Skip to content

Cookie based Sticky Sessions for HAProxy with TLS reencrypt#751

Draft
pruivo wants to merge 8 commits intokeycloak:mainfrom
pruivo:t_750_haproxy_sticky_session
Draft

Cookie based Sticky Sessions for HAProxy with TLS reencrypt#751
pruivo wants to merge 8 commits intokeycloak:mainfrom
pruivo:t_750_haproxy_sticky_session

Conversation

@pruivo
Copy link
Copy Markdown
Member

@pruivo pruivo commented Apr 28, 2026

Closes #750
Depends on #749

tkyjovsk and others added 6 commits April 28, 2026 08:34
@tkyjovsk @pruivo
HAProxy re-encrypt (work in progress), self-signed certificates, no CA
be173c8 
Signed-off-by: Tomas Kyjovsky <[email protected]>
@tkyjovsk @pruivo
Addressing feedback: - removed cookies - moved "option forwarded" to …
d1c79e6 
…backend section and adding "host by by_port for" params

Signed-off-by: Tomas Kyjovsky <[email protected]>
@tkyjovsk @pruivo
Also delete x-forwarded-port and x-forwarded-server headers.
52e2b48 
Signed-off-by: Tomas Kyjovsky <[email protected]>
@tkyjovsk @pruivo
Add ci workflow job test-haproxy-reencrypt.
f937747 
Signed-off-by: Tomas Kyjovsky <[email protected]>
@tkyjovsk @pruivo
Enabling mTLS with a dedicated truststore on KC side.
a9d388a 
Signed-off-by: Tomas Kyjovsky <[email protected]>
@pruivo
Cookie based Sticky Sessions for HAProxy with TLS reencrypt
752610e 
Closes keycloak#750

Signed-off-by: Pedro Ruivo <[email protected]>
ahus1
ahus1 reviewed Apr 28, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@ahus1 ahus1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this PR. It doesn't look that ugly, it looks quite manageable. So we would include it by default, at least for the HAProxy setup?

See below for some nitbits.

Comment thread proxy/haproxy/reencrypt/README.md Outdated
Comment thread proxy/haproxy/reencrypt/README.md
@pruivo @ahus1
Update proxy/haproxy/reencrypt/README.md
705d022 
Co-authored-by: Alexander Schwartz <[email protected]>
Signed-off-by: Pedro Ruivo <[email protected]>
@pruivo
Copy link
Copy Markdown
Member Author

pruivo commented Apr 28, 2026

Thank you for this PR. It doesn't look that ugly, it looks quite manageable. So we would include it by default, at least for the HAProxy setup?

See below for some nitbits.

It can be included sure, but it looks messy and isn't maintainable. You can add a server dynamically, but not add new mappings, which may be a problem when scaling up and down the cluster.

@ahus1
Copy link
Copy Markdown
Member

ahus1 commented Apr 28, 2026

You can add a server dynamically, but not add new mappings, which may be a problem when scaling up and down the cluster.

OK, I didn't know about that one. Maybe add it to the README so I won't forget. Thanks!

@pruivo
Drawbacks
ff7c182 
Signed-off-by: Pedro Ruivo <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ahus1 ahus1 ahus1 left review comments

Assignees

@ahus1 ahus1

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Cookie based Sticky Sessions for HAProxy with TLS reencrypt

3 participants

@pruivo @ahus1 @tkyjovsk