Thanks to “raohammad”, I figured it out.
This setup is for the following flow:
[x509 certificate authentication]
[Nginx Docker container]
[Keycloak Docker container]
Client goes to → localhost:6001 (nginx docker port forwarder)
Docker Nginx forwards 6001 → 26001 (the port specified in the Nginx Config below)
Nginx forwards 26001 → localhost:6002 (keycloak docker port forwarder)
Docker keycloak forwards 6002 → 8080 (keycloak default http port)
The flow is complicated and weird, I know… but here are the steps I did to get it up:
- Docker run Keycloak (you can modify the image but I will use a raw keycloak image here)
docker run -p 6002:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e PROXY_ADDRESS_FORWARDING=true --name keycloak Quay
// Note that the “PROXY_ADDRESS_FORWARDING=true” is extremely important! This will apply the “https” to the URL of the “Administration Console” button
// Keycloak is now done and ready. No more work needs to be done.
- Create the NGINX config
server {
    listen 26001 ssl http2;
    listen [::]:26001 ssl http2;
    server_name localhost;
    # "ssl on;" is not needed (and is deprecated): "listen ... ssl" above already enables TLS
    ssl_certificate /PATH/TO/YOUR/CERT/HERE;
    ssl_certificate_key /PATH/TO/YOUR/KEY/HERE;
    include /opt/app-root/etc/nginx.d/verify-client.frag;
    location / {
        # proxy_pass needs a scheme; the Keycloak container is plain http on 6002
        proxy_pass http://host.docker.internal:6002;
        proxy_set_header Host $host:6001;
        # forward the client's address, not the host name
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header X-Frame-Options "";
    }
}
// Notice that I hard-coded the 6001; I am not an nginx-pro, but this attaches the “6001” port to the “Administration Console” button; if there is a better way to do it, I would like to hear it
// add_header X-Frame-Options ""; is to resolve the X-Frame-Options issue (my main one is set to SAMEORIGIN, but my application and nginx do not consist of the same port, thus it isn't same origin, thus I cannot perform Keycloak.init() in my frontend). This will allow it to work.
- Docker run the Nginx Container
- The end-user now goes to localhost:6001 and everything should work
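As an added check (not part of the original post), here is a small Python linter for the kind of server block above: it flags the settings that break Keycloak's PROXY_ADDRESS_FORWARDING behind a TLS-terminating nginx (a missing ";" after the cert lines, proxy_pass without a scheme, X-Forwarded-Proto/Host not forwarded, X-Forwarded-For set to $host). The two embedded configs are constructed samples, not the poster's files.

```python
import re

# Constructed sample: the block as first posted (no ';' after the cert lines,
# proxy_pass without a scheme, X-Forwarded-For carrying $host, deprecated "ssl on").
BROKEN = """server { listen 26001 ssl http2; server_name localhost; ssl on;
  ssl_certificate /PATH/TO/CERT
  ssl_certificate_key /PATH/TO/KEY
  location / { proxy_pass host.docker.internal:6002;
    proxy_set_header Host $host:6001; proxy_set_header X-Forwarded-For $host;
    proxy_set_header X-Forwarded-Proto $scheme; add_header X-Frame-Options ""; } }"""

# Constructed sample: the same block with those points corrected.
FIXED = """server { listen 26001 ssl http2; server_name localhost;
  ssl_certificate /PATH/TO/CERT; ssl_certificate_key /PATH/TO/KEY;
  location / { proxy_pass http://host.docker.internal:6002;
    proxy_set_header Host $host:6001; proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme; add_header X-Frame-Options ""; } }"""


def directives(conf):
    """Flatten an nginx config into (name, args) pairs; braces end a statement like ';' does."""
    body = re.sub(r"#.*", "", conf)  # drop comments
    out = []
    for stmt in re.split(r"[;{}]", body):
        parts = stmt.split(None, 1)
        if parts:
            out.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return out


def check_proxy_conf(conf):
    """Return a list of problems that would break Keycloak behind this reverse-proxy block."""
    problems, headers = [], {}
    ds = directives(conf)
    for name, args in ds:
        if "\n" in args:  # a directive swallowed the next line: a ';' is missing
            problems.append(f"missing ';' after '{name} {args.splitlines()[0]}'")
        if name == "ssl":
            problems.append("'ssl on' is deprecated; 'listen ... ssl' already enables TLS")
        if name == "proxy_set_header":
            header, _, value = args.partition(" ")
            headers[header.lower()] = value.strip()
    targets = [args for name, args in ds if name == "proxy_pass"]
    if not targets or not re.match(r"https?://", targets[0]):
        problems.append("proxy_pass needs a scheme, e.g. http://host.docker.internal:6002")
    if headers.get("x-forwarded-proto") not in ("$scheme", "https"):
        problems.append("X-Forwarded-Proto must be $scheme (or https) or Keycloak builds http URLs")
    if "host" not in headers:
        problems.append("Host is not forwarded; Administration Console links get the wrong host/port")
    if headers.get("x-forwarded-for") == "$host":
        problems.append("X-Forwarded-For carries $host instead of the client address ($remote_addr)")
    return problems
```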