<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Didn't go through all the details,
just pointing out: did you read some parts of our docs?<br>
<br>
<a class="moz-txt-link-freetext" href="https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/network.html">https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/network.html</a>
(and subpages)<br>
<a class="moz-txt-link-freetext" href="https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/clustering/load-balancer.html">https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/clustering/load-balancer.html</a><br>
<br>
Marek<br>
<br>
On 03/08/16 17:36, abhishek raghav wrote:<br>
</div>
<blockquote
cite="mid:CAJmz6fv7v7d+ahmjP11o=E=_rkQebhcDjTFEG+Vdm0U-MKmk1A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>I am trying to configure NGINX as a reverse proxy for my Keycloak
instance and customer-portal to do SSL termination. </div>
<div><br>
</div>
<div>So I am accessing the customer-portal over NGINX with
https which is going fine.</div>
<div>The URL which I called looks like this:</div>
<div><br>
</div>
<div><font face="monospace, monospace"><a moz-do-not-send="true"
href="https://192.168.99.100/customer-portal/">https://192.168.99.100/customer-portal/</a></font><br>
</div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><br>
</div>
<div>Next, when I am trying to access any secured resource by
clicking on, let's say, 'customer-listing', I am redirected to
Keycloak with the URI as below, with an error message of
invalid redirect URI.</div>
<div><br>
</div>
<div><font face="monospace, monospace"><a moz-do-not-send="true"
href="http://192.168.99.100:31048/auth/realms/nginx/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2F192.168.99.100%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=3%2F9ded446e-cecc-4e96-b46a-37dce491a509&login=true">http://192.168.99.100:31048/auth/realms/nginx/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2F192.168.99.100%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=3%2F9ded446e-cecc-4e96-b46a-37dce491a509&login=true</a><br>
</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">Here, if you see,
the redirect URI is going as http in place of https, which
gives me invalid redirect-uri because the URI I have
configured in the valid-redirect-URI section of settings in the
customer-portal client settings is below:</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="monospace, monospace"><a moz-do-not-send="true"
href="https://192.168.99.100/customer-portal/*">https://192.168.99.100/customer-portal/*</a></font></div>
<div><span style="font-family:arial,helvetica,sans-serif"><br>
</span></div>
<div><font face="arial, helvetica, sans-serif">Am I missing
something, or do I need to do anything else to support the nginx
settings in my Keycloak? I have also set proxy-forwarding in
standalone.xml to 'true'.</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div>
<div><font face="monospace, monospace">&lt;http-listener
xmlns:ut="urn:jboss:domain:undertow:3.0" <b>proxy-address-forwarding="true"</b></font></div>
<div><font face="monospace, monospace">
name="default"</font></div>
<div><font face="monospace, monospace">
socket-binding="http"</font></div>
<div><font face="monospace, monospace">
redirect-socket="https"/&gt;</font></div>
</div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">I also
configured the port in the socket binding as 443.</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">Also, I am
configuring the required header in my nginx.conf. </font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">Below is what my
nginx.conf looks like:</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div>
<div><font face="monospace, monospace">user nginx;</font></div>
<div><font face="monospace, monospace">worker_processes 1;</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">error_log
/var/log/nginx/error.log warn;</font></div>
<div><font face="monospace, monospace">pid
/var/run/nginx.pid;</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">events {</font></div>
<div><font face="monospace, monospace"> worker_connections
1024;</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">}</font></div>
<div><font face="monospace, monospace">http {</font></div>
<div><font face="monospace, monospace"> include
/etc/nginx/mime.types;</font></div>
<div><font face="monospace, monospace"> default_type
application/octet-stream;</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"> log_format main
'$remote_addr - $remote_user [$time_local] "$request" '</font></div>
<div><font face="monospace, monospace">
'$status $body_bytes_sent "$http_referer" '</font></div>
<div><font face="monospace, monospace">
'"$http_user_agent" "$http_x_forwarded_for"';</font></div>
<div><font face="monospace, monospace"> server {</font></div>
<div><font face="monospace, monospace"> listen
443;</font></div>
<div><font face="monospace, monospace"> server_name
"";</font></div>
<div><font face="monospace, monospace"> ssl_certificate
/etc/nginx/external/cert.pem;</font></div>
<div><font face="monospace, monospace"> ssl on;</font></div>
<div><font face="monospace, monospace"> ssl_certificate_key
/etc/nginx/external/key.pem;</font></div>
<div><font face="monospace, monospace"> ssl_protocols
TLSv1 TLSv1.1 TLSv1.2;</font></div>
<div><font face="monospace, monospace"> ssl_ciphers
HIGH:!aNULL:!MD5;</font></div>
<div><font face="monospace, monospace"> location
/customer-portal/ {</font></div>
<div><font face="monospace, monospace"> proxy_set_header
Host $http_host;</font></div>
<div><font face="monospace, monospace"> proxy_set_header
X-Real-IP $remote_addr;</font></div>
<div><font face="monospace, monospace"> proxy_set_header
X-Forwarded-For $proxy_add_x_forwarded_for;</font></div>
<div><font face="monospace, monospace"> proxy_set_header
X-Forwarded-Proto $scheme;</font></div>
<div><font face="monospace, monospace"> proxy_set_header
X-Forwarded-Host $host;</font></div>
<div><font face="monospace, monospace"> proxy_set_header
X-Forwarded-Server $http_host;</font></div>
<div><font face="monospace, monospace"> proxy_set_header
X-Forwarded-Port 443;</font></div>
<div><font face="monospace, monospace"> proxy_pass
<a moz-do-not-send="true"
href="http://192.168.99.100:31050">http://192.168.99.100:31050</a>;</font></div>
<div><font face="monospace, monospace">}</font></div>
<div>
<div><font face="monospace, monospace"> location /auth/ {</font></div>
<div><font face="monospace, monospace">
proxy_set_header Host $host;</font></div>
<div><font face="monospace, monospace">
proxy_set_header X-Real-IP $remote_addr;</font></div>
<div><font face="monospace, monospace">
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;</font></div>
<div><font face="monospace, monospace">
proxy_set_header X-Forwarded-Proto $scheme;</font></div>
<div><font face="monospace, monospace">
proxy_set_header X-Forwarded-Host $host;</font></div>
<div><font face="monospace, monospace">
proxy_set_header X-Forwarded-Server $http_host;</font></div>
<div><font face="monospace, monospace"> proxy_pass
<a moz-do-not-send="true"
href="http://192.168.99.100:31048/auth/">http://192.168.99.100:31048/auth/</a>;</font></div>
<div><font face="monospace, monospace">
proxy_set_header X-Forwarded-Port 443;</font></div>
<div><font face="monospace, monospace"> }</font></div>
<div><font face="monospace, monospace"> }</font></div>
<div><font face="monospace, monospace"> access_log
/var/log/nginx/access.log main;</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"> sendfile
on;</font></div>
<div><font face="monospace, monospace"> #tcp_nopush
on;</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"> keepalive_timeout
65;</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"> #gzip on;</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"> include
/etc/nginx/conf.d/*.conf;</font></div>
<div><font face="monospace, monospace">}</font></div>
</div>
</div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">And my
keycloak.json file looks like below:</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div>
<div><font face="monospace, monospace">{</font></div>
<div><font face="monospace, monospace"> "realm": "nginx",</font></div>
<div><font face="monospace, monospace"> "realm-public-key":
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzb6ecdzvU+RoI0Qu6Psh1NFKLUoSuSfoAdW/nD5sr0M1FDpLOrsRIzIRScS9DJ28n1+Kdvrad9aS/UMsr+NXHRoSPeZuabAtfDCYx49+NhtR+LW97rB4lBNnXf148mkhikyZ0B08naQlhgkAqBXR5oxOo/FqWCObhZxBPsU9BcL4Qb5JO1we8k+7kIHTFyhHbZvEAk292eIG+GyrUDh+ZyE8T8Myde0GM1Korg9ZsdYxbb3U78bmxgvBmeye+Dq89EbyNDE3K/7giq7Gmh4Gu6fVcJG9tCjl1pS7CiDH1gTuITJxSJO3bPRf58SVoId8S26/5YMIq7pqwXe/pyvAewIDAQAB",</font></div>
<div><font face="monospace, monospace"> "auth-server-url": "<a
moz-do-not-send="true"
href="https://192.168.99.100/auth/">https://192.168.99.100/auth/</a>",</font></div>
<div><font face="monospace, monospace"> "ssl-required":
"external",</font></div>
<div><font face="monospace, monospace"> "resource":
"customer-portal",</font></div>
<div><font face="monospace, monospace"> "credentials": {</font></div>
<div><font face="monospace, monospace"> "secret":
"20d8b6f8-25cc-481c-be66-133da68e9596"</font></div>
<div><font face="monospace, monospace"> },</font></div>
<div><font face="monospace, monospace">
"use-resource-role-mappings": false</font></div>
<div><font face="monospace, monospace">}</font></div>
</div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">Note: I am
running all 3 in their own Docker containers.</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">Here my nginx url
is <b><a moz-do-not-send="true"
href="https://192.168.99.100">https://192.168.99.100</a></b></font></div>
<div><span style="font-family:arial,helvetica,sans-serif">my
customer-portal url is <b><a moz-do-not-send="true"
href="http://192.168.99.100:31050">http://192.168.99.100:31050</a></b></span><font
face="arial, helvetica, sans-serif"><br>
</font></div>
<div><span style="font-family:arial,helvetica,sans-serif">my
keycloak server url is <b><a moz-do-not-send="true"
href="http://192.168.99.100:31048">http://192.168.99.100:31048</a></b></span><span
style="font-family:arial,helvetica,sans-serif"><br>
</span></div>
<div><span style="font-family:arial,helvetica,sans-serif"><b><br>
</b></span></div>
<div><span style="font-family:arial,helvetica,sans-serif">Customer-portal
is running on tomcat 8 with keycloak tomcat adapter.</span></div>
<div><span style="font-family:arial,helvetica,sans-serif"><br>
</span></div>
<div><span style="font-family:arial,helvetica,sans-serif">customer-portal
and keycloak, both are running behind nginx.</span></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div>Am I doing something wrong?</div>
<div><br>
</div>
<div>Thanks.</div>
<div>Abhishek </div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
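<div>The mismatch described in the quoted message can be reproduced offline from the two URLs it contains. This is an added example, not part of the original thread and not Keycloak's own code; the function names are hypothetical, and the matching model (exact match, or prefix match when the registered URI ends in <code>*</code>) is a simplifying assumption.</div>

```python
from urllib.parse import urlsplit, parse_qs

# Values copied from the quoted message above.
AUTH_REQUEST = (
    "http://192.168.99.100:31048/auth/realms/nginx/protocol/openid-connect/auth"
    "?response_type=code&client_id=customer-portal"
    "&redirect_uri=http%3A%2F%2F192.168.99.100%2Fcustomer-portal%2Fcustomers%2Fview.jsp"
    "&state=3%2F9ded446e-cecc-4e96-b46a-37dce491a509&login=true"
)
VALID_REDIRECT = "https://192.168.99.100/customer-portal/*"

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_and_path(uri):
    """Split a URI into (scheme, host, effective port, path)."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port, parts.path


def redirect_uri_of(auth_request):
    """Return the decoded redirect_uri parameter of an authorization request URL."""
    values = parse_qs(urlsplit(auth_request).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return values[0]


def mismatches(redirect_uri, pattern):
    """List the components in which redirect_uri differs from the registered pattern.

    Assumed model: exact match, or path-prefix match when pattern ends with '*'.
    """
    wildcard = pattern.endswith("*")
    sent = origin_and_path(redirect_uri)
    registered = origin_and_path(pattern[:-1] if wildcard else pattern)
    names = ("scheme", "host", "port")
    diffs = [n for n, a, b in zip(names, sent, registered) if a != b]
    path_ok = sent[3].startswith(registered[3]) if wildcard else sent[3] == registered[3]
    if not path_ok:
        diffs.append("path")
    return diffs


if __name__ == "__main__":
    sent_uri = redirect_uri_of(AUTH_REQUEST)
    print(sent_uri, "->", mismatches(sent_uri, VALID_REDIRECT) or "matches")
```

<div>Host and path already agree with the registered pattern; only the scheme and the port implied by it differ, so the redirect_uri the application sends does not reflect the https URL the browser used.</div>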
</body>
</html>