Man I’m getting upset at this. I’m trying to stand up a new 26 server. I have Keycloak behind a Reverse Proxy handling TLS termination. Certs are valid. I set the HOSTNAME to DOMAIN.TLD and both Keycloak and Nginx containers can reach each other.
So why the hell am I getting “somethingwentwrong” every time I browse to https://DOMAIN.TLD:PORT? Nginx listens on PORT, translates it to 9443, but it isn’t working. proxy=xforwardedfor is set. HTTP enable is set. What is the damn magical combination I need to log in while behind a proxy?
I am new to keycloak. But try proxy-headers=xforwarded
Can you share how you generated your certs? I am trying to do it as well but get the haproxy error 502.
proxy-headers=xforwarded is set. This setup works on other Keycloak Servers in my lab.
Cert generation was creating a CSR via OpenSSL, then submitting the CSR to a cert authority for a return. The certs are tested and valid for this deployment, and the webpages load fine.
Ok, so pressing F12 to get the developer page actually gives a useful error for troubleshooting. This is first-time setup stuff - no realm import or application import or configuration done. “Fresh OOBE”.
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://<DOMAIN>.<TLD>/resources/master/admin/en. (Reason: CORS request did not succeed). Status code: (null).
Content-Security-Policy: The page’s settings blocked the loading of a resource (frame-src) at https://<DOMAIN>.<TLD>/realms/master/protocol/openid-connect/3p-cookies/step1.html because it violates the following directive: “frame-src 'self'”
Relevant Nginx config:
server {
    #root /var/www/html;
    listen 9443 ssl;
    server_name authenticator;
    server_tokens off;

    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
    add_header X-Robots-Tag "noindex nofollow nosnippet noarchive";

    include /etc/nginx/conf.d/ssl.conf;

    resolver 127.0.0.11 valid=30s;
    set $kcws "http://keycloak:8080";

    access_log /var/log/nginx/kc_access.log;
    error_log /var/log/nginx/kc_error.log;

    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Real-IP;
    real_ip_recursive on;

    error_page 301 400 401 402 403 404 500 502 503 504 =444 /444.html;

    location = /444.html {
        return 444;
    }

    location /realms/ {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        #proxy_set_header X-Forwarded-Port 9443;
        proxy_pass $kcws$request_uri;
    }

    location /resources/ {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        #proxy_set_header X-Forwarded-Port 9443;
        proxy_pass $kcws$request_uri;
    }

    location / {
        allow 10.0.0.0/8;
        deny all;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        #proxy_set_header X-Forwarded-Port 9443;
        proxy_pass $kcws$request_uri;
    }
}
I'm wondering if this is a header or x-header issue
Ok, ultimately not an Nginx error specifically. A port issue. In my Docker config, I was translating the incoming port to 9443 for Nginx, but this wasn’t the actual port I was using to access Keycloak, which was say 19943. As best as I can describe, the connection was not surviving the translation process.
Changing my Docker Compose file to PORT:PORT and updating the Nginx to listen to the outside port (19943) solved the issue.
Seems like setting X-Forwarded-Port to 19943 also fixes the issue.
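The CORS error in the thread is an origin mismatch: the browser is on https://DOMAIN.TLD:19943, while the resource URLs Keycloak built carry no port (https://<DOMAIN>.<TLD>/resources/...), and a browser origin is scheme + host + port. The Python below is an added model, not Keycloak's or nginx's own code: it reconstructs the external origin the way a proxy-aware backend typically does from X-Forwarded-Proto, Host/X-Forwarded-Host and X-Forwarded-Port, honouring those headers only when the request came from a trusted proxy; the proxy address, hostname and header values are constructed assumptions. Since nginx's $host variable strips the port, a Host of just `domain.tld` with no X-Forwarded-Port falls back to the scheme default of 443, which is exactly the thread's symptom.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed address of the nginx container; only its forwarded headers are trusted.
# Anything else could have written X-Forwarded-* itself, so those are ignored.
TRUSTED_PROXIES = {"172.18.0.2"}


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int


def external_origin(headers, peer_addr, local_scheme="http", local_port=8080):
    """Reconstruct the origin the browser used, from the headers the proxy sent."""
    h = {k.lower(): v for k, v in headers.items()}
    name, _, port_in_host = h.get("host", "").partition(":")
    if peer_addr not in TRUSTED_PROXIES:
        # Untrusted peer: believe only the connection we actually received.
        return Origin(local_scheme, name, int(port_in_host or local_port))
    scheme = h.get("x-forwarded-proto", local_scheme).lower()
    if "x-forwarded-host" in h:
        name, _, port_in_host = h["x-forwarded-host"].partition(":")
    if "x-forwarded-port" in h:
        port = int(h["x-forwarded-port"])
    elif port_in_host:
        port = int(port_in_host)
    else:
        # The trap from the thread: Host without a port means 443 for https.
        port = DEFAULT_PORTS[scheme]
    return Origin(scheme, name, port)


def same_origin(origin: Origin, browser_url: str) -> bool:
    """Same-origin check as a browser does it: scheme, host and port must all match."""
    u = urlsplit(browser_url)
    return (origin.scheme, origin.host, origin.port) == (
        u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme])


# Constructed sample values mirroring the thread's setup.
BROWSER_URL = "https://domain.tld:19943/admin/"
PROXY = "172.18.0.2"
# nginx sends Host=$host (port stripped) and leaves X-Forwarded-Port commented out.
BROKEN = {"Host": "domain.tld", "X-Forwarded-Proto": "https",
          "X-Forwarded-For": "203.0.113.5"}
# The fix from the thread: tell the backend the port the browser really used.
FIXED = dict(BROKEN, **{"X-Forwarded-Port": "19943"})
```

Run `external_origin(BROKEN, PROXY)` and `external_origin(FIXED, PROXY)` against `same_origin(..., BROWSER_URL)` to see the port-443 mismatch and the corrected match.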