Configure reverse-proxy for Keycloak docker with custom base URL

docker nginx keycloak

Solution 1:

Just tested that @home, and actually multiple configuration additions are needed:

1/ Run the keycloak container with env -e PROXY_ADDRESS_FORWARDING=true as explained in the docs, this is required in a proxy way of accessing to keycloak:

docker run -it --rm -p 8087:8080 --name keycloak -e PROXY_ADDRESS_FORWARDING=true jboss/keycloak:latest

Also explained in this SO question

2/ Change the web-context inside keycloak's configuration file $JBOSS_HOME/standalone/configuration/standalone.xml

Default keycloak configuration points to auth

<web-context>auth</web-context>

Then you could change it to keycloak/auth

<web-context>keycloak/auth</web-context>

If you need to automate this for docker, just create a new keycloak image :

FROM jboss/keycloak:latest

USER jboss

RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone.xml

3/ Add some proxy information to nginx configuration (mostly for http / https handling)

location /keycloak {
    proxy_pass http://example.com:8087;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

If you are proxying requests from nginx to keycloak on same server, I recommend using proxy_pass http://localhost:8087;, and if not try to use a private network to avoid proxying through external web requests.

Hope this helps

Solution 2:

The redirect from /keycloak to /keycloak/auth isn't working. The redirect route in index.html and Base-URL is missing the /keycloak part. I had to add this:

FROM jboss/keycloak:latest

USER jboss

RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone.xml
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone-ha.xml
RUN sed -i -e 's/name="\/"/name="\/keycloak\/"/' $JBOSS_HOME/standalone/configuration/standalone.xml
RUN sed -i -e 's/name="\/"/name="\/keycloak\/"/' $JBOSS_HOME/standalone/configuration/standalone-ha.xml
RUN sed -i -e 's/\/auth/\/keycloak\/auth/' $JBOSS_HOME/welcome-content/index.html
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/domain/configuration/domain.xml

Solution 3:

Building on @Francois Maturel's response: for the latest Keycloak (currently 4.8.x), I had to add an additional line to replace the web-context in standalone-ha.xml as well:

FROM jboss/keycloak:latest
USER jboss
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone.xml
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
RUN sed -i -e 's/\/auth/\/keycloak\/auth/' /opt/jboss/keycloak/welcome-content/index.html

The reason is that the docker-entrypoint.sh startup script will use standalone-ha.xml configuration in addition to standalone.xml unless the -c flag is passed. See here: https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/docker-entrypoint.sh

Solution 4:

i can also confirm that when using docker image keycloak 6.0.1 standalone-ha.xml file also needs to be changed using the sed command...

RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone.xml
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml

Solution 5:

In my case, I have an existing Keycloak (v8.0.1) on Docker, so I had to update the database as well.

  1. Launch Keycloak Docker container with the following environment variable:

    PROXY_ADDRESS_FORWARDING: 'true'

  2. Update the database. I'm using Postgres.

    psql -U keycloak -d keycloak

    update realm set ssl_required='NONE';

  3. Restart Keycloak

Example for Postgres DB, by Sairam Krish

Related

How do we use restful APIs from Excel macros (vba)?
adding .css file to ejs
Paint Pixels to Screen via Linux FrameBuffer
How to read the contents of an .sql file into an R script to run a query?
How to find the amount of free storage (disk space) left on Android? [duplicate]
Which recursive functions cannot be rewritten using loops? [duplicate]
Prevent iOS bounce without disabling scroll ability
What should be the optimal value for spark.sql.shuffle.partitions or how do we increase partitions when using Spark SQL?
Delphi: Understanding constructors
what is new() in Typescript?
Why use the Bitwise-Shift operator for values in a C enum definition?
AuthenticateRequest event