keycloak 17 behind nginx reverse proxy redirects admin console to port 443 instead of 8444


Describe the bug

Hi, I set up Keycloak 17 on Ubuntu 20.04 with openjdk-11-jre, reverse proxied by nginx 1.18.0. This setup is okay on the production https port 443, but when I try to change it and serve it on a different port, for example 8444, it doesn’t work and redirects to 443!

Version

17

Expected behavior

I expected it to redirect me to the nginx port which I was serving, 8444

Actual behavior

But it redirects me to port 443

How to Reproduce?

Download Keycloak 17 and install openjdk-11-jre & nginx 1.18.0 on Ubuntu 20.04. Create TLS certificates and run in production mode with these configurations.

# postgres server
db-url-host=10.10.10.10
db=postgres
db-username=keycloak
db-password=keycloak
hostname=key-test.xxxxxxxxx.ir
http-enabled=true
https-certificate-file=/etc/ssl/certs/pem.pem
https-certificate-key-file=/etc/ssl/private/key.key
https-port=8443
proxy=passthrough

and this Nginx configuration:

## 
map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}
upstream keykloack{
  server key-test.xxxxxxxxx.ir:8443;
}

server {
  listen 80;
  server_name key-test.xxxxxxxxx.ir;
  return 301 https://$server_name:8444$request_uri;
}

server {
  listen 8444 ssl http2;
  server_name  key-test.xxxxxxxxx.ir;

  ssl_certificate     /etc/ssl/certs/pem.pem;
  ssl_certificate_key /etc/ssl/private/key.key;

  error_page 497 https://$server_name:8444$request_uri;

  location / {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;
    proxy_pass https://keykloack;
  }
}

Anything else?

I looked for it in the documentation but didn’t find anything relative to s. Once again, thank you guys for help and support 😃

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 17 (2 by maintainers)

Top GitHub Comments

8 reactions
timoschlueter commented, Mar 31, 2022

I can confirm that 17.0.0 and 17.0.1 seem to work differently. On 17.0.1 we get the blank admin page with our configuration, but with 17.0.0 it works just fine. Is there a best practice configuration example for Keycloak 17.0.1 behind a reverse proxy (nginx in our case)?

6 reactions
sheinbergon commented, Jul 11, 2022

Breaking update!!! I got stuff working (finally)

These are my final environment variable definitions:

  KC_FEATURES: token-exchange,grained-authz
  KC_DB: postgres
  KC_DB_URL: jdbc:postgresql:/*****:5432/keycloak
  KC_DB_USERNAME: ****
  KC_DB_PASSWORD: ****
  KC_HTTP_ENABLED: true
  KC_HOSTNAME_STRICT_HTTPS: true
  KC_HOSTNAME: ******
  KEYCLOAK_ADMIN: keycloak
  KEYCLOAK_ADMIN_PASSWORD: ****

And I also changed the docker entrypoint by setting

entrypoint: ["/opt/keycloak/bin/kc.sh", "start" ,"--auto-build","--proxy","edge"]

Of course, I’m also forwarding all of the required headers from nginx.

So what’s broken:

  • KC_PROXY stopped working properly starting with 17.0.1. This is yet to be fixed. So be sure to specify the --proxy mode using the entrypoint.
  • When working with Nginx Reverse Proxy, specifying KC_HOSTNAME_PORT seems to break the deployment, so be sure it’s absent. See https://github.com/keycloak/keycloak/issues/11083
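
A way to check for the symptom discussed in this thread, as an added example that is not part of the original issue or of Keycloak's code: the functions compare the origin in a redirect `Location` header, and in an OIDC discovery document, against the public proxy origin. It goes slightly beyond the admin-console redirect by also checking the discovery endpoints; the hostname, realm and sample values are constructed.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample values; hostname and realm are placeholders.
PUBLIC = "https://sso.example.test:8444"
SAMPLE_LOCATION = "https://sso.example.test/admin/master/console/"
SAMPLE_DISCOVERY = {
    "issuer": "https://sso.example.test:8444/realms/master",
    "authorization_endpoint":
        "https://sso.example.test/realms/master/protocol/openid-connect/auth",
    "token_endpoint":
        "https://sso.example.test:8444/realms/master/protocol/openid-connect/token",
    "grant_types_supported": ["authorization_code"],
}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), port


def check_redirect(location, public_origin):
    """Return the origin a Location header points at if it is not the public one."""
    # Relative and scheme-relative redirects are resolved against the public origin.
    target = origin(urljoin(public_origin + "/", location))
    return None if target == origin(public_origin) else target


def check_discovery(doc, public_origin):
    """Return the discovery-document URLs that are not on the public origin."""
    want = origin(public_origin)
    return {
        key: value
        for key, value in doc.items()
        if isinstance(value, str)
        and value.startswith(("http://", "https://"))
        and origin(value) != want
    }


if __name__ == "__main__":
    print("redirect leaves public origin:", check_redirect(SAMPLE_LOCATION, PUBLIC))
    print("mismatched endpoints:", check_discovery(SAMPLE_DISCOVERY, PUBLIC))
```

In practice the inputs would be the `Location` header from a request through the proxy and the JSON served at the realm's `.well-known/openid-configuration` path.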