Answer a question

How do you correctly configure NGINX as a proxy in front of Keycloak?

Asking & answering this as doc because I've had to do it repeatedly now and forget the details after a while.

This is specifically dealing with the case where Keycloak is behind a reverse proxy e.g. nginx and NGINX is terminating SSL and pushing to Keycloak. This is not the same issue as keycloak Invalid parameter: redirect_uri although it produces the same error message.

Answers

The key to this is in the docs at https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses

The proxy-address-forwarding must be set as well as the various X-... headers.

If you're using the Docker image from https://hub.docker.com/r/jboss/keycloak/ then set the env. arg -e PROXY_ADDRESS_FORWARDING=true.

server {
  server_name api.domain.com;

  location /auth {
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;

    proxy_pass          http://localhost:8080;
    proxy_read_timeout  90;

 }

  location / {
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;

    proxy_pass          http://localhost:8081;
    proxy_read_timeout  90;
  }



    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/api.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/api.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = api.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  server_name api.domain.com;
    listen 80;
    return 404; # managed by Certbot
}

If you're using another proxy the important parts of this is the headers that are being set:

proxy_set_header        Host $host;
proxy_set_header        X-Real-IP $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header        X-Forwarded-Proto $scheme;

Apache, ISTIO and others have their own means of setting these.

# nginx
Logo
开发云

开发云社区提供前沿行业资讯和优质的学习知识,同时提供优质稳定、价格优惠的云主机、数据库、网络、云储存等云服务产品

更多推荐

负载均衡/路由一个使用socketio和flask制作的应用

问题:负载均衡/路由一个使用socketio和flask制作的应用 在部署 Web 应用程序方面,我有点菜鸟,我想确保我正在构建的一个小应用程序能够与我正在尝试使用的技术一起使用。 我对烧瓶有一些经验,但只使用过测试服务器。我的理解是,使用 nginx 或 apache,如果我编写一个烧瓶应用程序,每个访问我的网站的用户都可以获得一个烧瓶应用程序的不同实例,具体如何工作让我有点困惑。 我想做的应用

avatar 开发云

Nginx 重写规则没有按预期工作

问题:Nginx 重写规则没有按预期工作 我有一个网站https://dev.mywebsite.com/index.php?album=portraits,它根据 POST 值动态显示相册。 我想将此 URL 重写为:https://dev.mywebsite.com/portraits 但是我的 Nginx 重写规则不起作用。当我输入https://dev.mywebsite.com/inde

avatar 开发云

MySQL远程时缓存如何工作?

问题:MySQL远程时缓存如何工作? 我一直在使用 PHP 5.6 进行旧电子商务应用程序的服务器迁移。 切换涉及来自 Linode 的两台 Dedicated 32 服务器。 一台服务器用于 NginX + PHP,另一台仅用于 MySQL。 遗留应用程序利用 memcached。 切换后,我可以看到由于私有入站和出站连接导致的大量内部流量。 到目前为止,这个元素没有对性能造成任何问题。 但是,

avatar 开发云