Traefik v3 loadbalancer with keycloak

Hello,

Hi everyone,

I'm running into issues while load balancing an external web application (three backend URLs) through Traefik v3.
The application uses Keycloak for authentication, and most of the time the login process fails — users have to clear cookies and retry multiple times before it occasionally succeeds.

When I configure Traefik to use only one backend URL, everything works perfectly.
This makes me think the problem is related either to my load balancer configuration or session handling across nodes.

Here’s a simplified version of my dynamic configuration:

```yaml
tcp:
  routers:
    galera-cluster:
      entryPoints:
        - "galera"
      rule: "HostSNI(`*`)"
      service: "galera-cluster"

  services:
    galera-cluster:
      loadBalancer:
        servers:
          - address: "1.1.1.1:3306"
          - address: "2.2.2.2:3306"
          - address: "3.3.3.3:3306"

http:
  routers:
    proxmox-router:
      entryPoints:
        - "websecure"
      rule: "Host(`proxmox.foo.bar`)"
      service: "proxmox-router"
      tls:
        certResolver: "le"

  services:
    proxmox-router:
      loadBalancer:
        servers:
          - url: "https://x.foo.bar:8006"
          - url: "https://y.foo.bar:8006"
          - url: "https://z.foo.bar:8006"
```

How can I fix this?

This could be a session affinity/sticky sessions problem. Enable sticky sessions with cookies in Traefik (glossary).

When Keycloak authenticates users, it creates sessions on a specific backend server. Without sticky sessions, subsequent requests during the OAuth/OIDC flow might be routed to different backends that don't have the session data, causing authentication to fail.

The alternative is to use a shared session store like Redis between the application servers, but that needs to be supported by the target application and needs to be individually configured in every target application.
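The sticky-session suggestion above, applied to the `proxmox-router` service from the question. This is an added example, not part of either post; the cookie name `lb_affinity` is an assumption, and the fragment replaces only the `http.services` section of the dynamic configuration.

```yaml
http:
  services:
    proxmox-router:
      loadBalancer:
        # Pin each client to the backend that served its first request,
        # so every step of the login flow reaches the node holding the session.
        sticky:
          cookie:
            # Assumed name; when omitted, Traefik generates one.
            name: "lb_affinity"
            # Send the affinity cookie over HTTPS only
            # (the router in the question already terminates TLS).
            secure: true
            # Keep the cookie out of reach of page scripts.
            httpOnly: true
            # "lax" is still sent on the top-level GET redirect back from
            # Keycloak. A cross-site POST back to the application (for example
            # a form_post response mode) would not carry a "lax" cookie.
            sameSite: "lax"
        servers:
          - url: "https://x.foo.bar:8006"
          - url: "https://y.foo.bar:8006"
          - url: "https://z.foo.bar:8006"
```

After reloading, the first response through Traefik should carry a `Set-Cookie: lb_affinity=...` header, and later requests that present the cookie should stay on the same backend.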