloakcontainers'] %}
-	server {{keycloakhost}} {{keycloakhost}}:8443 ssl check verify none
+	server {{keycloakhost}} {{keycloakhost}}:8443 check
 {% endfor %}
 	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/keycloak_whitelist.lst }
 
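Review bot: The health check introduced by `option tcp-check` and `tcp-check connect port 8443` only confirms that a TCP connection can be opened, so a Keycloak node whose TLS listener is broken (expired or missing certificate, wrong key) would still be marked UP and receive client connections; `tcp-check connect port 8443 ssl` makes the check complete a TLS handshake before the server is considered healthy. Because `bind *:12443` is now a plain passthrough, any cipher or minimum-version policy HAProxy applied to this port through its bind defaults no longer covers it, and client-certificate enforcement rests entirely on Keycloak's own TLS configuration — worth stating in the comment on the first added line, which also carries trailing whitespace. If anything behind this listener relied on HAProxy-inserted forwarding headers for the client address, those disappear in tcp mode; `send-proxy` on the server line is the usual replacement, provided the backend is configured to accept the PROXY protocol. The `listen keycloakserv` section is fully inside the hunk, but the rest of the template is not visible here.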
-- 
GitLab