I am trying to configure NGINX as a reverse proxy for my Keycloak instance and customer-portal to do SSL termination.
So I am accessing the customer-portal over NGINX with HTTPS, which is going fine.
The URL which I called looks like this:
Next, when I try to access any secured resource by clicking on, let's say, 'customer-listing', I am redirected to Keycloak with the URI below and an error message of invalid redirect URI.
Here, if you see, the redirect URI is going as http in place of https, which gives me invalid redirect URI because the URI I have configured in the valid-redirect-URI section of the customer-portal client settings is below:
Am I missing something, or do I need to do anything else to support the NGINX setup in my Keycloak? I have also set proxy-address-forwarding to 'true' in standalone.xml:
<http-listener xmlns:ut="urn:jboss:domain:undertow:3.0"
               proxy-address-forwarding="true"
               name="default"
               socket-binding="http"
               redirect-socket="https"/>
I also configured the port in the socket binding as 443.
I am also setting the required headers in my nginx.conf. Below is what my nginx.conf looks like:
user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid       /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include      /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    server {
        # "listen 443 ssl;" is the current form of "listen 443;" plus "ssl on;"
        listen 443 ssl;
        server_name "";

        ssl_certificate     /etc/nginx/external/cert.pem;
        ssl_certificate_key /etc/nginx/external/key.pem;
        # TLSv1 and TLSv1.1 are obsolete; TLSv1.2 alone is the usual minimum today
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        location /customer-portal/ {
            # proxy_pass for this location is not shown in the posted config
            proxy_set_header Host               $http_host;
            proxy_set_header X-Real-IP          $remote_addr;
            proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
            # X-Forwarded-Proto tells the backend the client used https
            proxy_set_header X-Forwarded-Proto  $scheme;
            proxy_set_header X-Forwarded-Host   $host;
            proxy_set_header X-Forwarded-Server $http_host;
            proxy_set_header X-Forwarded-Port   443;
        }

        location /auth/ {
            # proxy_pass for this location is not shown in the posted config
            proxy_set_header Host               $host;
            proxy_set_header X-Real-IP          $remote_addr;
            proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto  $scheme;
            proxy_set_header X-Forwarded-Host   $host;
            proxy_set_header X-Forwarded-Server $http_host;
            proxy_set_header X-Forwarded-Port   443;
        }
    }

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}
And my keycloak.json file looks like below:
{
  "realm": "nginx",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzb6ecdzvU+RoI0Qu6Psh1NFKLUoSuSfoAdW/nD5sr0M1FDpLOrsRIzIRScS9DJ28n1+Kdvrad9aS/UMsr+NXHRoSPeZuabAtfDCYx49+NhtR+LW97rB4lBNnXf148mkhikyZ0B08naQlhgkAqBXR5oxOo/FqWCObhZxBPsU9BcL4Qb5JO1we8k+7kIHTFyhHbZvEAk292eIG+GyrUDh+ZyE8T8Myde0GM1Korg9ZsdYxbb3U78bmxgvBmeye+Dq89EbyNDE3K/7giq7Gmh4Gu6fVcJG9tCjl1pS7CiDH1gTuITJxSJO3bPRf58SVoId8S26/5YMIq7pqwXe/pyvAewIDAQAB",
  "ssl-required": "external",
  "resource": "customer-portal",
  "credentials": {
    "secret": "20d8b6f8-25cc-481c-be66-133da68e9596"
  },
  "use-resource-role-mappings": false
}
Note: I am running all three in their own Docker containers.
Customer-portal is running on Tomcat 8 with the Keycloak Tomcat adapter.
Customer-portal and Keycloak are both running behind NGINX.
Am I doing something wrong?
Thanks.
Abhishek
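As an added illustration (not part of the original post), the following Python models how a servlet container behind a TLS-terminating proxy rebuilds the external URL with and without proxy-address-forwarding, and checks the resulting redirect URI against a Keycloak-style valid-redirect-URI pattern. The hostnames, port, client address and the valid-redirect pattern are constructed sample values, not taken from the post.

```python
# Constructed sample of what Tomcat/Keycloak see on the inner hop: NGINX
# terminated TLS, so the backend socket is plain http. Hostname, port and
# client IP are assumed values, not taken from the original post.
INNER_REQUEST = {
    "scheme": "http",
    "host": "customer-portal:8080",
    "path": "/customer-portal/customer-listing",
    "headers": {
        "Host": "portal.example.com",
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Host": "portal.example.com",
        "X-Forwarded-Port": "443",
        "X-Forwarded-For": "203.0.113.7",
    },
}

# Assumed value of the client's "Valid Redirect URIs" setting.
VALID_REDIRECT_URIS = ["https://portal.example.com/customer-portal/*"]


def external_base_url(req, proxy_address_forwarding):
    """Rebuild the scheme://host[:port] the browser actually used.

    With proxy-address-forwarding off the server trusts only its own socket
    (http, inner host). With it on, it trusts the X-Forwarded-* headers, which
    is only safe when every request reaches it through a proxy that sets them.
    """
    scheme, host = req["scheme"], req["host"]
    if proxy_address_forwarding:
        h = req["headers"]
        scheme = h.get("X-Forwarded-Proto", scheme)
        host = h.get("X-Forwarded-Host", h.get("Host", host)).split(":")[0]
        port = h.get("X-Forwarded-Port")
        default_port = {"https": "443", "http": "80"}.get(scheme)
        if port and port != default_port:
            host = f"{host}:{port}"
    return f"{scheme}://{host}"


def redirect_uri_for(req, proxy_address_forwarding):
    """The redirect_uri the adapter would send to Keycloak for this request."""
    return external_base_url(req, proxy_address_forwarding) + req["path"]


def redirect_uri_allowed(uri, patterns):
    """Simplified Keycloak check: exact match, or prefix match on a trailing '*'."""
    return any(
        uri.startswith(p[:-1]) if p.endswith("*") else uri == p for p in patterns
    )
```

With forwarding off the adapter builds http://customer-portal:8080/..., which no https pattern matches, so Keycloak rejects it; with forwarding on and the headers above, it builds the https URL the client registered.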