Keycloak Redirect url with nginx is going to http rather than https

Tags: nginx, jboss

Keycloak is using a reverse proxy with an nginx configuration to be available over SSL (https). Now I have deployed a .NET Core application in Ubuntu. This application is on http and is using Keycloak as the OpenID Connect provider for authentication.

However, when the application is hosted on https using nginx, Keycloak shows "invalid redirect uri" instead of the login page. The Keycloak login URL contains the redirect_uri parameter with http instead of https. Please help to resolve this. The configuration done in the nginx configuration file for the reverse proxy:

server {
    listen 443 ssl;
    server_name abc.ctech.com;

    ssl_certificate /etc/nginx/external/wildcard_ctech_com.pem;
    ssl_certificate_key /etc/nginx/external/private.rsa;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host abc.ctech.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://172.30.5.28:8001;
    }
}

#Keycloak Service
server {
    listen 443 ssl;
    server_name keycloak.ctech.com;

    ssl_certificate /etc/nginx/external/wildcard_ctech_com.pem;
    ssl_certificate_key /etc/nginx/external/private.rsa;

    location = / {
        return 301 https://keycloak.ctech.com/auth;
    }

    location /auth {
        proxy_pass http://172.30.5.28:8080/auth;

        proxy_http_version 1.1;
        proxy_set_header Host keycloak.ctech.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Atulya Nair asked Apr 03 '18 12:04
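The mechanism behind the symptom, as an added example that is not part of the question or either answer: an application behind nginx only learns that the outside scheme is https if it honours X-Forwarded-Proto from a trusted proxy; otherwise it builds redirect_uri from its own http listener, and a Keycloak client registered with https://abc.ctech.com/* rejects that value. The proxy address, trusted subnet, registered pattern and the /signin-oidc callback path are constructed assumptions; the header names and values mirror the nginx block above.

```python
from ipaddress import ip_address, ip_network

# Headers as the question's nginx block sets them (constructed dict).
PROXIED_HEADERS = {"Host": "abc.ctech.com", "X-Forwarded-Proto": "https",
                   "X-Forwarded-Port": "443"}
PROXY_ADDR = "172.30.5.1"                 # assumption: the nginx host
TRUSTED_PROXIES = ["172.30.5.0/24"]       # assumption: proxy subnet
REGISTERED = ["https://abc.ctech.com/*"]  # constructed client setting


def external_base_url(headers, remote_addr, trusted_proxies,
                      honour_forwarded=True, local_scheme="http"):
    """Base URL an app should build redirect_uri from.

    X-Forwarded-* is honoured only if honour_forwarded is on AND the direct
    peer is a trusted proxy, so an arbitrary client cannot spoof the scheme.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "localhost").split(":")[0]
    scheme, port = local_scheme, None
    peer = ip_address(remote_addr)
    if honour_forwarded and any(peer in ip_network(n) for n in trusted_proxies):
        scheme = h.get("x-forwarded-proto", scheme).split(",")[0].strip()
        port = int(h["x-forwarded-port"]) if "x-forwarded-port" in h else None
    default_port = {"http": 80, "https": 443}.get(scheme)
    suffix = "" if port in (None, default_port) else f":{port}"
    return f"{scheme}://{host}{suffix}"


def redirect_uri_allowed(redirect_uri, patterns):
    """Simplified Keycloak 'Valid Redirect URIs' check: exact match, or prefix
    match when the pattern ends in '*'. The scheme is part of the match, so
    an http:// redirect_uri never satisfies an https:// pattern."""
    return any(redirect_uri.startswith(p[:-1]) if p.endswith("*")
               else redirect_uri == p for p in patterns)


def build_redirect_uri(honour_forwarded, remote_addr=PROXY_ADDR):
    """What the app behind the proxy sends as redirect_uri (assumed path)."""
    base = external_base_url(PROXIED_HEADERS, remote_addr, TRUSTED_PROXIES,
                             honour_forwarded)
    return base + "/signin-oidc"


if __name__ == "__main__":
    for flag in (False, True):
        uri = build_redirect_uri(flag)
        verdict = "accepted" if redirect_uri_allowed(uri, REGISTERED) else "invalid redirect uri"
        print(f"honour forwarded headers={flag}: {uri} -> {verdict}")
```

Running it shows the http redirect_uri being rejected and the https one accepted; a request carrying the same headers from a non-proxy address is deliberately treated as plain http.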


2 Answers

I've been fighting with clustered keycloak in docker swarm mode for a long time now. Ubunter's answer is the same as in the docs, but doing that still didn't fix things for me.

What I had to do to make it work with the current jboss/keycloak:latest docker image (:9.0.3) was to use the environment variable KEYCLOAK_FRONTEND_URL.

Before adding that, it still kept issuing http URLs to the main /auth/js/keycloak.js?version=czy98 javascript:

    ...
    <!-- Libraries not managed by yarn -->
    <script src="/auth/resources/czy98/admin/keycloak/lib/angular/ui-bootstrap-tpls-0.11.0.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/angular/treeview/angular.treeview.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/fileupload/angular-file-upload.min.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/filesaver/FileSaver.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/ui-ace/min/ace.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/ui-ace/ui-ace.min.js"></script>

    <script src="http://my.server.name.here/auth/js/keycloak.js?version=czy98" type="text/javascript"></script>

    <script src="/auth/resources/czy98/admin/keycloak/js/app.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/realm.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/clients.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/users.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/groups.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/roles.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/loaders.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/services.js" type="text/javascript"></script>
    ...

It also generated http in the inline JavaScript:

    <script type="text/javascript">
        var authServerUrl = 'http://my.server.name.here/auth';
        var authUrl = 'http://my.server.name.here/auth';
        var consoleBaseUrl = '/auth/admin/master/console/';
        var resourceUrl = '/auth/resources/czy98/admin/keycloak';
        var masterRealm = 'master';
        var resourceVersion = 'czy98';
    </script>

This was despite X-Forwarded-Proto: https and the other required things in the standalone-ha.xml.

MattBianco answered Sep 19 '22 19:09


You need to proxy_pass to https://keycloak_address:8443/auth. Make sure you have that port open. The config below worked for me.

server {
    listen 80;
    server_name example.com;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location /auth {
        proxy_pass          https://keycloak_address:8443/auth;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
}
Peter answered Sep 18 '22 19:09