Admin console does not work with reverse proxy
Describe the bug
With a past Keycloak version (16.1.1), I was able to proxy everything Keycloak related (/admin, /auth) under the path /keycloak on my host. I currently struggle to achieve the same with 18.0.
Version
18.0
Expected behavior
I expect that /admin can be proxied under a path (e.g., /keycloak) on my host as before.
Actual behavior
Attempt 1: Use --hostname-path
I start Keycloak with kc.sh start proxy=edge --hostname-path=keycloak --http-enabled=true and set the hostname via ENV KC_HOSTNAME. My reverse proxy config is /keycloak -> http://local-keycloak:8080. Navigating to /keycloak shows the landing page and, e.g., resources are correctly loaded from /keycloak/resources as expected. However, the href emitted for the admin console link does not honor the provided hostname-path and points to /admin on my host. Navigating manually to /keycloak/admin/master/console/ yields a broken page as the resources are now loaded from /resources on my host, which is quite strange as on the login page the --hostname-path was honored.
Attempt 2: Use --http-relative-path
I build Keycloak with --http-relative-path=keycloak and start Keycloak with kc.sh start proxy=edge --http-enabled=true and set the hostname via ENV KC_HOSTNAME. Reverse proxy setting is now /keycloak -> http://local-keycloak:8080/keycloak. Again, navigating to /keycloak shows the landing page and, e.g., resources are correctly loaded from /keycloak/resources as expected. Clicking on the admin console redirects me to /keycloak/admin/master/console/, but now the page is white and starts refreshing every couple of seconds.
How to Reproduce?
Please refer to this repo I created to reproduce the problem.
Anything else?
While searching around, a couple of people suggested using --hostname-admin, but this gives me an unknown option error.
I see two ways to work around this:
- I go with attempt 1 and proxy /admin etc. on my host to the container; however, this would make using the /keycloak path in the first place kind of useless.
- I move Keycloak to a dedicated subdomain, e.g., auth.example.org, and do not rely on proxied paths altogether, but this would require a couple of changes in production, which I would really like to avoid.
Issue Analytics
- State:
- Created a year ago
- Reactions:2
- Comments:20 (6 by maintainers)
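The symptom reported above (links and assets emitted outside the proxied path) can be checked mechanically before a proxied deployment goes live. The following is an added example, not part of the original issue or of Keycloak's code; the sample HTML is constructed to mirror the report, and the names UrlCollector and escaping_urls are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages (not real Keycloak output), modelled on the report:
# the landing page links to /admin, the console loads assets from /resources.
LANDING = """<link rel="stylesheet" href="/keycloak/resources/x/welcome.css">
<a href="/admin/">Administration Console</a>
<a href="https://www.keycloak.org/documentation">Documentation</a>"""
CONSOLE = """<base href="/keycloak/admin/master/console/">
<script src="/resources/x/admin/app.js"></script>
<link rel="stylesheet" href="css/styles.css">"""


class UrlCollector(HTMLParser):
    """Collect (tag, url) for href/src/action attributes; remember <base href>."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("href", "src", "action") or not value:
                continue
            if tag == "base":
                self.base = self.base or value   # first <base> wins
            else:
                self.urls.append((tag, value))


def escaping_urls(page_url, html, prefix):
    """Return (tag, path) for same-origin URLs whose path is outside prefix."""
    collector = UrlCollector()
    collector.feed(html)
    base = urljoin(page_url, collector.base or "")
    origin = urlsplit(page_url)[:2]              # (scheme, host)
    prefix = "/" + prefix.strip("/")
    escaped = []
    for tag, raw in collector.urls:
        target = urlsplit(urljoin(base, raw))
        if target[:2] != origin:
            continue                             # other origins are not behind this proxy path
        path = target.path or "/"
        if path != prefix and not path.startswith(prefix + "/"):
            escaped.append((tag, path))
    return escaped


if __name__ == "__main__":
    root = "https://example.org/keycloak/"
    print(escaping_urls(root, LANDING, "keycloak"))
    print(escaping_urls(root + "admin/master/console/", CONSOLE, "keycloak"))
```

Any entry in the result is a request that the /keycloak proxy rule will not forward, which on a shared host means the admin console path is either broken or served by whatever else answers at that location.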
Problem solved for me after removing the KC_HOSTNAME_PORT=443 variable from the config:
It now works both in http and https.
This is weird as when calling https://localhost/auth the port is by default 443, which clearly matches the value of KC_HOSTNAME_PORT. So I don’t understand why setting explicitly KC_HOSTNAME_PORT=443 is a problem.
@JonasCir Created https://github.com/keycloak/keycloak/issues/12506.