I am setting up Keycloak, using the public container image in the Azure Container App service. In production, it is strongly encouraged to disable HTTP.
Depending on the environment variable KC_HTTP_ENABLED, Keycloak either listens to requests on port 8080:
Listening on: http://0.0.0.0:8080 and https://0.0.0.0:8443.
Management interface listening on https://0.0.0.0:9000.
... or doesn't.
Listening on: https://0.0.0.0:8443
Management interface listening on https://0.0.0.0:9000.
When I google the error, I seem to find results relevant to every other case except mine. What am I missing?
From the documentation:
Azure Container Apps uses the Envoy proxy as an edge HTTP proxy. Transport Layer Security (TLS) is terminated on the edge.
The Keycloak container is behind a termination proxy and will never receive any encrypted traffic from it. Attempting to send unencrypted data from the proxy to the container over port :8443 will correctly trigger a refusal. All incoming traffic should be routed to port :8080 in the Ingress settings of the Azure Container App.
The answer is no. Running Keycloak inside the ACA environment means HTTP should be left enabled.
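As an added illustration (not part of the question or the answer above), here is what the two configurations look like as an Azure Container Apps YAML spec: the failing one on the left sends Envoy's plaintext traffic to Keycloak's TLS listener, the working one routes it to 8080 with HTTP enabled. The image tag, hostname and the KC_PROXY_HEADERS setting (which tells Keycloak to trust Envoy's X-Forwarded-* headers so it builds https:// URLs) are assumptions, not values from the page.

```yaml
# Failing: ingress forwards plaintext to the TLS port, Keycloak refuses it.
properties:
  configuration:
    ingress:
      external: true
      targetPort: 8443          # wrong: Envoy terminated TLS already
  template:
    containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:26.0   # assumed tag
        env:
          - name: KC_HTTP_ENABLED
            value: "false"

---
# Working: plaintext hop from the edge proxy to the container on 8080.
properties:
  configuration:
    ingress:
      external: true
      targetPort: 8080          # Keycloak's HTTP listener
      transport: auto           # Envoy still serves HTTPS to clients
  template:
    containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:26.0   # assumed tag
        env:
          - name: KC_HTTP_ENABLED
            value: "true"
          - name: KC_PROXY_HEADERS   # assumed: needed so redirects use https
            value: "xforwarded"
          - name: KC_HOSTNAME        # assumed public hostname
            value: "auth.example.com"
```

The only plaintext segment is inside the Container Apps environment between Envoy and the container; clients still terminate TLS at the edge.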