Configure reverse-proxy for Keycloak docker with c

2019-03-11 04:11发布

站内问答 / Docker
1104 2 4

How can I set the docker keycloak base url as parameter ?

I have the following nginx reverse proxy configuration:

server {
    listen 80;
    server_name example.com;

    location /keycloak {
        proxy_pass http://example.com:8087/;
    }
}

When I try to access http://example.com/keycloak/ I got a keycloak http redirect to http://example.com/auth/ instead of http://example.com/keycloak/auth/

Any ideas?

2条回答
成全新的幸福
2楼-- · 2019-03-11 04:40

Just tested that @home, and actually multiple configuration additions are needed:

1/ Run the keycloak container with env -e PROXY_ADDRESS_FORWARDING=true as explained in the docs, this is required in a proxy way of accessing to keycloak:

docker run -it --rm -p 8087:8080 --name keycloak -e PROXY_ADDRESS_FORWARDING=true jboss/keycloak:latest

Also explained in this SO question

2/ Change the web-context inside keycloak's configuration file $JBOSS_HOME/standalone/configuration/standalone.xml

Default keycloak configuration points to auth

<web-context>auth</web-context>

Then you could change it to keycloak/auth

<web-context>keycloak/auth</web-context>

If you need to automate this for docker, just create a new keycloak image :

FROM jboss/keycloak:latest

USER jboss

RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone.xml

3/ Add some proxy information to nginx configuration (mostly for http / https handling)

location /keycloak {
    proxy_pass http://example.com:8087;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

If you are proxying requests from nginx to keycloak on same server, I recommend using proxy_pass http://localhost:8087;, and if not try to use a private network to avoid proxying through external web requests.

Hope this helps

查看更多
0人赞 添加讨论(0) 举报
劫难
3楼-- · 2019-03-11 04:53

Building on @Francois Maturel's response: for the latest Keycloak (currently 4.8.x), I had to add an additional line to replace the web-context in standalone-ha.xml as well:

FROM jboss/keycloak:latest
USER jboss
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone.xml
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml

The reason is that the docker-entrypoint.sh startup script will use standalone-ha.xml configuration in addition to standalone.xml unless the -c flag is passed. See here: https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/docker-entrypoint.sh

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)