<div dir="ltr"><div><br></div><div>I am trying to configure NGINX as a reverse proxy for my keycloak instance and customer-portal to do SSL termination. </div><div><br></div><div>So I am accessing the customer-portal over NGINX with https, which is going fine.</div><div>The URL which I called looks like this:</div><div><br></div><div><font face="monospace, monospace"><a href="https://192.168.99.100/customer-portal/">https://192.168.99.100/customer-portal/</a></font><br></div><div><font face="monospace, monospace"><br></font></div><div><br></div><div>Next, when I am trying to access any secured resource by clicking on, let's say, 'customer-listing', I am redirected to keycloak with the URI as below, with an error message as invalid redirect URI.</div><div><br></div><div><font face="monospace, monospace"><a href="http://192.168.99.100:31048/auth/realms/nginx/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2F192.168.99.100%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=3%2F9ded446e-cecc-4e96-b46a-37dce491a509&login=true">http://192.168.99.100:31048/auth/realms/nginx/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2F192.168.99.100%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=3%2F9ded446e-cecc-4e96-b46a-37dce491a509&login=true</a><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="arial, helvetica, sans-serif">Here if you see, the redirect URI is going as http in place of https,
which gives me invalid redirect-uri because the URI I have configured in the valid-redirect-URI section of settings in the customer-portal client settings is below:</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="monospace, monospace"><a href="https://192.168.99.100/customer-portal/*">https://192.168.99.100/customer-portal/*</a></font></div><div><span style="font-family:arial,helvetica,sans-serif"><br></span></div><div><font face="arial, helvetica, sans-serif">Am I missing something, or do I need to do anything else to support nginx settings in my keycloak? I have made the proxy-forwarding in standalone.xml also as 'true'.</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><div><font face="monospace, monospace">&lt;http-listener xmlns:ut="urn:jboss:domain:undertow:3.0" <b>proxy-address-forwarding="true"</b></font></div><div><font face="monospace, monospace"> name="default"</font></div><div><font face="monospace, monospace"> socket-binding="http"</font></div><div><font face="monospace, monospace"> redirect-socket="https"/&gt;</font></div></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="arial, helvetica, sans-serif">I also configured the port in the socket binding as 443.</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">Also I am configuring the required header in my nginx.conf.
 </font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">Below is what my nginx.conf looks like:</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><div><font face="monospace, monospace">user nginx;</font></div><div><font face="monospace, monospace">worker_processes 1;</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">error_log /var/log/nginx/error.log warn;</font></div><div><font face="monospace, monospace">pid /var/run/nginx.pid;</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">events {</font></div><div><font face="monospace, monospace"> worker_connections 1024;</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">}</font></div><div><font face="monospace, monospace">http {</font></div><div><font face="monospace, monospace"> include /etc/nginx/mime.types;</font></div><div><font face="monospace, monospace"> default_type application/octet-stream;</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"> log_format main '$remote_addr - $remote_user [$time_local] "$request" '</font></div><div><font face="monospace, monospace"> '$status $body_bytes_sent "$http_referer" '</font></div><div><font face="monospace, monospace"> '"$http_user_agent" "$http_x_forwarded_for"';</font></div><div><font face="monospace, monospace"> server {</font></div><div><font face="monospace, monospace"> listen 443;</font></div><div><font face="monospace, monospace"> server_name "";</font></div><div><font face="monospace, monospace"> ssl_certificate /etc/nginx/external/cert.pem;</font></div><div><font face="monospace, monospace"> ssl on;</font></div><div><font face="monospace, monospace"> ssl_certificate_key 
/etc/nginx/external/key.pem;</font></div><div><font face="monospace, monospace"> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;</font></div><div><font face="monospace, monospace"> ssl_ciphers HIGH:!aNULL:!MD5;</font></div><div><font face="monospace, monospace"> location /customer-portal/ {</font></div><div><font face="monospace, monospace"> proxy_set_header Host $http_host;</font></div><div><font face="monospace, monospace"> proxy_set_header X-Real-IP $remote_addr;</font></div><div><font face="monospace, monospace"> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;</font></div><div><font face="monospace, monospace"> proxy_set_header X-Forwarded-Proto $scheme;</font></div><div><font face="monospace, monospace"> proxy_set_header X-Forwarded-Host $host;</font></div><div><font face="monospace, monospace"> proxy_set_header X-Forwarded-Server $http_host;</font></div><div><font face="monospace, monospace"> proxy_set_header X-Forwarded-Port 443;</font></div><div><font face="monospace, monospace"> proxy_pass <a href="http://192.168.99.100:31050">http://192.168.99.100:31050</a>;</font></div><div><font face="monospace, monospace">}</font></div><div><div><font face="monospace, monospace"> location /auth/ {</font></div><div><font face="monospace, monospace"> proxy_set_header Host $host;</font></div><div><font face="monospace, monospace"> proxy_set_header X-Real-IP $remote_addr;</font></div><div><font face="monospace, monospace"> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;</font></div><div><font face="monospace, monospace"> proxy_set_header X-Forwarded-Proto $scheme;</font></div><div><font face="monospace, monospace"> proxy_set_header X-Forwarded-Host $host;</font></div><div><font face="monospace, monospace"> proxy_set_header X-Forwarded-Server $http_host;</font></div><div><font face="monospace, monospace"> proxy_pass <a href="http://192.168.99.100:31048/auth/">http://192.168.99.100:31048/auth/</a>;</font></div><div><font face="monospace, monospace"> 
 proxy_set_header X-Forwarded-Port 443;</font></div><div><font face="monospace, monospace"> }</font></div><div><font face="monospace, monospace"> }</font></div><div><font face="monospace, monospace"> access_log /var/log/nginx/access.log main;</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"> sendfile on;</font></div><div><font face="monospace, monospace"> #tcp_nopush on;</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"> keepalive_timeout 65;</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"> #gzip on;</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"> include /etc/nginx/conf.d/*.conf;</font></div><div><font face="monospace, monospace">}</font></div></div></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="arial, helvetica, sans-serif">And my keycloak.json file looks like below:</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><div><font face="monospace, monospace">{</font></div><div><font face="monospace, monospace"> "realm": "nginx",</font></div><div><font face="monospace, monospace"> "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzb6ecdzvU+RoI0Qu6Psh1NFKLUoSuSfoAdW/nD5sr0M1FDpLOrsRIzIRScS9DJ28n1+Kdvrad9aS/UMsr+NXHRoSPeZuabAtfDCYx49+NhtR+LW97rB4lBNnXf148mkhikyZ0B08naQlhgkAqBXR5oxOo/FqWCObhZxBPsU9BcL4Qb5JO1we8k+7kIHTFyhHbZvEAk292eIG+GyrUDh+ZyE8T8Myde0GM1Korg9ZsdYxbb3U78bmxgvBmeye+Dq89EbyNDE3K/7giq7Gmh4Gu6fVcJG9tCjl1pS7CiDH1gTuITJxSJO3bPRf58SVoId8S26/5YMIq7pqwXe/pyvAewIDAQAB",</font></div><div><font face="monospace, monospace"> "auth-server-url": "<a href="https://192.168.99.100/auth/">https://192.168.99.100/auth/</a>",</font></div><div><font face="monospace, monospace"> "ssl-required": 
"external",</font></div><div><font face="monospace, monospace"> "resource": "customer-portal",</font></div><div><font face="monospace, monospace"> "credentials": {</font></div><div><font face="monospace, monospace"> "secret": "20d8b6f8-25cc-481c-be66-133da68e9596"</font></div><div><font face="monospace, monospace"> },</font></div><div><font face="monospace, monospace"> "use-resource-role-mappings": false</font></div><div><font face="monospace, monospace">}</font></div></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">Note: I am running all the 3 in their own docker containers.</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">Here my nginx url is <b><a href="https://192.168.99.100">https://192.168.99.100</a></b></font></div><div><span style="font-family:arial,helvetica,sans-serif">my customer-portal url is <b><a href="http://192.168.99.100:31050">http://192.168.99.100:31050</a></b></span><font face="arial, helvetica, sans-serif"><br></font></div><div><span style="font-family:arial,helvetica,sans-serif">my keycloak server url is <b><a href="http://192.168.99.100:31048">http://192.168.99.100:31048</a></b></span><span style="font-family:arial,helvetica,sans-serif"><br></span></div><div><span style="font-family:arial,helvetica,sans-serif"><b><br></b></span></div><div><span style="font-family:arial,helvetica,sans-serif">Customer-portal is running on tomcat 8 with keycloak tomcat adapter.</span></div><div><span style="font-family:arial,helvetica,sans-serif"><br></span></div><div><span style="font-family:arial,helvetica,sans-serif">customer-portal and keycloak, both are running behind nginx.</span></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="monospace, monospace"><br></font></div><div>Am I doing something wrong?</div><div><br></div><div>Thanks.</div><div>Abhishek 
</div><div><br></div><div><br></div></div>
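The mismatch reported in the message above, reproduced as an added example (not part of the original message and not Keycloak's own code): it decodes `redirect_uri` from the quoted authorization URL and compares it, component by component, with the configured valid redirect URI. The function names are hypothetical, and the matching rule (equal scheme, host and port; a trailing `*` as a path-prefix wildcard) is a simplifying assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Values copied from the message above.
AUTH_URL = (
    "http://192.168.99.100:31048/auth/realms/nginx/protocol/openid-connect/auth"
    "?response_type=code&client_id=customer-portal"
    "&redirect_uri=http%3A%2F%2F192.168.99.100%2Fcustomer-portal%2Fcustomers%2Fview.jsp"
    "&state=3%2F9ded446e-cecc-4e96-b46a-37dce491a509&login=true"
)
VALID_REDIRECT = "https://192.168.99.100/customer-portal/*"
DEFAULT_PORTS = {"http": 80, "https": 443}


def extract_redirect_uri(auth_url):
    """Return the percent-decoded redirect_uri of an OIDC auth request URL."""
    values = parse_qs(urlsplit(auth_url).query).get("redirect_uri")
    if not values:
        raise ValueError("auth URL carries no redirect_uri parameter")
    return values[0]


def origin(url):
    """(scheme, host, port), with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def diagnose(redirect_uri, pattern):
    """List the components in which redirect_uri fails to match pattern.

    Assumed, simplified rule: scheme, host and port must be equal, and a
    trailing '*' in the pattern turns the path check into a prefix match.
    """
    problems = []
    for name, got, want in zip(("scheme", "host", "port"),
                               origin(redirect_uri), origin(pattern)):
        if got != want:
            problems.append(f"{name}: got {got!r}, expected {want!r}")
    want_path, got_path = urlsplit(pattern).path, urlsplit(redirect_uri).path
    if want_path.endswith("*"):
        path_ok = got_path.startswith(want_path[:-1])
    else:
        path_ok = got_path == want_path
    if not path_ok:
        problems.append(f"path: got {got_path!r}, expected {want_path!r}")
    return problems


if __name__ == "__main__":
    sent = extract_redirect_uri(AUTH_URL)
    print(sent, diagnose(sent, VALID_REDIRECT))
```

Host and path already match the configured pattern; only the scheme, and with it the implied port, differs in the URI the application generated behind the proxy.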