Common problems with Keycloak: Why Keycloak needs a reverse proxy

Welcome back to our blog series “Common problems with Keycloak”. In today’s article, the third in our series, we look at an essential security aspect that is often overlooked: the use of a reverse proxy or load balancer to protect your Keycloak instance.

Reading time: 3 minutes


Reverse proxy: an indispensable protective shield for Keycloak

In today’s digital world, it is essential to make our digital locks as robust as possible. Keycloak, as the key manager of your application, deserves special protection. This is where the reverse proxy comes in – an indispensable ally in securing your fortress.

The advantages of reverse proxies for Keycloak

Using a reverse proxy is not just a precautionary measure. It is a smart strategy to prevent direct attacks by hackers or malware on your application. The moment we expose Keycloak directly to the internet, we open the gates to unwanted guests. The reverse proxy acts as an invisible protective wall that keeps your applications safely hidden.

Apache or Nginx are not only the first choice of many IT experts because of their popularity as reverse proxies. They are also popular because of the control and flexibility they offer in terms of security settings. Instead of making various security settings directly in Keycloak or its substructure, the Quarkus server, the reverse proxy enables centralised, efficient and less complex management of these settings.

The advantages at a glance:

  • Separation of responsibilities: Building a modular architecture by using a reverse proxy reduces the complexity of the IT infrastructure. This allows you to draw a clear line between the different areas of responsibility.
  • TLS protection of the connection: The reverse proxy encrypts all communication and enormously simplifies certificate management, e.g. through Let’s Encrypt.
  • Protection against vulnerabilities: The reverse proxy secures Keycloak against common vulnerabilities, such as “Host Header Injection”.
  • Improved protection of the admin console: By redirecting to unknown paths or ports, restricting authorised IP addresses or setting up an additional authentication level, Keycloak’s admin console is made even more secure.
  • Integration of a web application firewall (WAF): The addition of Modsecurity with the OWASP Core Rule Set (CRS) offers a further robust layer of protection against attacks.


In today’s blog post, we have learnt that the reverse proxy is far more than just a precautionary measure. It is a basis for secure IT systems and not only secures Keycloak from the outside, but also simplifies administrative handling. It also serves as a protective shield that covers the most common security requirements and thus protects your digital presence.

Our aim is to provide you not only with the tools, but also the knowledge you need to navigate the world of IT security with confidence. Integrating a reverse proxy may seem challenging at first, but we’re here to support you every step of the way. And as always, if you have any questions or queries, we’re only a contact request away!



Weitere interessante Beiträge

WordPress development von WordPress agency aceArt.