I'm trying to set up Keycloak on a root server but I cannot access the admin console from the internet. I've installed the Keycloak server and put it behind an nginx reverse proxy on the same machine. I've set up a Let's Encrypt cert for the domain. I've also set up the admin user for Keycloak via script.
When I visit the server with its domain https://<my-domain> I'm forwarded to https://<my-domain>/auth and there is the Keycloak welcome page with a link to "Administration Console". This link points to https://<my-domain>/admin but shows a 404.
At first I thought this might be a problem with nginx so I followed the guide in the docs to set up a load-balancer (https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy). There, under "Verify Configuration" it tells you to open the path https://<my-domain>/auth/realms/master/.well-known/openid-configuration which works as expected and I get a JSON file with several links and other information in it. However, none of those links work - all give me a 404.
When I try https://<my-domain>/auth/realms/master I get a JSON response.
So some links do work, so I think it's not a problem with nginx but with Keycloak itself.
So the basic question is: How do I configure Keycloak so that I can access the admin console via the internet? I've read that by default you can only access it on localhost but there must be a way to overwrite this default?
The relevant nginx config:
    upstream keycloak {
        server 127.0.0.1:8080;
    }
    server {
        listen 443 ssl http2;
        # some ssl configuration for letsencrypt
        location / {
            proxy_pass http://keycloak;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
Some parts in keycloak/standalone/configuration/standalone.xml that I've edited:
    <subsystem xmlns="urn:jboss:domain:undertow:10.0" ...>
        ...
        <server name="default-server">
            <http-listener name="default"
                           socket-binding="http"
                           redirect-socket="proxy-https"
                           enable-http2="true"
                           proxy-address-forwarding="true" />
            ...
        </server>
        ...
    </subsystem>
    ...
    <interfaces>
        <interface name="management">
            <any-address />
        </interface>
        <interface name="public">
            <any-address />
        </interface>
    </interfaces>
    <socket-binding-group name="standard-sockets" ...>
        ...
        <socket-binding name="proxy-https" port="443" />
        ...
    </socket-binding-group>
EDIT
I was able to fix it. The problem was that Keycloak was redirecting the initial page from https://<my-domain>/ to https://<my-domain>/auth but then in all other links this additional /auth was missing. So the admin link was pointing to https://<my-domain>/admin/master/console without the /auth part and this page didn't exist. When I manually typed the URL with /auth in it I got a page with a "loading.." message, but all style and JavaScript files linked were also missing the /auth part in their URLs so nothing was working.
To fix this I have now changed in standalone.xml the line <web-context>auth</web-context> to <web-context>/</web-context> and now everything behaves as expected. There is no redirecting anymore at the start page and all links work without the /auth part in them.
However, it would be interesting to know why it wasn't working in the first place and how one would solve this if the /auth redirection was intended.
To access the admin console, open http://localhost:8080/auth/admin/ in a browser. You will be redirected to the Keycloak login pages, where you can log in with the admin username and password you created in the previous section while installing Keycloak.
Note: The default user name for the Keycloak administrator is admin. The password is randomly generated when the software is installed. To see the password, find KEYCLOAK_ADMIN_SECRET in the .
You helped me solve my issue. I was setting the Java system property keycloak.frontendUrl (or env KEYCLOAK_FRONTEND_URL), and apparently it wants a full URL, not just the hostname. Appending /auth fixed my redirect problems.
It looks like keycloak.hostname.fixed.hostname (KEYCLOAK_HOSTNAME) may also cause problems if /auth isn't appended.
See docs for details on the hostname provider here: https://www.keycloak.org/docs/latest/server_installation/index.html#hostname
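A check for the symptom described in the question and in the frontendUrl answer above, as an added example that is not part of the original posts: it parses a discovery document and flags every advertised URL that is not under the expected public base (wrong scheme, wrong host, or missing /auth context path). The host sso.example.test, the name check_discovery and the sample document are constructed for illustration, and it assumes every endpoint URL lives below the realm issuer.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: what /realms/master/.well-known/openid-configuration could
# look like when the frontend URL, proxy headers and context path disagree.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://sso.example.test/realms/master",
    "authorization_endpoint":
        "https://sso.example.test/realms/master/protocol/openid-connect/auth",
    "token_endpoint":
        "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token",
    "userinfo_endpoint":
        "https://keycloak.internal:8443/auth/realms/master/protocol/openid-connect/userinfo",
    "jwks_uri":
        "https://sso.example.test/auth/realms/master/protocol/openid-connect/certs",
    "response_types_supported": ["code"],
})


def check_discovery(doc_json, frontend_url, realm="master"):
    """Return {field: reason} for each advertised URL outside the expected issuer.

    reason is "scheme" (forwarded proto not honoured), "host" (backend address
    leaking to clients) or "path" (context path such as /auth missing or extra).
    """
    expected_issuer = f"{frontend_url.rstrip('/')}/realms/{realm}"
    want = urlsplit(expected_issuer)
    problems = {}
    for field, value in json.loads(doc_json).items():
        if not isinstance(value, str):
            continue  # lists of supported algorithms, booleans, nested objects
        got = urlsplit(value)
        if got.scheme not in ("http", "https"):
            continue  # plain string values, not URLs
        if got.scheme != want.scheme:
            problems[field] = "scheme"
        elif got.netloc != want.netloc:
            problems[field] = "host"
        elif field == "issuer" and value != expected_issuer:
            problems[field] = "path"
        elif field != "issuer" and not value.startswith(expected_issuer + "/"):
            problems[field] = "path"
    return problems


if __name__ == "__main__":
    for field, reason in check_discovery(
            SAMPLE_DISCOVERY, "https://sso.example.test/auth").items():
        print(f"{field}: {reason} mismatch")
```

An empty result means every URL handed to clients agrees with the public base; any "host" or "scheme" entry also means an internal address or plain-HTTP endpoint is being advertised to relying parties.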
I had the same issue with Keycloak instances behind an nginx reverse proxy in my Kubernetes cluster. I fixed it by setting the env PROXY_ADDRESS_FORWARDING to true:
    PROXY_ADDRESS_FORWARDING=true