Question 379564 in Nginx Question posted in
The official documentation can be found here.

Keycloak behind nginx cannot forward to login page

Keycloak per se is working fine. I created a subdomain https://auth.mydomain.com which is pointing to a VM running on GCP. I have configured nginx to internally forward the request to Keycloak. So far so good. When I click "Administration console" in the Keycloak UI, it redirects to https://auth.mydomain.com/admin/master/console and hangs with "Loading Admin UI". According to the network logs the error occurs when Keycloak tries to load step1.html via https://auth.mydomain.com:8081/realms/master/protocol/openid-connect/3p-cookies/step1.html.

Now I think that this URL (the initial part https://auth.mydomain.com) is incorrect but don’t know how to configure it otherwise. I guess it should be http and pointing to the internal IP/localhost or get rid of the 8081 port.

Here’s my nginx.conf:

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        http2  on;
        server_name auth.mydomain.com;

        # SSL certificate configuration
        ssl_certificate .../public.crt;
        ssl_certificate_key .../private.key;

        location / {
            proxy_pass http://127.0.0.1:8081;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

And this is how Keycloak is configured.

  environment:
      ...
      - KC_HTTP_ENABLED=true
      - KC_PROXY=edge
      - KC_PROXY_HEADERS=forwarded|xforwarded
      - KC_HOSTNAME_STRICT=false
      - KC_HOSTNAME_STRICT_HTTPS=false
      ...

Both nginx (image nginx:1.25.3-alpine) and Keycloak (quay.io/keycloak/keycloak:21.1.2) are running as Docker containers.
Any help appreciated, this is getting exasperating.

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    Finally I figured out that this issue was caused by the KC_HOSTNAME_PORT which I had configured a few lines below the options posted above. This made Keycloak append the custom port (8081) to the domain name (https://auth.mydomain.com). I simply removed the option and everything seems to work as expected.


  2. 0

    Did you check setting the admin URL variables?

    These are my docker compose variables (using localhost instead of the IP):

      KEYCLOAK_ADMIN_URL: http://localhost:${NGINX_HOST_PORT}${KEYCLOAK_ADMIN_URL}
  KC_HOSTNAME_URL: http://localhost:${NGINX_HOST_PORT}${KEYCLOAK_HOSTNAME_URL}
  KC_HOSTNAME_ADMIN_URL: http://localhost:8081/

    And my NGINX config using the docker service name:

      location /keycloak/ {
      proxy_pass http://api-keycloak:8080/;
  }
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search