Hello,
I am trying to make keycloak work behind a Nginx proxy with HTTPS, but got an redirect
issue. Could you help to shed some light?
1. keycloak in standalone mode is installed on local_ip_a and public_ip_a, while Nginx is
on local_ip_b and public_ip_b. local_ip_a and local_ip_b are in the same subnet.
2. keycloak works fine with https when I reach it with local_ip_a or public_ip_a,
following guide here
<
https://www.keycloak.org/docs/6.0/server_installation/index.html#enabling...
...
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="keycloak.jks"
relative-to="jboss.server.config.dir" keystore-password="secret"
/>
</ssl>
</server-identities>
</security-realm>
…
<server name="default-server">
<http-listener name="default" socket-binding="http"
redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https"
security-realm="UndertowRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
...
3. my nginx configuration for keycloak is as below:
…
server {
listen 8443 ssl;
...
location /auth/ {
proxy_pass
https://local_ip_a:8443/auth/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
…
4. I set the fixed provide following this
<
https://github.com/keycloak/keycloak-documentation/blob/6.0.1/server_admi...;:
<spi name="hostname">
<default-provider>request</default-provider>
<provider name="fixed" enabled="true">
<properties>
<property name="hostname"
value="public_ip_b"/>
<property name="httpPort" value="-1"/>
<property name="httpsPort" value="-1"/>
</properties>
</provider>
</spi>
5. I was able to get the keycloak welcome page at
https://public_ip_b:8443/auth/, but when
accessing
https://public_ip_b:8443/auth/admin, I was redirected to
https://public_ip_b:8443/auth/admin/master/console/ and then to the following address:
https://local_ip_a:8443/auth/realms/master/protocol/openid-connect/auth?c...
6. The keycloak message tells:
22:19:44,848 WARN [org.keycloak.events] (default task-16) type=LOGIN_ERROR,
realmId=master, clientId=security-admin-console, userId=null, ipAddress= local_ip_b,
error=invalid_redirect_uri,
redirect_uri=https://public_ip_b:8443/auth/admin/master/console/
7. I tried to add
https://public_ip_b:8443/auth/* to security-admin-console setting, but
got no luck…