Tags: https, keycloak, azure-container-apps

Is it possible to disable HTTP for a Keycloak instance in Azure Container Apps?


I am setting up Keycloak, using the public container image in the Azure Container App service. In production, it is strongly encouraged to disable HTTP.

Depending on the environment variable KC_HTTP_ENABLED, Keycloak either listens to requests on port 8080:

KC_HTTP_ENABLED=true

Listening on: http://0.0.0.0:8080 and https://0.0.0.0:8443.
Management interface listening on https://0.0.0.0:9000.

Target port is :8080 Success

... or doesn't.

KC_HTTP_ENABLED=false

Listening on: https://0.0.0.0:8443
Management interface listening on https://0.0.0.0:9000.

Target port is :8443 Error

When I google the error, I seem to find results relevant to every other case except mine. What am I missing?


Solution

  • From the documentation:

    Azure Container Apps uses the Envoy proxy as an edge HTTP proxy. Transport Layer Security (TLS) is terminated on the edge.

    The Keycloak container is behind a termination proxy and will never receive any encrypted traffic from it. Attempting to send unencrypted data from the proxy to the container over port :8443 will correctly trigger a refusal. All incoming traffic should be routed to port :8080 in the Ingress settings of the Azure Container App.

    The answer is no. Running Keycloak inside the ACA environment means HTTP should be left enabled.
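
The setup the answer describes, written as a Container Apps YAML fragment. This is an added example, not part of the original question or answer. The container name, the image tag placeholder and the `KC_PROXY_HEADERS` setting are assumptions: the last one presumes a Keycloak version that supports the `proxy-headers` option and relies on the ingress adding `X-Forwarded-*` headers.

```yaml
# Fragment only: keys not related to ingress or the Keycloak listener are omitted.
properties:
  configuration:
    ingress:
      external: true
      # Edge proxy -> container traffic is plain HTTP, so target Keycloak's
      # HTTP listener. Pointing this at 8443 fails, as in the question,
      # because the proxy does not speak TLS to the container.
      targetPort: 8080
      transport: auto
      # Keep plain HTTP closed on the public side: clients that connect over
      # HTTP are redirected to HTTPS at the edge, where TLS is terminated.
      allowInsecure: false
  template:
    containers:
      - name: keycloak                               # assumed name
        image: quay.io/keycloak/keycloak:<version>   # placeholder tag
        env:
          # Must stay enabled: this is the only listener the proxy can reach.
          - name: KC_HTTP_ENABLED
            value: "true"
          # Assumption: lets Keycloak read the scheme and host from the
          # X-Forwarded-* headers so generated URLs use https.
          - name: KC_PROXY_HEADERS
            value: "xforwarded"

# Configuration from the question that produced the error, for comparison:
#   ingress.targetPort: 8443
#   KC_HTTP_ENABLED: "false"
```

With `allowInsecure: false`, the unencrypted hop exists only between the edge proxy and the container inside the Container Apps environment; external clients still reach Keycloak over HTTPS only.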