so I have a problem getting keycloak 3.2.1 to work behind kong (0.10.3), a reverse proxy based on nginx.
Scenario is:
I call keycloak via my gateway-route via https://{gateway}/auth
and it shows me the entrypoint with keycloak logo, link to admin console etc. - so far so good.
But when clicking on administration console -> calling https://{gateway}/auth/admin/master/console/
, keycloak tries to load its css/js via http (see screenie below), which my browser blocks because mixed content.
I searched around and found this thread: keycloak apache server configuration with 'Mixed Content' problems which lead to this github repo: https://github.com/dukecon/keycloak_postgres_https
From there on, I tried to integrate its' cli into my dockerfile with success (did not change the files' contents, just copied them into my repo and add/run them from dockerfile). This is my dockerfile right now:
FROM jboss/keycloak-postgres:3.2.1.Final USER root ADD config.sh /tmp/ ADD batch.cli /tmp/ RUN bash /tmp/config.sh #Give correct permissions when used in an OpenShift environment. RUN chown -R jboss:0 $JBOSS_HOME/standalone && \ chmod -R g+rw $JBOSS_HOME/standalone USER jboss EXPOSE 8080
Sadly, my problem still exists:
So I am out of ideas for now and hope you could help me out:
How do I tell keycloak to call its' css-files via https here?
do I have to change something in the cli script?
Here's the content of the script:
config.sh:
#!/bin/bash -x set -e JBOSS_HOME=/opt/jboss/keycloak JBOSS_CLI=$JBOSS_HOME/bin/jboss-cli.sh JBOSS_MODE=${1:-"standalone"} JBOSS_CONFIG=${2:-"$JBOSS_MODE.xml"} echo "==> Executing..." cd /tmp $JBOSS_CLI --file=`dirname "$0"`/batch.cli # cf. http://stackoverflow.com/questions/34494022/permissions-error-when-using-cli-in-jboss-wildfly-and-docker /bin/rm -rf ${JBOSS_HOME}/${JBOSS_MODE}/configuration/${JBOSS_MODE}_xml_history/current
and batch.cli:
embed-server --std-out=echo # http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html # 3.2.7.2. Enable SSL on a Reverse Proxy # First add proxy-address-forwarding and redirect-socket to the http-listener element. # Then add a new socket-binding element to the socket-binding-group element. batch /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true) /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https) /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443) run-batch stop-embedded-server
It may be of interest too, that kong is deployed on openshift with a route using a redirect from http to https ( "insecureEdgeTerminationPolicy": "Redirect" ).
This sounds somehow like a duplicate of Keycloak Docker behind loadbalancer with https fails
Set the request headers X-Forwarded-For
and X-Forwarded-Proto
in nginx. Then you have to configure Keycloak (Wildfly, Undertow) to work together with the SSL terminating reverse proxy (aka load balancer). See http://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy for a detailed description.
The point is that nginx is terminating SSL and is forwarding the requests to Keycloak as pure http. Therefore Keycloak/Wildfly must be told that the incoming http requests from nginx must be handled like they were https.
Add the X-Forwarded-For
and X-Forwarded-Proto
headers (as Boomer said) in all upstream load balancers and make sure those reach Keycloak server. X-Forwarded-For
should be the domain of your Keycloak which routes to the LB and X-Forwarded-Proto
should be the protocol (most of the cases https).
As a final step you need to modify standalone.xml
or standalone-ha.xml
file and add the proxy-address-forwarding="true"
attribute to <http-listener>
element under <server>
.
If you are using Docker you can use PROXY_ADDRESS_FORWARDING
environment var from the original Keycloak container to set this attribute.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With