keycloak
diff --git a/‎2025/05/hitachi-case-study.html‎
Lines changed: 3 additions & 0 deletions b/‎2025/05/hitachi-case-study.html‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎extensions.html‎
Lines changed: 6 additions & 6 deletions b/‎extensions.html‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎nightly/server/haproxy-passthrough.html‎
Lines changed: 28 additions & 7 deletions b/‎nightly/server/haproxy-passthrough.html‎
Lines changed: 28 additions & 7 deletions
@@ -72,6 +72,9 @@
     <h1>Hitachi Keycloak case study published</h1>
     <p class="blog-date text-muted">May 19 2025 by Alexander Schwartz</p>
 
+    <div class="alert alert-warning" role="alert" data-nosnippet>
+    This post is more than one year old. The content within the blog post is likely to be out of date.
+    </div>
 
 <div class="paragraph">
 <p>Hitachi Ltd. uses Keycloak to make financial grade security easier.</p>
 
@@ -92,7 +92,7 @@ <h5 class="card-title">Adaptive Authentication</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span data-nosnippet>85 stars</span>
+                                        <span data-nosnippet>86 stars</span>
                                     </div>
                                 </div>
                         </div>
@@ -126,7 +126,7 @@ <h5 class="card-title">Apple Identity Provider</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span data-nosnippet>284 stars</span>
+                                        <span data-nosnippet>285 stars</span>
                                     </div>
                                 </div>
                         </div>
@@ -245,7 +245,7 @@ <h5 class="card-title">EDP Keycloak Operator</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span data-nosnippet>86 stars</span>
+                                        <span data-nosnippet>87 stars</span>
                                     </div>
                                 </div>
                         </div>
@@ -262,7 +262,7 @@ <h5 class="card-title">Event Listener Utilities</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span data-nosnippet>297 stars</span>
+                                        <span data-nosnippet>298 stars</span>
                                     </div>
                                 </div>
                         </div>
@@ -340,7 +340,7 @@ <h5 class="card-title">kcwarden - Keycloak Config Auditor</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span data-nosnippet>117 stars</span>
+                                        <span data-nosnippet>118 stars</span>
                                     </div>
                                 </div>
                         </div>
@@ -775,7 +775,7 @@ <h5 class="card-title">Terraform provider for Keycloak</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span data-nosnippet>924 stars</span>
+                                        <span data-nosnippet>925 stars</span>
                                     </div>
                                 </div>
                         </div>
 
@@ -118,7 +118,7 @@ <h1>HAProxy with TLS passthrough</h1>
 </div>
 </div>
 <div class="sect1">
-<h2 id="_haproxy_configuration"><a class="anchor" href="#_haproxy_configuration"></a>HAProxy configuration</h2>
+<h2 id="haproxy-configuration-passthrough"><a class="anchor" href="#haproxy-configuration-passthrough"></a>HAProxy configuration</h2>
 <div class="sectionbody">
 <div class="paragraph">
 <p>The following <code>haproxy.cfg</code> shows a configuration for TLS passthrough with two Keycloak backend servers.</p>
@@ -197,7 +197,7 @@ <h2 id="_haproxy_configuration"><a class="anchor" href="#_haproxy_configuration"
 <dd>
 <p>Enables the <a href="https://docs.haproxy.org/3.2/configuration.html#5.2-send-proxy-v2">PROXY protocol v2</a>.
 HAProxy prepends the original client IP address to the TCP connection so that Keycloak sees the real source IP instead of HAProxy&#8217;s address.
-This requires Keycloak to be configured with <code>--proxy-protocol-enabled=true</code> (see <a href="#keycloak-configuration">Keycloak configuration</a>).
+This requires Keycloak to be configured with <code>--proxy-protocol-enabled=true</code> (see <a href="#keycloak-configuration-haproxy-passthrough">Keycloak configuration</a>).
 Version 1 (<code>send-proxy</code>) is also supported.</p>
 </dd>
 <dt class="hdlist1"><code>check port 9000 check-ssl verify none</code></dt>
@@ -210,14 +210,14 @@ <h2 id="_haproxy_configuration"><a class="anchor" href="#_haproxy_configuration"
 <dd>
 <p>Configures the <a href="https://docs.haproxy.org/3.2/configuration.html#5.2-inter">health check frequency</a>:
 poll every 5 seconds, mark a server as down after 3 consecutive failures, and mark it as up again after 2 consecutive successes.
-These values affect how quickly HAProxy detects that a Keycloak instance is shutting down (see <a href="#graceful-shutdown-considerations">Graceful shutdown considerations</a>).</p>
+These values affect how quickly HAProxy detects that a Keycloak instance is shutting down (see <a href="#graceful-shutdown-considerations-haproxy-passthrough">Graceful shutdown considerations</a>).</p>
 </dd>
 </dl>
 </div>
 </div>
 </div>
 <div class="sect1">
-<h2 id="keycloak-configuration"><a class="anchor" href="#keycloak-configuration"></a>Keycloak configuration</h2>
+<h2 id="keycloak-configuration-haproxy-passthrough"><a class="anchor" href="#keycloak-configuration-haproxy-passthrough"></a>Keycloak configuration</h2>
 <div class="sectionbody">
 <div class="paragraph">
 <p>With TLS passthrough, Keycloak requires the following configuration:</p>
@@ -250,16 +250,16 @@ <h2 id="keycloak-configuration"><a class="anchor" href="#keycloak-configuration"
 </div>
 </div>
 <div class="sect1">
-<h2 id="graceful-shutdown-considerations"><a class="anchor" href="#graceful-shutdown-considerations"></a>Graceful shutdown considerations</h2>
+<h2 id="graceful-shutdown-considerations-haproxy-passthrough"><a class="anchor" href="#graceful-shutdown-considerations-haproxy-passthrough"></a>Graceful shutdown considerations</h2>
 <div class="sectionbody">
 <div class="paragraph">
 <p>With TLS passthrough, HAProxy cannot signal a connection close at the HTTP level.
-The health check timing directly determines how long it takes HAProxy to detect that a Keycloak instance is shutting down and stop routing new connections to it.</p>
+The HAProxy health check settings determine how long it takes for the proxy to detect that a Keycloak instance is shutting down and that connections should no longer be routed to it.</p>
 </div>
 <div class="paragraph">
 <p>With the health check settings from the configuration above (<code>inter 5s fall 3</code>), it takes up to 15 seconds (3 failures x 5-second interval) for HAProxy to mark a Keycloak instance as down.
 During this period, Keycloak must remain running to serve in-flight requests.
-Therefore, configure the <code>--shutdown-delay</code> to be at least as long as the detection time:</p>
+Therefore, you need to configure the <code>--shutdown-delay</code> to be at least as long as the detection time:</p>
 </div>
 <div class="listingblock">
 <div class="content">
@@ -290,6 +290,27 @@ <h2 id="_relevant_options"><a class="anchor" href="#_relevant_options"></a>Relev
 <tbody>
 <tr>
 <td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
+<p><span class="options-key"><code>shutdown-delay</code></span></p>
+</div>
+<div class="paragraph">
+<p><span class="options-description">Length of the pre-shutdown phase during which the server prepares for shutdown.</span></p>
+</div>
+<div class="openblock options-extended">
+<div class="content">
+<div class="paragraph">
+<p><span class="options-description-extended">May be an ISO 8601 duration value, an integer number of seconds, or an integer followed by one of [ms, h, m, s, d]. This period allows for loadbalancer reconfiguration and draining of TLS/HTTP keepalive connections.</span></p>
+</div>
+<div class="paragraph">
+<p><strong>CLI:</strong> <code>--shutdown-delay</code><br>
+<strong>Env:</strong> <code>KC_SHUTDOWN_DELAY</code></p>
+</div>
+</div>
+</div></div></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><em>String</em></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>1s</code></p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
 <p><span class="options-key"><code>health-enabled</code></span> <span class="none"><span class="icon options-build"><i class="fa fa-tools"></i></span></span></p>
 </div>
 <div class="paragraph">