Articles on: Getting Started

Use a reverse-proxy in front of a Cloud-IAM's Keycloak deployment

In some cases, the requirement to filter, redirect or customize some requests to Keycloak requires the customer to pass every requests through an active server (e.g. Nginx, Traefik, Envoy, Kong, Gravitee, ...) that acts as a reverse proxy.

In this article, we will assume that the domain my-custom.domain.tld will serve requests from the deployment

Reverse proxy

In this case, there is no need to declare a custom domain in Cloud-IAM console.

Here is a simplified version of the Nginx configuration server that will handle requests on my-custom.domain.tld.

server {

    server_name my-custom.domain.tld;

    ssl_certificate /etc/.../certificate.crt;
    ssl_certificate_key /etc/.../privkey.pem;

    upstream api {
        keepalive 38;

    location / {
        proxy_pass https://api/;

In this case, the server is added between the end-user and the Cloud-IAM cluster.
As all the traffic passes through this server, this should be replicated horizontally and reliable.

The TLS certificate for my-custom.domain.tld must be configured and renewed by the customer.

The requests are still TLS encrypted end-to-end.

However, as all the traffic is emitted by the proxy server in a Cloud-IAM point of view, this can lead to rate-limiting. Learn more about Quotas and Rate limits.

How to setup a custom domain
How to setup a CDN

Updated on: 06/05/2022

Was this article helpful?

Share your feedback


Thank you!