diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 5e8c7a839b9dc11c67937e6b90504bf0cafa5e76..a5f25dd28b022f3558ceb8cc0c1b1a1588b5cbbe 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -52,15 +52,18 @@ listen opensearchserv
 tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/opensearches_whitelist.lst }
 listen keycloakserv
- bind *:12443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
- mode http
+ # Keycloak needs to receive and check client certificates, which is easier when it handles TLS itself - so we use TCP mode here
+ bind *:12443
+ mode tcp
 maxconn 5000
 fullconn 5000
 balance source
 option tcpka
- option httplog
+ option tcp-check
+ option tcplog
+ tcp-check connect port 8443
 {% for keycloakhost in groups['keycloakcontainers'] %}
- server {{keycloakhost}} {{keycloakhost}}:8443 ssl check verify none
+ server {{keycloakhost}} {{keycloakhost}}:8443 check
 {% endfor %}
 tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/keycloak_whitelist.lst }
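Review bot: With `mode tcp` and a plain `server ... :8443 check` line, Keycloak no longer sees the real client address — in the old `mode http` setup HAProxy could pass it in headers, but a TCP passthrough presents HAProxy's own IP to every backend unless the PROXY protocol is sent, so Keycloak's brute-force detection, admin event logs and any per-IP logic will see one source for all clients; the `tcp-request connection reject` whitelist at HAProxy still works because it evaluates `src` locally. If the real address matters, the server line becomes `server {{keycloakhost}} {{keycloakhost}}:8443 check send-proxy-v2` and Keycloak must be configured to accept the PROXY protocol on 8443 (outside this file; otherwise the handshake will fail). Separately, `tcp-check connect port 8443` only confirms the port accepts a TCP connection, not that the TLS endpoint is serving; `tcp-check connect port 8443 ssl` would exercise the handshake, though the server's verify settings then apply to the check as well. The `listen keycloakserv` section may continue past the end of this hunk.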