Hello,
I found a mistake in my configuration below and have solved it.
In #4, the default-provider should be “fixed”.
Thanks for your time.
Thanks,
Yang
On Jul 15, 2019, at 23:03, Yang Yang <yy8402(a)icloud.com> wrote:
Hello,
I am trying to make keycloak work behind a Nginx proxy with HTTPS, but got a redirect
issue. Could you help to shed some light?
1. keycloak in standalone mode is installed on local_ip_a and public_ip_a, while Nginx is
on local_ip_b and public_ip_b. local_ip_a and local_ip_b are in the same subnet.
2. keycloak works fine with https when I reach it with local_ip_a or public_ip_a,
following the guide here <https://www.keycloak.org/docs/6.0/server_installation/index.html#enabling...>:
...
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="keycloak.jks"
                      relative-to="jboss.server.config.dir"
                      keystore-password="secret"/>
        </ssl>
    </server-identities>
</security-realm>
…
<server name="default-server">
    <http-listener name="default"
                   socket-binding="http" redirect-socket="https"
                   enable-http2="true"/>
    <https-listener name="https"
                    socket-binding="https" security-realm="UndertowRealm"
                    enable-http2="true"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <http-invoker security-realm="ApplicationRealm"/>
    </host>
</server>
...
3. my nginx configuration for keycloak is as below:
…
server {
    listen 8443 ssl;
    ...
    location /auth/ {
        proxy_pass https://local_ip_a:8443/auth/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
…
4. I set the fixed provider following this
<https://github.com/keycloak/keycloak-documentation/blob/6.0.1/server_admi...>:
<spi name="hostname">
    <default-provider>request</default-provider>
    <provider name="fixed" enabled="true">
        <properties>
            <property name="hostname" value="public_ip_b"/>
            <property name="httpPort" value="-1"/>
            <property name="httpsPort" value="-1"/>
        </properties>
    </provider>
</spi>
5. I was able to get the keycloak welcome page at https://public_ip_b:8443/auth/,
but when accessing https://public_ip_b:8443/auth/admin, I was redirected to
https://public_ip_b:8443/auth/admin/master/console/ and then to the following
address:
https://local_ip_a:8443/auth/realms/master/protocol/openid-connect/auth?c...
6. The keycloak message says:
22:19:44,848 WARN [org.keycloak.events] (default task-16) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=local_ip_b, error=invalid_redirect_uri, redirect_uri=https://public_ip_b:8443/auth/admin/master/console/
7. I tried to add https://public_ip_b:8443/auth/* to the security-admin-console
setting, but got no luck…
<Screen Shot 2019-07-15 at 22.54.58.png>
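Two points in this thread can be checked mechanically: whether the hostname SPI fragment in step 4 actually selects the fixed provider as default-provider (the mistake the reply reports), and whether the invalid_redirect_uri events in step 6 name the public host or an internal one. The script below is an added example and is not code from the thread or from the Keycloak project; the XML fragment and log lines embedded in it are constructed copies modelled on steps 4 and 6, with public_ip_b and local_ip_a kept as placeholder hostnames, and all function names are my own.

```python
"""Config and log checks for a Keycloak-behind-nginx setup (added example).

 1. check_hostname_spi(): parse the <spi name="hostname"> fragment of
    standalone.xml and confirm the 'fixed' provider is enabled, selected as
    default-provider, and carries the expected public hostname.
 2. parse_events() / offending_redirects(): parse org.keycloak.events lines
    and classify invalid_redirect_uri events by whether the rejected
    redirect_uri sits on the public base URL or on some other host.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed copy of the fragment posted in step 4 (placeholder hostname).
SPI_AS_POSTED = """
<spi name="hostname">
  <default-provider>request</default-provider>
  <provider name="fixed" enabled="true">
    <properties>
      <property name="hostname" value="public_ip_b"/>
      <property name="httpPort" value="-1"/>
      <property name="httpsPort" value="-1"/>
    </properties>
  </provider>
</spi>
"""

# The same fragment with the correction the reply describes applied.
SPI_CORRECTED = SPI_AS_POSTED.replace(
    "<default-provider>request<", "<default-provider>fixed<")


def check_hostname_spi(xml_text, expected_hostname):
    """Return a list of problems found in a hostname SPI fragment (empty = ok)."""
    root = ET.fromstring(xml_text.strip())
    problems = []
    default = root.findtext("default-provider")
    if default != "fixed":
        problems.append(f"default-provider is {default!r}, expected 'fixed'")
    fixed = root.find("provider[@name='fixed']")
    if fixed is None:
        problems.append("no provider named 'fixed'")
        return problems
    if fixed.get("enabled") != "true":
        problems.append("fixed provider is not enabled")
    props = {p.get("name"): p.get("value") for p in fixed.iter("property")}
    if props.get("hostname") != expected_hostname:
        problems.append(
            f"fixed hostname is {props.get('hostname')!r}, expected {expected_hostname!r}")
    return problems


# Constructed log lines in the layout shown in step 6; the second line is a
# hypothetical variant where the rejected redirect_uri names the internal host.
SAMPLE_LOG = """\
22:19:44,848 WARN [org.keycloak.events] (default task-16) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=local_ip_b, error=invalid_redirect_uri, redirect_uri=https://public_ip_b:8443/auth/admin/master/console/
22:20:01,102 WARN [org.keycloak.events] (default task-17) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=local_ip_b, error=invalid_redirect_uri, redirect_uri=https://local_ip_a:8443/auth/admin/master/console/
22:20:05,500 INFO [org.keycloak.events] (default task-18) type=LOGIN, realmId=master, clientId=security-admin-console, userId=abc, ipAddress=local_ip_b
"""

# Everything after the "(default task-N)" thread marker is a comma-separated
# key=value list.
EVENT_RE = re.compile(r"\[org\.keycloak\.events\].*?\)\s+(?P<fields>.*)$")


def parse_events(log_text):
    """Turn org.keycloak.events lines into dicts of their key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {}
        for part in m.group("fields").split(", "):
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def offending_redirects(events, public_base):
    """Return (clientId, redirect_uri, note) for every invalid_redirect_uri event.

    A rejected redirect_uri that already sits on the public base means the
    URI the browser sent was right and the server's own notion of its
    frontend host is the thing to check (hostname SPI, forwarded headers);
    one on a different host means the URL was built from an internal address.
    """
    pub = urlsplit(public_base)
    out = []
    for ev in events:
        if ev.get("error") != "invalid_redirect_uri":
            continue
        uri = ev.get("redirect_uri", "")
        u = urlsplit(uri)
        if (u.scheme, u.netloc) == (pub.scheme, pub.netloc):
            note = "redirect_uri is on the public host; check the server's frontend hostname"
        else:
            note = f"redirect_uri is on {u.netloc}, not the public host"
        out.append((ev.get("clientId"), uri, note))
    return out


if __name__ == "__main__":
    print("as posted:", check_hostname_spi(SPI_AS_POSTED, "public_ip_b"))
    print("corrected:", check_hostname_spi(SPI_CORRECTED, "public_ip_b"))
    for client, uri, note in offending_redirects(parse_events(SAMPLE_LOG),
                                                 "https://public_ip_b:8443/auth/"):
        print(client, uri, "->", note)
```

Running it against the posted fragment reports only the default-provider problem, and against the corrected fragment reports nothing, which is the one-line change the reply describes; the log check separates the two failure shapes so you know whether to look at the client's redirect URI list or at how Keycloak derives its own hostname behind the proxy.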