[keycloak-user] KeyCloak behind reverse proxy - hostname incorrect
John D. Ament
john.d.ament at gmail.com
Thu Jun 15 09:01:25 EDT 2017
Hi,

I'm using nginx as a reverse proxy and got things working. We had to make
sure the following was being set on the proxy:

    proxy_pass << your url >>;
    proxy_set_header Host "$host:$app_port";
    proxy_set_header X-Forwarded-For $host;
    proxy_set_header X-Forwarded-Port $app_port;

In the http-listener on the keycloak server, make sure
that proxy-address-forwarding="true" was set.

John

On Thu, Jun 15, 2017 at 5:49 AM <jim-keycloak at spudsoft.co.uk> wrote:
> Hi,
>
> We are trying to use KeyCloak behind a reverse proxy.
>
> There are lots of discussions about doing this online, but they are all
> concerned about getting the protocol correct - which we are not having a
> problem with.
>
> Our problem is that the reverse proxy has a completely different name
> from the KeyCloak host and this seems to be confusing KeyCloak.
>
> Our reverse proxy ("external") is on https and our KeyCloak server
> ("internal") is on http.
>
> There are two examples that we have seen of this:
>
> 1. In the UI templates the url.loginAction variable is https://internal
>
> 2. In JWTs generated by KeyCloak the iss is https://internal
> This seems to be resulting in all tokens being refused by
> introspection.
>
> Our reverse proxy is adding both X-Forwarded-Proto and
> X-Forwarded-Server headers (we can change these easily).
>
> It would be acceptable for us if KeyCloak were only accessible via the
> reverse proxy.
>
> We are using KeyCloak 3.0.0.FINAL.
>
> How can we get this working?
>
> Thanks
>
> Jim
>
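
Added example (not part of the thread, and not Keycloak code): a small Python check for the second symptom described above, a token whose iss names the internal host. It decodes the payload without verifying the signature, compares iss part by part with the issuer that clients expect, and names the proxy setting from this thread to look at. The hostnames, the realm name "demo" and all function names are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

# Assumption: hints only name settings mentioned in this thread.
HINTS = {
    "scheme": "X-Forwarded-Proto and proxy-address-forwarding",
    "host": "the Host header the proxy passes to Keycloak",
    "port": "X-Forwarded-Port and the port in the Host header",
    "path": "the realm name and the /auth context path",
}


def unverified_claims(jwt):
    """Decode the JWT payload WITHOUT checking the signature (diagnosis only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _parts(url):
    u = urlsplit(url)
    # No port normalisation: issuer checks are usually exact string matches.
    return {"scheme": u.scheme, "host": u.hostname or "", "port": u.port, "path": u.path}


def issuer_mismatches(jwt, expected_issuer):
    """Return {part: (got, expected, hint)} for each part of iss that differs."""
    got = _parts(unverified_claims(jwt).get("iss", ""))
    want = _parts(expected_issuer)
    return {k: (got[k], want[k], HINTS[k]) for k in want if got[k] != want[k]}


def make_sample_token(iss):
    """Build a constructed token for the demo; the signature part is a dummy."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"iss": iss}), "c2ln"])


if __name__ == "__main__":
    expected = "https://external.example.com/auth/realms/demo"  # constructed
    token = make_sample_token("https://internal/auth/realms/demo")  # constructed
    for part, (got, want, hint) in issuer_mismatches(token, expected).items():
        print(f"{part}: token has {got!r}, expected {want!r}; check {hint}")
```

Run it against a token fetched through the proxy after each header change; an empty result means iss matches the external URL exactly.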