Configure reverse-proxy for Keycloak docker with custom base URL
How can I set the docker keycloak base url as parameter ?
I have the following nginx reverse proxy configuration:
server {
listen 80
-
Just tested that @home, and actually multiple configuration additions are needed:
1/ Run the keycloak container with env -e PROXY_ADDRESS_FORWARDING=true as explained in the docs, this is required in a proxy way of accessing to keycloak:
docker run -it --rm -p 8087:8080 --name keycloak -e PROXY_ADDRESS_FORWARDING=true jboss/keycloak:latestAlso explained in this SO question
2/ Change the web-context inside keycloak's configuration file
$JBOSS_HOME/standalone/configuration/standalone.xmlDefault keycloak configuration points to
auth<web-context>auth</web-context>Then you could change it to
keycloak/auth<web-context>keycloak/auth</web-context>If you need to automate this for docker, just create a new keycloak image :
FROM jboss/keycloak:latest USER jboss RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone.xml3/ Add some proxy information to nginx configuration (mostly for http / https handling)
location /keycloak { proxy_pass http://example.com:8087; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; }If you are proxying requests from nginx to keycloak on same server, I recommend using
proxy_pass http://localhost:8087;, and if not try to use a private network to avoid proxying through external web requests.Hope this helps
讨论(0) -
In my case, I have an existing Keycloak (v8.0.1) on Docker, so I had to update the database as well.
Launch Keycloak Docker container with the following environment variable:
PROXY_ADDRESS_FORWARDING: 'true'
Update the database. I'm using Postgres.
psql -U keycloak -d keycloak
update realm set ssl_required='NONE';
Restart Keycloak
Example for Postgres DB, by Sairam Krish
讨论(0) -
Building on @Francois Maturel's response: for the latest Keycloak (currently 4.8.x), I had to add an additional line to replace the
web-contextinstandalone-ha.xmlas well:FROM jboss/keycloak:latest USER jboss RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone.xml RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xmlThe reason is that the
docker-entrypoint.shstartup script will usestandalone-ha.xmlconfiguration in addition tostandalone.xmlunless the-cflag is passed. See here: https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/docker-entrypoint.sh讨论(0) -
i can also confirm that when using docker image keycloak 6.0.1 standalone-ha.xml file also needs to be changed using the sed command...
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone.xml RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml讨论(0) -
The redirekt from "/keycloak" to "/keycloak/auth" isnt working. The Redirekt Route in index.html and Base-URL is missing the "/keycloak" part. I had to add this:
FROM jboss/keycloak:latest USER jboss RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone.xml RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone-ha.xml RUN sed -i -e 's/name="\/"/name="\/keycloak\/"/' $JBOSS_HOME/standalone/configuration/standalone.xml RUN sed -i -e 's/name="\/"/name="\/keycloak\/"/' $JBOSS_HOME/standalone/configuration/standalone-ha.xml RUN sed -i -e 's/\/auth/\/keycloak\/auth"/' $JBOSS_HOME/welcome-content/index.html讨论(0)
加载中...
- 热议问题