We are using Keycloak 2.0.0.Final installed behind a nginx proxy on a RedHat environment.

We are currently facing a problem with the Reset Password functionality which send an email with the internal server host instead of the external one in the action URL as we are behind a proxy.

I receive this by email: https://internal/auth/realms/MYREALM/login-actions/reset-credentials?code=wYhHP(...) but the end user should see https://external/auth/realms/MYREALM/login-actions/reset-credentials?code=wYhHP(...). The whole proxy settings work perfectly otherwise, it's basically an URL rewriting function.

I found this ticket relating a similar case but the solution isn't ideal: http://lists.jboss.org/pipermail/keycloak-user/2015-October/003428.html

Any hidden properties, settings we could use or solution to fix this issue?

Thanks

Nginx sets the emailed URL prefix from the contents of the Host header, so your nginx proxy needs to be configured to pass the Host header intact.

Something like this:

proxy_pass        <your internal keycloak URL or IP address>
...
proxy_set_header  Host            $host;
proxy_set_header  X-Real-IP       $remote_addr;
proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
... 

You may also need to set X-forwarded-proto if your internal URL is not https