Reverse proxy from NGINX to Keycloak with 2FA

Joncheski nginx-forum at
Thu May 3 11:42:01 UTC 2018

Hi Francis,

Thanks for your reply.

I have tried the TCP port forwarder ("stream"), but my host is changed to
the client's URL, which sends me directly to Keycloak. I do not want to have
direct access to Keycloak, so I use a proxy.

Keycloak has been configured to verify a client certificate whose CN must be
identical to the username you enter; normally it has a keystore and
truststore installed to check by whom it was issued and signed (which is
associated with a Key Management System for whether it is invalid or revoked).

I have done it, and NGINX can check the client certificate (I added these
things: ssl_client_certificate path-of-root-ca, and ssl_verify_client on) for
whether it has been issued and signed by my PKI Key Management System, but
the problem is that the user can submit a certificate from one user and then
authenticate in Keycloak as another. I want to stop this, so that I have
full 2FA. Keycloak is the only one that can check it.

I want to ask you, can the client certificate that is attached to NGINX
through the ssl_verify_client option be forwarded to Keycloak?

Best regards,
Goce Joncheski

Posted at Nginx Forum:,279549,279663#msg-279663
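The set-up the post describes (NGINX verifying the client certificate against the PKI root and proxying to Keycloak), extended with the header forwarding the poster asks about. This is an added example, not configuration from the original post or from the NGINX or Keycloak projects; the hostnames, ports and file paths are assumptions for illustration.

```nginx
# Added example (not from the original post): NGINX terminates the
# client-certificate (mTLS) handshake itself and then hands the verified
# certificate to Keycloak in a request header, so Keycloak can bind the
# certificate CN to the typed username without being reached directly.
# Hostnames, ports and paths below are assumptions for illustration.
server {
    listen 443 ssl;
    server_name sso.example.com;                      # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt;    # assumed path
    ssl_certificate_key /etc/nginx/tls/server.key;    # assumed path

    # The two directives from the post: accept only certificates that
    # chain to our own PKI root, and fail the handshake otherwise.
    ssl_client_certificate /etc/nginx/tls/pki-root-ca.pem;   # assumed path
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        proxy_pass https://keycloak.internal:8443;    # assumed upstream

        # Forward the PEM certificate NGINX has just verified.
        # $ssl_client_escaped_cert is the URL-encoded PEM (nginx >= 1.13.5).
        # proxy_set_header REPLACES any header of the same name sent by the
        # browser, so a client cannot smuggle in its own copy of the header.
        proxy_set_header ssl-client-cert   $ssl_client_escaped_cert;
        # "SUCCESS" whenever the handshake passed ssl_verify_client on.
        proxy_set_header ssl-client-verify $ssl_client_verify;

        # Usual reverse-proxy headers so Keycloak builds correct redirect URLs.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Keycloak then has to be told to take the certificate from that header instead of from its own TLS connection; its X.509 authenticator has a reverse-proxy lookup mode for this, and the header name is a Keycloak-side setting (the name used above is the one Keycloak's NGINX certificate-lookup provider expects by default; check the version you run). The CN-equals-username check stays in Keycloak, which is what the post wants. Because Keycloak trusts whatever arrives in that header, the poster's existing requirement that Keycloak is reachable only through the proxy becomes security-critical: restrict the upstream port so that only the NGINX host can connect to it.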
