5:03 p.m.
Hello,
I am trying to make keycloak work behind a Nginx proxy with HTTPS, but got an redirect
issue. Could you help to shed some light?
1. keycloak in standalone mode is installed on local_ip_a and public_ip_a, while Nginx is
on local_ip_b and public_ip_b. local_ip_a and local_ip_b are in the same subnet.
2. keycloak works fine with https when I reach it with local_ip_a or public_ip_a,
following guide here
<https://www.keycloak.org/docs/6.0/server_installation/index.html#enabling...
...
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="keycloak.jks"
relative-to="jboss.server.config.dir" keystore-password="secret"
/>
</ssl>
</server-identities>
</security-realm>
…
<server name="default-server">
<http-listener name="default" socket-binding="http"
redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https"
security-realm="UndertowRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
...
3. my nginx configuration for keycloak is as below:
…
server {
listen 8443 ssl;
...
location /auth/ {
proxy_pass https://local_ip_a:8443/auth/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
…
4. I set the fixed provide following this
<https://github.com/keycloak/keycloak-documentation/blob/6.0.1/server_admi...;:
<spi name="hostname">
<default-provider>request</default-provider>
<provider name="fixed" enabled="true">
<properties>
<property name="hostname"
value="public_ip_b"/>
<property name="httpPort" value="-1"/>
<property name="httpsPort" value="-1"/>
</properties>
</provider>
</spi>
5. I was able to get the keycloak welcome page at https://public_ip_b:8443/auth/, but when
accessing https://public_ip_b:8443/auth/admin, I was redirected to
https://public_ip_b:8443/auth/admin/master/console/ and then to the following address:
https://local_ip_a:8443/auth/realms/master/protocol/openid-connect/auth?c...
6. The keycloak message tells:
22:19:44,848 WARN [org.keycloak.events] (default task-16) type=LOGIN_ERROR,
realmId=master, clientId=security-admin-console, userId=null, ipAddress= local_ip_b,
error=invalid_redirect_uri,
redirect_uri=https://public_ip_b:8443/auth/admin/master/console/
7. I tried to add https://public_ip_b:8443/auth/* to security-admin-console setting, but
got no luck…
5:23 a.m.
Hello,
I found a mistake in my configuration below and have solved it.
In #4, the default-provider should be “fixed".
Thanks for your time.
Thanks,
Yang
On Jul 15, 2019, at 23:03, Yang Yang <yy8402(a)icloud.com>
wrote:
Hello,
I am trying to make keycloak work behind a Nginx proxy with HTTPS, but got an redirect
issue. Could you help to shed some light?
1. keycloak in standalone mode is installed on local_ip_a and public_ip_a, while Nginx is
on local_ip_b and public_ip_b. local_ip_a and local_ip_b are in the same subnet.
2. keycloak works fine with https when I reach it with local_ip_a or public_ip_a,
following guide here
<https://www.keycloak.org/docs/6.0/server_installation/index.html#enabling...
...
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="keycloak.jks"
relative-to="jboss.server.config.dir" keystore-password="secret"
/>
</ssl>
</server-identities>
</security-realm>
…
<server name="default-server">
<http-listener name="default"
socket-binding="http" redirect-socket="https"
enable-http2="true"/>
<https-listener name="https"
socket-binding="https" security-realm="UndertowRealm"
enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
...
3. my nginx configuration for keycloak is as below:
…
server {
listen 8443 ssl;
...
location /auth/ {
proxy_pass https://local_ip_a:8443/auth/
<https://local_ip_a:8443/auth/>;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
…
4. I set the fixed provide following this
<https://github.com/keycloak/keycloak-documentation/blob/6.0.1/server_admi...;:
<spi name="hostname">
<default-provider>request</default-provider>
<provider name="fixed" enabled="true">
<properties>
<property name="hostname"
value="public_ip_b"/>
<property name="httpPort" value="-1"/>
<property name="httpsPort"
value="-1"/>
</properties>
</provider>
</spi>
5. I was able to get the keycloak welcome page at https://public_ip_b:8443/auth/
<https://public_ip_b:8443/auth/>;, but when accessing
https://public_ip_b:8443/auth/admin <https://public_ip_b:8443/auth/admin>;, I was
redirected to https://public_ip_b:8443/auth/admin/master/console/
<https://public_ip_b:8443/auth/admin/master/console/> and then to the following
address:
https://local_ip_a:8443/auth/realms/master/protocol/openid-connect/auth?c...
<https://local_ip_a:8443/auth/realms/master/protocol/openid-connect/auth?c...
6. The keycloak message tells:
22:19:44,848 WARN [org.keycloak.events] (default task-16) type=LOGIN_ERROR,
realmId=master, clientId=security-admin-console, userId=null, ipAddress= local_ip_b,
error=invalid_redirect_uri,
redirect_uri=https://public_ip_b:8443/auth/admin/master/console/
<https://public_ip_b:8443/auth/admin/master/console/>
7. I tried to add https://public_ip_b:8443/auth/* <https://public_ip_b:8443/auth/*>
to security-admin-console setting, but got no luck…
<Screen Shot 2019-07-15 at 22.54.58.png>
2068
days inactive
2069
days old
1 comments
1 participants
participants (1)
-
Yang Yang