
I have to run Keycloak 19.0 in Docker behind an nginx reverse proxy:

  • request -> https (nginx) -> http (keycloak)

but the admin console does not load (URL: https://keycloak.xxx/admin/master/console/).

In the Chrome console we can read this error: crbug/1173575, non-JS module files deprecated.

Dockerfile

# Stage 1 (builder): set build-time options, add the metrics provider, run `kc.sh build`.
FROM quay.io/keycloak/keycloak:19.0 as builder

# Health and metrics endpoints are enabled here. The nginx config on this page proxies
# every path to Keycloak, so these endpoints are presumably reachable from outside as
# well; restrict them at the proxy if that is not intended.
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
ENV KC_DB=postgres
# no need to activate preview feature:
# ENV KC_FEATURES=token-exchange
# ENV KC_FEATURES=admin2

# Install custom providers
# NOTE(review): the line below is clipped at the trailing '>' in the original post.
# No checksum or signature check of the downloaded jar is visible in the part shown;
# a provider jar runs inside the identity server, so pin and verify its digest.
RUN curl -sL https://github.com/aerogear/keycloak-metrics-spi/releases/download/2.5.3/keycloak-metrics-spi-2.5.3.jar -o /opt/keycloak/providers/keycloak-metr>

# Copy custom themes and plugins
# COPY /providers/*.jar providers/

RUN /opt/keycloak/bin/kc.sh build

# Stage 2 (runtime): fresh base image that receives the built /opt/keycloak tree.
FROM quay.io/keycloak/keycloak:19.0

# NOTE(review): these copy nginx files into the Keycloak image; nothing in this
# Dockerfile starts nginx, so they look unused here - confirm.
COPY ./configs/nginx.conf /etc/nginx/nginx.conf
COPY ./configs/index.html /usr/share/nginx/html

COPY --from=builder /opt/keycloak/ /opt/keycloak/
WORKDIR /opt/keycloak

# ARGs
# NOTE(review): every ARG below is copied into an ENV further down, so whatever is
# passed at build time (including KC_DB_PASSWORD and KEYCLOAK_ADMIN_PASSWORD) is stored
# in the image configuration and readable by anyone who can pull or inspect the image.
# Prefer supplying these only at container start (env file or a secrets mechanism).

ARG KC_DB_URL
ARG KC_DB_SCHEMA
ARG KC_DB_USERNAME
ARG KC_DB_PASSWORD

ARG KC_HOSTNAME
ARG KC_PROXY

ARG KEYCLOAK_ADMIN
ARG KEYCLOAK_ADMIN_PASSWORD

# ENVs from ARGs
# If a build arg is not provided, the matching ENV is set to an empty string in the image;
# values given at container start (for example through env_file) override these.

ENV KC_DB_URL=$KC_DB_URL
ENV KC_DB_SCHEMA=$KC_DB_SCHEMA
ENV KC_DB_USERNAME=$KC_DB_USERNAME
ENV KC_DB_PASSWORD=$KC_DB_PASSWORD


ENV KC_HOSTNAME=$KC_HOSTNAME
ENV KC_PROXY=$KC_PROXY
# Both strict-hostname checks are switched off and the plain-HTTP listener is enabled.
# With hostname strictness off, Keycloak can derive URLs from request headers, so the
# HTTP port must only be reachable through the trusted reverse proxy.
ENV KC_HOSTNAME_STRICT_HTTPS=false
ENV KC_HOSTNAME_STRICT=false
ENV KC_HTTP_ENABLED=true

ENV KEYCLOAK_ADMIN=$KEYCLOAK_ADMIN
ENV KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD

# `--optimized` starts from the configuration produced by `kc.sh build` in the builder stage.
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start", "--optimized"]

docker-compose.yml

# Compose project: a Postgres database plus a custom-built Keycloak image, joined to an
# externally managed network shared with the nginx reverse proxy.
services:

  postgres:
    # No tag is given, so this resolves to postgres:latest; pin a version for
    # reproducible deployments.
    image: postgres
    container_name: keycloak-postgres
    restart: always
    env_file:
      - ./env/postgres.env
    volumes:
      - type: volume
        source: keycloak-postgres-data
        target: /var/lib/postgresql/data
        read_only: false
        volume:
          nocopy: true
    # NOTE(review): publishes the database on host port 5433 on all host interfaces.
    # Keycloak reaches it as postgres:5432 over keycloak-backend, so this mapping is
    # only needed for access from outside Docker; with the postgres/postgres
    # credentials shown on this page it should be removed or bound to 127.0.0.1.
    ports:
      - 5433:5432
    networks:
      - keycloak-backend

  keycloak-service:
    depends_on:
      - postgres
    build:
      context: .
      dockerfile: Dockerfile
      # List-form args without a value are taken from the environment of the shell
      # running compose, not from env_file below - presumably empty at build time
      # unless exported; verify. Any value that is passed is stored in the image.
      args:
        - KC_DB_URL
        - KC_DB_SCHEMA
        - KC_DB_USERNAME
        - KC_DB_PASSWORD
        - KC_HOSTNAME
        - KC_PROXY
        - KEYCLOAK_ADMIN
        - KEYCLOAK_ADMIN_PASSWORD

    image: custom.keycloak:19.0
    container_name: keycloak-service
    restart: always
    env_file:
      - ./env/keycloak.env
    # NOTE(review): publishes Keycloak's plain-HTTP port on host port 8081, which
    # bypasses the TLS-terminating nginx. nginx reaches the container as
    # keycloak-service:8080 over the shared network, so this mapping is not needed
    # for the proxy path. With KC_PROXY=edge Keycloak trusts X-Forwarded-* headers,
    # so direct clients on 8081 could supply their own.
    ports:
      - 8081:8080
    networks:
      - reverse-proxy-nginx
      - keycloak-backend

networks:
  # Pre-existing network owned by the reverse proxy stack.
  # NOTE(review): the nested `external: name:` form is the older syntax; newer
  # Compose versions expect `external: true` plus `name:` - confirm for your version.
  reverse-proxy-nginx:
    external:
      name: reverse-proxy-nginx
  keycloak-backend:
    name: keycloak-backend

volumes:
  # External volume: must exist before `up`; compose will not create it.
  keycloak-postgres-data:
    external: true
    name: keycloak-postgres-data

environment variables postgres

# Environment for the postgres container (./env/postgres.env).
# NOTE(review): user and password are both "postgres"; together with the published
# port 5433 in the compose file this is a guessable credential on a reachable
# service. Use a generated password and keep this file out of version control.
POSTGRES_DB=keycloak
POSTGRES_USER=postgres
POSTGRES_PASSWORD=postgres
# NOTE(review): not a variable I can tie to the official postgres image - confirm it is needed.
IGNORE_INIT_HOOK_LOCKFILE=true

environment variables keycloak

# Runtime environment for the keycloak container (./env/keycloak.env).
# NOTE(review): depending on the Compose version, the double quotes in env_file values
# may be kept as part of the value - verify how KC_DB_URL and KC_HOSTNAME arrive.
KC_DB_URL="jdbc:postgresql://postgres:5432/keycloak"
KC_DB_SCHEMA=public
# Same postgres/postgres credential as the database env file; replace with a
# dedicated, generated credential.
KC_DB_USERNAME=postgres
KC_DB_PASSWORD=postgres

# This is the Docker-internal service name, not the public host (keycloak.xxx) that the
# browser uses; Keycloak builds the URLs it hands to the browser from its hostname setting.
KC_HOSTNAME="keycloak-service"
# edge: TLS ends at the proxy and Keycloak trusts the forwarded headers it receives,
# so only the proxy should be able to reach Keycloak's HTTP port.
KC_PROXY=edge

# Initial admin account with admin/admin - a default credential on an identity
# provider; set a strong password before exposing the console.
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=admin

#important for reverse proxy
# NOTE(review): the variables below use the naming of the older WildFly-based Keycloak
# image; the 19.0 (Quarkus) image is configured through the KC_* variables above, so
# these are presumably ignored - confirm. They also repeat the database password.
PROXY_ADDRESS_FORWARDING=true
DB_VENDOR=POSTGRES
DB_ADDR=postgres
DB_PORT=5432
DB_DATABASE=keycloak
DB_USER=postgres
DB_PASSWORD=postgres

nginx

# Port 80: serve ACME HTTP-01 challenges from disk, redirect everything else to HTTPS.
server {
    listen 80;
    server_name keycloak.xxx;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://keycloak.xxx$request_uri;
    }
}

# Port 443: terminate TLS and forward all paths to Keycloak over plain HTTP.
server {
    listen 443 ssl;
    server_name keycloak.xxx;
    # Certificate paths appear redacted ("/**/") in the post.
    ssl_certificate /**/fullchain.pem;
    ssl_certificate_key /**/privkey.pem;

     # Set at server level; inherited by the location below because it defines no
     # proxy_set_header of its own.
     proxy_set_header Host                  $host;
     # $proxy_add_x_forwarded_for appends the client address to any X-Forwarded-For the
     # client already sent, so earlier entries in the list are client-controlled.
     proxy_set_header X-Forwarded-For       $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Host      $host;
     proxy_set_header X-Forwarded-Server    $host;
     #proxy_set_header X-Forwarded-Proto     $scheme;
     # Hard-coded to https; this server block only listens on 443 ssl.
     proxy_set_header X-Forwarded-Proto     https;


     # Everything is proxied, including admin console, health and metrics paths;
     # add narrower location blocks if some of these should not be public.
     location / {
         proxy_pass http://keycloak-service:8080;
     }
}


2

Answers


  1. proxy_pass must point to the server that is running, i.e. proxy_pass http://localhost:8080;

  2. I ran into similar problem while using jwilder/nginx-proxy and docker-compose

    Changing KC_HOSTNAME to the actual URL fixed my issue. In this case, set it to keycloak.xxx (the host part of https://keycloak.xxx/admin/master/console/) instead of "keycloak-service".

    This issue thread could be useful for anyone with similar problem in future
