diff --git a/docs/guides/getting-started/templates/start-keycloak-localhost.adoc b/docs/guides/getting-started/templates/start-keycloak-localhost.adoc index ad13835b6a3..c8e49b02cad 100644 --- a/docs/guides/getting-started/templates/start-keycloak-localhost.adoc +++ b/docs/guides/getting-started/templates/start-keycloak-localhost.adoc @@ -19,3 +19,5 @@ bin\kc.bat start-dev Using the `start-dev` option, you are starting {project_name} in development mode. In this mode, you can try out {project_name} for the first time to get it up and running quickly. This mode offers convenient defaults for developers, such as for developing a new {project_name} theme. +WARNING: By default, {project_name} in development mode binds to all network addresses (`0.0.0.0`). This means your {project_name} instance may be accessible from other machines on your network, not just from your local machine. If you want to restrict access to localhost only, you can start the server with `--http-host=127.0.0.1`. + diff --git a/docs/guides/server/configuration.adoc b/docs/guides/server/configuration.adoc index ffe4f25be2f..09170d055b0 100644 --- a/docs/guides/server/configuration.adoc +++ b/docs/guides/server/configuration.adoc @@ -186,6 +186,9 @@ You can start {project_name} in `development mode` or `production mode`. Each mo === Starting {project_name} in development mode Use development mode to try out {project_name} for the first time to get it up and running quickly. This mode offers convenient defaults for developers, such as for developing a new {project_name} theme. +[NOTE] +By default, when you start {project_name} in development mode, the server binds to all network addresses (`0.0.0.0`). This means your instance may be accessible from other machines on your network. If you want to restrict access to your local machine only, you can use the option `--http-host=127.0.0.1` when starting the server. + To start in development mode, enter the following command: <@kc.startdev parameters=""/> 
diff --git a/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java b/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java index 92f8e8a6304..f515a7e224d 100644 --- a/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java +++ b/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java @@ -18,7 +18,7 @@ public class HttpOptions { public static final Option HTTP_HOST = new OptionBuilder<>("http-host", String.class) .category(OptionCategory.HTTP) - .description("The HTTP Host.") + .description("The HTTP Host. By default, Keycloak binds to all network addresses (0.0.0.0), which means the server may be accessible from other machines on your network. For local development, you can restrict access to localhost only by setting this to 127.0.0.1.") .defaultValue("0.0.0.0") .build(); diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt index cb554bfd6aa..178db7e1807 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt 
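Review bot: The new `.description(...)` text on `HTTP_HOST` only documents the exposure; `.defaultValue("0.0.0.0")` on the following line is unchanged, so a server started with `start-dev` still listens on every interface unless the user passes `--http-host`. Because the same string is rendered in the help of every command (the `start`, `start --optimized` and `update-compatibility` snapshots in this commit change as well), the phrase "For local development" is out of place in production help; a mode-neutral wording such as `.description("The HTTP host (bind address). The default 0.0.0.0 listens on all network interfaces; set 127.0.0.1 to accept connections from the local machine only.")` would be shorter and accurate everywhere. If the safer behaviour is wanted rather than a warning, a loopback default for development mode or a startup log line when the bind address is `0.0.0.0` would be worth a follow-up; whether the option builder supports a per-mode default is not visible here. The enclosing class `HttpOptions` starts and ends outside the hunk.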
@@ -228,7 +228,10 @@ HTTP(S): Enables the HTTP listener. Enabled by default in development mode. Typically not enabled in production unless the server is fronted by a TLS termination proxy. Default: false. ---http-host The HTTP Host. Default: 0.0.0.0. +--http-host The HTTP Host. By default, Keycloak binds to all network addresses (0.0.0.0), + which means the server may be accessible from other machines on your + network. For local development, you can restrict access to localhost only by + setting this to 127.0.0.1. Default: 0.0.0.0. --http-max-queued-requests Maximum number of queued HTTP requests. Use this to shed load in an overload situation. Excess requests will return a "503 Server not Available" response. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt index 8794fa629e9..f7215ae92ad 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt 
@@ -298,7 +298,10 @@ HTTP(S): Enables the HTTP listener. Enabled by default in development mode. Typically not enabled in production unless the server is fronted by a TLS termination proxy. Default: false. ---http-host The HTTP Host. Default: 0.0.0.0. +--http-host The HTTP Host. By default, Keycloak binds to all network addresses (0.0.0.0), + which means the server may be accessible from other machines on your + network. For local development, you can restrict access to localhost only by + setting this to 127.0.0.1. Default: 0.0.0.0. --http-max-queued-requests Maximum number of queued HTTP requests. Use this to shed load in an overload situation. Excess requests will return a "503 Server not Available" response. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt index b77a730908c..a72236780b8 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt 
@@ -276,7 +276,10 @@ HTTP(S): Enables the HTTP listener. Enabled by default in development mode. Typically not enabled in production unless the server is fronted by a TLS termination proxy. Default: false. ---http-host The HTTP Host. Default: 0.0.0.0. +--http-host The HTTP Host. By default, Keycloak binds to all network addresses (0.0.0.0), + which means the server may be accessible from other machines on your + network. For local development, you can restrict access to localhost only by + setting this to 127.0.0.1. Default: 0.0.0.0. --http-max-queued-requests Maximum number of queued HTTP requests. Use this to shed load in an overload situation. Excess requests will return a "503 Server not Available" response. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt index bdc5b15eca5..64a0fbe80f7 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt 
@@ -299,7 +299,10 @@ HTTP(S): Enables the HTTP listener. Enabled by default in development mode. Typically not enabled in production unless the server is fronted by a TLS termination proxy. Default: false. ---http-host The HTTP Host. Default: 0.0.0.0. +--http-host The HTTP Host. By default, Keycloak binds to all network addresses (0.0.0.0), + which means the server may be accessible from other machines on your + network. For local development, you can restrict access to localhost only by + setting this to 127.0.0.1. Default: 0.0.0.0. --http-max-queued-requests Maximum number of queued HTTP requests. Use this to shed load in an overload situation. Excess requests will return a "503 Server not Available" response. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt index 221b12ea5f1..0c957b265a9 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt 
@@ -244,7 +244,10 @@ HTTP(S): Enables the HTTP listener. Enabled by default in development mode. Typically not enabled in production unless the server is fronted by a TLS termination proxy. Default: false. ---http-host The HTTP Host. Default: 0.0.0.0. +--http-host The HTTP Host. By default, Keycloak binds to all network addresses (0.0.0.0), + which means the server may be accessible from other machines on your + network. For local development, you can restrict access to localhost only by + setting this to 127.0.0.1. Default: 0.0.0.0. --http-max-queued-requests Maximum number of queued HTTP requests. Use this to shed load in an overload situation. Excess requests will return a "503 Server not Available" response. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt index 854d2419225..8bb275b6d4a 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt 
@@ -267,7 +267,10 @@ HTTP(S): Enables the HTTP listener. Enabled by default in development mode. Typically not enabled in production unless the server is fronted by a TLS termination proxy. Default: false. ---http-host The HTTP Host. Default: 0.0.0.0. +--http-host The HTTP Host. By default, Keycloak binds to all network addresses (0.0.0.0), + which means the server may be accessible from other machines on your + network. For local development, you can restrict access to localhost only by + setting this to 127.0.0.1. Default: 0.0.0.0. --http-max-queued-requests Maximum number of queued HTTP requests. Use this to shed load in an overload situation. Excess requests will return a "503 Server not Available" response. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelp.approved.txt index 1cf75dd6e2c..6ac6a501481 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelp.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelp.approved.txt 
@@ -275,7 +275,10 @@ HTTP(S): Enables the HTTP listener. Enabled by default in development mode. Typically not enabled in production unless the server is fronted by a TLS termination proxy. Default: false. ---http-host The HTTP Host. Default: 0.0.0.0. +--http-host The HTTP Host. By default, Keycloak binds to all network addresses (0.0.0.0), + which means the server may be accessible from other machines on your + network. For local development, you can restrict access to localhost only by + setting this to 127.0.0.1. Default: 0.0.0.0. --http-max-queued-requests Maximum number of queued HTTP requests. Use this to shed load in an overload situation. Excess requests will return a "503 Server not Available" response. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelpAll.approved.txt index 94a4c2d6d80..b43e9bab26d 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelpAll.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelpAll.approved.txt 
@@ -298,7 +298,10 @@ HTTP(S): Enables the HTTP listener. Enabled by default in development mode. Typically not enabled in production unless the server is fronted by a TLS termination proxy. Default: false. ---http-host The HTTP Host. Default: 0.0.0.0. +--http-host The HTTP Host. By default, Keycloak binds to all network addresses (0.0.0.0), + which means the server may be accessible from other machines on your + network. For local development, you can restrict access to localhost only by + setting this to 127.0.0.1. Default: 0.0.0.0. --http-max-queued-requests Maximum number of queued HTTP requests. Use this to shed load in an overload situation. Excess requests will return a "503 Server not Available" response. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelp.approved.txt index dcea06ff949..7f9aaac86a6 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelp.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelp.approved.txt 
@@ -273,7 +273,10 @@ HTTP(S): Enables the HTTP listener. Enabled by default in development mode. Typically not enabled in production unless the server is fronted by a TLS termination proxy. Default: false. ---http-host The HTTP Host. Default: 0.0.0.0. +--http-host The HTTP Host. By default, Keycloak binds to all network addresses (0.0.0.0), + which means the server may be accessible from other machines on your + network. For local development, you can restrict access to localhost only by + setting this to 127.0.0.1. Default: 0.0.0.0. --http-max-queued-requests Maximum number of queued HTTP requests. Use this to shed load in an overload situation. Excess requests will return a "503 Server not Available" response. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelpAll.approved.txt index 479ece4aa5d..0db6342d53a 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelpAll.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelpAll.approved.txt 
@@ -296,7 +296,10 @@ HTTP(S): Enables the HTTP listener. Enabled by default in development mode. Typically not enabled in production unless the server is fronted by a TLS termination proxy. Default: false. ---http-host The HTTP Host. Default: 0.0.0.0. +--http-host The HTTP Host. By default, Keycloak binds to all network addresses (0.0.0.0), + which means the server may be accessible from other machines on your + network. For local development, you can restrict access to localhost only by + setting this to 127.0.0.1. Default: 0.0.0.0. --http-max-queued-requests Maximum number of queued HTTP requests. Use this to shed load in an overload situation. Excess requests will return a "503 Server not Available" response.