Using Keycloak behind a reverse proxy: Could not open Admin loginpage because mixed Content

Question

so I have a problem getting keycloak 3.2.1 to work behind kong (0.10.3), a reverse proxy based on nginx.

Scenario is:

I call keycloak via my gateway-route via https://{gateway}/auth and it shows me the entrypoint with keycloak logo, link to admin console etc. - so far so good.

But when clicking on administration console -> calling https://{gateway}/auth/admin/master/console/ , keycloak tries to load its css/js via http (see screenie below), which my browser blocks because mixed content.

I searched around and found this thread: keycloak apache server configuration with 'Mixed Content' problems which lead to this github repo: https://github.com/dukecon/keycloak_postgres_https

From there on, I tried to integrate its' cli into my dockerfile with success (did not change the files' contents, just copied them into my repo and add/run them from dockerfile). This is my dockerfile right now:

FROM jboss/keycloak-postgres:3.2.1.Final  USER root  ADD config.sh /tmp/ ADD batch.cli /tmp/  RUN bash /tmp/config.sh  #Give correct permissions when used in an OpenShift environment. RUN chown -R jboss:0 $JBOSS_HOME/standalone && \     chmod -R g+rw $JBOSS_HOME/standalone  USER jboss EXPOSE 8080 

Sadly, my problem still exists:

So I am out of ideas for now and hope you could help me out:

• How do I tell keycloak to call its' css-files via https here?

• do I have to change something in the cli script?

Here's the content of the script:

config.sh:

#!/bin/bash -x  set -e  JBOSS_HOME=/opt/jboss/keycloak JBOSS_CLI=$JBOSS_HOME/bin/jboss-cli.sh JBOSS_MODE=${1:-"standalone"} JBOSS_CONFIG=${2:-"$JBOSS_MODE.xml"}  echo "==> Executing..." cd /tmp  $JBOSS_CLI --file=`dirname "$0"`/batch.cli  # cf. http://stackoverflow.com/questions/34494022/permissions-error-when-using-cli-in-jboss-wildfly-and-docker /bin/rm -rf ${JBOSS_HOME}/${JBOSS_MODE}/configuration/${JBOSS_MODE}_xml_history/current 

and batch.cli:

embed-server --std-out=echo  # http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html # 3.2.7.2. Enable SSL on a Reverse Proxy # First add proxy-address-forwarding and redirect-socket to the http-listener element. # Then add a new socket-binding element to the socket-binding-group element.  batch  /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)  /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)  /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)  run-batch  stop-embedded-server 

It may be of interest too, that kong is deployed on openshift with a route using a redirect from http to https ( "insecureEdgeTerminationPolicy": "Redirect" ).

Answer 1

This sounds somehow like a duplicate of Keycloak Docker behind loadbalancer with https fails

Set the request headers X-Forwarded-For and X-Forwarded-Proto in nginx. Then you have to configure Keycloak (Wildfly, Undertow) to work together with the SSL terminating reverse proxy (aka load balancer). See http://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy for a detailed description.

The point is that nginx is terminating SSL and is forwarding the requests to Keycloak as pure http. Therefore Keycloak/Wildfly must be told that the incoming http requests from nginx must be handled like they were https.

Answer 2

Add the X-Forwarded-For and X-Forwarded-Proto headers (as Boomer said) in all upstream load balancers and make sure those reach Keycloak server. X-Forwarded-For should be the domain of your Keycloak which routes to the LB and X-Forwarded-Proto should be the protocol (most of the cases https).

As a final step you need to modify standalone.xml or standalone-ha.xml file and add the proxy-address-forwarding="true" attribute to <http-listener> element under <server>.

If you are using Docker you can use PROXY_ADDRESS_FORWARDING environment var from the original Keycloak container to set this attribute.