13 changes: 13 additions & 0 deletions docs/guides/src/main/server/hostname.adoc
Expand Up @@ -64,6 +64,19 @@ To perform this action, you can override the hostname path to use the path defin
The `hostname-path` configuration takes effect when a reverse proxy is enabled.
For details, see the <@links.server id="reverseproxy"/> Guide.

== Accessing Keycloak in production mode using HTTP
When a `hostname` is set and the server is running in production mode, all the URLs generated by the server are going to use the `HTTPS` scheme. If you are not setting up TLS you might run into issues because some URLs generated by the server won't work.

Keycloak follows the "secure by design" principle, so it is absolutely not recommended to access Keycloak without proper transport encryption, as this opens up multiple attack vectors.

Nevertheless there are environments, where Keycloak is deployed behind a proxy/load balancer that terminates TLS completely and the internal requests are done using the unencrypted HTTP protocol.

To be able to work with Keycloak using HTTP for these environments, there is the hidden configuration option `hostname-strict-https=<true/false>`. This option is set to `true` by default for the production mode, and `false` for the development mode.

When you need to access Keycloak using HTTP in production mode, for example when you use `proxy=edge` and you want to access the administration console internally using HTTP, you have to set `hostname-strict-https=false`, otherwise a blank page will show up.

Keep in mind the recommended approach is to always use HTTPS, and this still is true for external clients.

== Using the hostname in development mode
You run Keycloak in development mode by using `start-dev`.
In this mode, the hostname setting is optional.
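Review bot: The paragraph introducing `hostname-strict-https=<true/false>` calls it a "hidden configuration option" but never says what the reader gives up by turning it off, and the following paragraph reports that "a blank page will show up" without tying that symptom to the cause. The section's first paragraph already says all generated URLs use the `HTTPS` scheme, so state explicitly whether the blank admin console is the result of those HTTPS URLs being served to an HTTP session; otherwise readers will flip the option without understanding it. In the second paragraph, "this opens up multiple attack vectors" is too vague for a security caveat: name at least the obvious consequence of plain HTTP (credentials and tokens readable on the network path). The closing sentence "and this still is true for external clients" should say plainly that external clients must still connect over HTTPS to the proxy and that `hostname-strict-https=false` is meant only for the internal hop behind a TLS-terminating proxy. Minor: drop the comma in "environments, where", and link to the reverse proxy guide next to the `proxy=edge` example, as the context lines above do with `<@links.server id="reverseproxy"/>`.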