Nginx – Keycloak Redirect url with nginx is going to http rather than https


Keycloak is using a reverse proxy with nginx configuration to be available over SSL (https).
Now I have deployed a .NET Core application on Ubuntu.
This application is on http and is using Keycloak as OpenID Connect for authentication.

However, when the application is hosted on https using nginx, Keycloak shows an invalid redirect URL instead of the login page.
The Keycloak login page URL contains the redirect_uri parameter with http instead of https. Please help to resolve this.
Configuration done in the nginx configuration file for the reverse proxy:

    server {
        listen 443 ssl;
        server_name abc.ctech.com;
        ssl_certificate /etc/nginx/external/wildcard_ctech_com.pem;
        ssl_certificate_key /etc/nginx/external/private.rsa;

        location / {
            proxy_http_version 1.1;
            proxy_set_header Host abc.ctech.com;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://172.30.5.28:8001;
        }
    }

    # Keycloak Service
    server {
        listen 443 ssl;
        server_name keycloak.ctech.com;
        ssl_certificate /etc/nginx/external/wildcard_ctech_com.pem;
        ssl_certificate_key /etc/nginx/external/private.rsa;

        location = / {
            return 301 https://keycloak.ctech.com/auth;
        }

        location /auth {
            proxy_pass http://172.30.5.28:8080/auth;
            proxy_http_version 1.1;
            proxy_set_header Host keycloak.ctech.com;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

Best Answer

I've been fighting with clustered keycloak in docker swarm mode for a long time now. Ubunter's answer is the same as in the docs, but doing that still didn't fix things for me.

What I had to do to make it work with the current jboss/keycloak:latest docker image (:9.0.3) was to use the environment variable KEYCLOAK_FRONTEND_URL.

Before adding that, it still kept issuing http URLs to the main /auth/js/keycloak.js?version=czy98 javascript:

...
    <!-- Libraries not managed by yarn -->
    <script src="/auth/resources/czy98/admin/keycloak/lib/angular/ui-bootstrap-tpls-0.11.0.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/angular/treeview/angular.treeview.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/fileupload/angular-file-upload.min.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/filesaver/FileSaver.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/ui-ace/min/ace.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/ui-ace/ui-ace.min.js"></script>

    <script src="http://my.server.name.here/auth/js/keycloak.js?version=czy98" type="text/javascript"></script>

    <script src="/auth/resources/czy98/admin/keycloak/js/app.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/realm.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/clients.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/users.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/groups.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/roles.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/loaders.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/services.js" type="text/javascript"></script>
...

It also generated http in the inline javascript:

    <script type="text/javascript">
        var authServerUrl = 'http://my.server.name.here/auth';
        var authUrl = 'http://my.server.name.here/auth';
        var consoleBaseUrl = '/auth/admin/master/console/';
        var resourceUrl = '/auth/resources/czy98/admin/keycloak';
        var masterRealm = 'master';
        var resourceVersion = 'czy98';
    </script>

Despite X-Forwarded-Proto: https and the other required things in the standalone-ha.xml.
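A check for the two symptoms shown on this page, an http redirect_uri in the Keycloak login URL and http URLs in the admin console HTML, useful for confirming a proxy or frontend-URL change took effect. This is an added example, not code from the question or the answer; the hostnames, realm and client in the sample inputs are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs; hostnames, realm and client are placeholders.
SAMPLE_LOGIN_URL = (
    "https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/auth"
    "?client_id=demo-app&redirect_uri=http%3A%2F%2Fapp.example.test%2Fsignin-oidc")
SAMPLE_CONSOLE_HTML = """
<script src="/auth/resources/x/admin/keycloak/js/app.js"></script>
<script src="http://keycloak.example.test/auth/js/keycloak.js?version=x"></script>
<script type="text/javascript">
    var authServerUrl = 'http://keycloak.example.test/auth';
    var consoleBaseUrl = '/auth/admin/master/console/';
</script>"""

def insecure_redirect_uri(login_url):
    """Return the decoded redirect_uri if its scheme is not https, else None."""
    for value in parse_qs(urlsplit(login_url).query).get("redirect_uri", []):
        if urlsplit(value).scheme.lower() != "https":
            return value
    return None

class ScriptCollector(HTMLParser):
    # Collects script src attributes and the text of inline scripts.
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        self._in_inline = tag == "script" and src is None
        if src:
            self.sources.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self.inline.append(data)

def insecure_console_urls(html):
    """Return http:// URLs in script src attributes and inline JS string literals."""
    collector = ScriptCollector()
    collector.feed(html)
    found = [s for s in collector.sources if s.lower().startswith("http://")]
    found += re.findall(r"""['"](http://[^'"]+)['"]""", "".join(collector.inline))
    return found
```

Relative paths such as /auth/resources/... are not reported, since the browser resolves them against the https page origin; only absolute http:// URLs are flagged.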
