Keycloak v24 to v26 migration problems

I am trying to migrate my docker script for KC to a newer version and keep getting problems.

I saw there are some changes regarding the "PROXY" config, because I am running an nginx reverse proxy, but I still haven't been able to make it work… Any tips on what all I need to change?

I am also getting:
Key material not provided to setup HTTPS. Please configure your keys/certificates or start the server in development mode
and because I run a reverse proxy in front of it, how best to approach this?

This is my script:

# Password quoted: an unquoted "!!" is history-expanded by interactive bash.
docker run -p 8282:8080 \
--name kcdev \
-e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
-e KC_BOOTSTRAP_ADMIN_PASSWORD=pass \
-e KC_PROXY_HEADERS=xforwarded \
-e KC_HOSTNAME=dev.example.io \
-e KC_DB=mysql \
-e KC_DB_URL="jdbc:mysql://ip:3306/db" \
-e KC_DB_USERNAME=dbuser \
-e KC_DB_PASSWORD='pass!!!' \
-d quay.io/keycloak/keycloak:26.0.2 start \
--hostname=dev.example.io

try adding:

... --http-enabled=true --http-port=8080 --http-host=0.0.0.0 

Thanks for the response!

I’ve tried like:

# Every line inside the command needs a trailing backslash; without one after
# --hostname the shell runs the remaining --http-* lines as separate commands.
docker run -p 8282:8080 \
--name kcdev \
-e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
-e KC_BOOTSTRAP_ADMIN_PASSWORD=passhere \
-e KC_PROXY_HEADERS=xforwarded \
-e KC_HOSTNAME=dev.example.io \
-e KC_DB=mysql \
-e KC_DB_URL="jdbc:mysql://ip:3306/db" \
-e KC_DB_USERNAME=dbuser \
-e KC_DB_PASSWORD='pass!!!' \
-d quay.io/keycloak/keycloak:26.0.2 start \
--hostname=dev.example.io \
--http-enabled=true \
--http-port=8080 \
--http-host=0.0.0.0

and still got the same error. Even with

# The documented variable names are KC_HTTPS_CERTIFICATE_FILE and
# KC_HTTPS_CERTIFICATE_KEY_FILE; the files must exist at these paths inside the container.
-e KC_HTTPS_CERTIFICATE_FILE=/etc/nginx/ssl/cert.pem \
-e KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/nginx/ssl/certkey.pem \

same error.

Check the reverse-proxy and edge-TLS section here: Configuring the hostname (v2) - Keycloak

You probably want the hostname specified as a full URL (https://…) and make sure that your reverse proxy sets all needed X-Forwarded-… headers correctly.

Running production Keycloak behind a reverse proxy requires 4 main env parameters to be provided:
  • KC_PROXY_HEADERS=xforwarded
  • PROXY_ADDRESS_FORWARDING=true
  • KC_HTTP_ENABLED=true
  • KC_HOSTNAME=myapp.com

Using these should make it work. These are currently working on my Keycloak deployment of version 26.0.5.

Make sure you don't miss out on providing the KC_HOSTNAME env variable (I know I did and spent some time banging my head around :P)

Making this claim as a general statement is not correct. Perhaps these are the proper values for YOUR environment, but not generally. As is mostly the case, it depends!

  • KC_PROXY_HEADERS might be forwarded or xforwarded, depending on what the reverse proxy sends. Nginx can be configured to send either one.
  • PROXY_ADDRESS_FORWARDING is NOT a valid Keycloak environment variable. No, not even though many Medium blog posts mention it. This is wrong.
  • KC_HTTP_ENABLED: what if the reverse proxy should only talk to Keycloak via HTTPS? Then this is wrong.
  • KC_HOSTNAME is not necessary for Keycloak to work properly behind a reverse proxy. Whether it is required also depends on other configuration.

So, unfortunately using YOUR config as a general config is probably not the best solution. Sorry to say that.
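Added example, not code from the thread or from the Keycloak project, tying together the two replies above (hostname as a full URL plus correct X-Forwarded headers; the right options depend on the TLS layout). It renders the nginx proxy stanza and the matching docker run for two layouts: "edge" (TLS ends at nginx, plain HTTP to Keycloak) and "reencrypt" (HTTPS again between nginx and Keycloak). The hostname and image tag are taken from the thread; the ports, the /srv/kc-tls mount, the DB URL, the placeholder passwords and PROXY_ADDR are assumptions to be replaced for your environment.

```shell
#!/bin/sh
# Added example (not from the thread). Prints (a) the nginx proxy stanza that sets the
# X-Forwarded-* headers Keycloak reads with --proxy-headers=xforwarded and (b) the
# `docker run` that matches a given TLS layout. All values below are placeholders.

KC_HOST="dev.example.io"                      # hostname used in the thread
KC_IMAGE="quay.io/keycloak/keycloak:26.0.2"   # image tag used in the thread
# Address Keycloak sees nginx connecting from. With Docker's default bridge network,
# nginx on the host shows up as the bridge gateway (commonly 172.17.0.1), NOT 127.0.0.1;
# check with `docker network inspect bridge`. Assumed value:
PROXY_ADDR="172.17.0.1"

# nginx side: terminate TLS, forward original scheme/host/client address to Keycloak.
# $1 selects the upstream: edge -> plain HTTP on 8282, reencrypt -> HTTPS on 8443.
nginx_proxy_conf() {
  if [ "$1" = "reencrypt" ]; then
    upstream="https://127.0.0.1:8443"
  else
    upstream="http://127.0.0.1:8282"
  fi
  cat <<EOF
location / {
    proxy_pass         $upstream;
    proxy_set_header   Host              \$host;
    proxy_set_header   X-Forwarded-For   \$proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto \$scheme;
    proxy_set_header   X-Forwarded-Host  \$host;
    proxy_set_header   X-Forwarded-Port  \$server_port;
}
EOF
}

# Keycloak side. The container port is bound to loopback only, so nginx is the sole
# client, and --proxy-trusted-addresses tells Keycloak to honour X-Forwarded-* headers
# from that address only; both stop a direct client from spoofing scheme or host.
#   edge      - nginx -> Keycloak is plain HTTP, so --http-enabled=true is required
#   reencrypt - nginx -> Keycloak is HTTPS, so Keycloak needs its own cert/key (PEM),
#               and http stays disabled
keycloak_run_cmd() {
  mode="$1"
  env_opts="-e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD='change-me' -e KC_DB=mysql -e KC_DB_URL='jdbc:mysql://ip:3306/db' -e KC_DB_USERNAME=dbuser -e KC_DB_PASSWORD='change-me'"
  case "$mode" in
    edge)
      cat <<EOF
docker run -d --name kcdev -p 127.0.0.1:8282:8080 \\
  $env_opts \\
  $KC_IMAGE start --hostname=https://$KC_HOST \\
  --proxy-headers=xforwarded --proxy-trusted-addresses=$PROXY_ADDR \\
  --http-enabled=true
EOF
      ;;
    reencrypt)
      cat <<EOF
docker run -d --name kcdev -p 127.0.0.1:8443:8443 \\
  -v /srv/kc-tls:/etc/kc-tls:ro \\
  $env_opts \\
  $KC_IMAGE start --hostname=https://$KC_HOST \\
  --proxy-headers=xforwarded --proxy-trusted-addresses=$PROXY_ADDR \\
  --https-certificate-file=/etc/kc-tls/cert.pem \\
  --https-certificate-key-file=/etc/kc-tls/key.pem
EOF
      ;;
    *)
      echo "unknown mode: $mode (use edge or reencrypt)" >&2
      return 1
      ;;
  esac
}

# Stand-alone run: show both layouts side by side.
nginx_proxy_conf edge
keycloak_run_cmd edge
nginx_proxy_conf reencrypt
keycloak_run_cmd reencrypt
```

After starting the container, a quick check is to fetch /realms/master/.well-known/openid-configuration through nginx and confirm the issuer is https://dev.example.io/...; if it comes back as http:// or with the container's address, the proxy headers are not arriving from a trusted address or are not being set.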

Ok thank you all for inputs.

So which ENVs are required for an NGINX X-Forwarded setup with HTTPS Keycloak? I guess I will need a .jks with SSL…

Read the proper guides and use the options which fit your environment/requirements/usecase:

No worries, thank you for pointing it out.
Will try to be as clear as possible.