Keycloak per se is working fine. I created a subdomain https://auth.mydomain.com which is pointing to a VM running on GCP. I have configured nginx to internally forward the request to Keycloak. So far so good. When I click "Administration console" in the Keycloak UI, it redirects to https://auth.mydomain.com/admin/master/console and hangs with "Loading Admin UI". According to the network logs the error occurs when Keycloak tries to load step1.html via https://auth.mydomain.com:8081/realms/master/protocol/openid-connect/3p-cookies/step1.html.
Now I think that this URL (the initial part https://auth.mydomain.com) is incorrect but don’t know how to configure it otherwise. I guess it should be http and pointing to the internal IP/localhost or get rid of the 8081 port.
Here’s my nginx.conf:
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name auth.mydomain.com;

        # SSL certificate configuration
        ssl_certificate .../public.crt;
        ssl_certificate_key .../private.key;

        location / {
            proxy_pass http://127.0.0.1:8081;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
And this is how Keycloak is configured.
    environment:
      ...
      - KC_HTTP_ENABLED=true
      - KC_PROXY=edge
      - KC_PROXY_HEADERS=forwarded|xforwarded
      - KC_HOSTNAME_STRICT=false
      - KC_HOSTNAME_STRICT_HTTPS=false
      ...
Both nginx (image nginx:1.25.3-alpine) and Keycloak (quay.io/keycloak/keycloak:21.1.2) are running as Docker containers.
Any help appreciated, this is getting exasperating.
2 Answers
Finally I figured out that this issue was caused by the KC_HOSTNAME_PORT option, which I had configured a few lines below the options posted above. This made Keycloak append the custom port (8081) to the domain name (https://auth.mydomain.com). I simply removed the option and everything seems to work as expected.

Did you check setting the admin URL variables?
These are my docker compose variables (using localhost instead of the IP):
And my NGINX config using the docker service name:
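An added check for the situation in the first answer (my own script, not code from the question or either answer): given the realm's openid-configuration document, it flags every advertised URL whose scheme, host or port does not match the public origin served by nginx. The two JSON documents are constructed samples; the function name is mine.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the discovery document as Keycloak advertises it while
# KC_HOSTNAME_PORT=8081 is set, so the internal port leaks into every URL
# (the same hostname settings produce the 3p-cookies/step1.html URL).
BROKEN_DISCOVERY = json.dumps({
    "issuer": "https://auth.mydomain.com:8081/realms/master",
    "authorization_endpoint": "https://auth.mydomain.com:8081/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://auth.mydomain.com:8081/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://auth.mydomain.com:8081/realms/master/protocol/openid-connect/certs",
    "grant_types_supported": ["authorization_code", "refresh_token"],
})

# Constructed sample: the same document after KC_HOSTNAME_PORT is removed.
FIXED_DISCOVERY = json.dumps({
    "issuer": "https://auth.mydomain.com/realms/master",
    "authorization_endpoint": "https://auth.mydomain.com/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://auth.mydomain.com/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://auth.mydomain.com/realms/master/protocol/openid-connect/certs",
    "grant_types_supported": ["authorization_code", "refresh_token"],
})


def find_bad_urls(discovery_json: str, expected_origin: str) -> list:
    """Return 'key: url' for each string field that is a URL and whose
    scheme/host/port differ from expected_origin (e.g. https://auth.mydomain.com).
    A clean result means browsers will never be sent to an unreachable port."""
    expected = urlsplit(expected_origin)
    want = (expected.scheme, expected.hostname, expected.port)  # port None = default
    bad = []
    for key, value in json.loads(discovery_json).items():
        if not isinstance(value, str) or "://" not in value:
            continue  # lists, booleans and plain strings are not endpoints
        parts = urlsplit(value)
        if (parts.scheme, parts.hostname, parts.port) != want:
            bad.append(f"{key}: {value}")
    return bad


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_DISCOVERY), ("fixed", FIXED_DISCOVERY)):
        problems = find_bad_urls(doc, "https://auth.mydomain.com")
        print(f"{name}: {len(problems)} mismatching URL(s)")
        for line in problems:
            print("  ", line)
```

Against a live instance, feed it the body of GET https://auth.mydomain.com/realms/master/.well-known/openid-configuration; any line it prints is a URL the browser will be redirected to.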