Stuck at making an instance of Keycloak worth with multiple frontend URLs

I’m running Keycloak inside a Docker container, and I serve it behind an Nginx reverse proxy.

This is part of my docker-compose.yml file:

services: 
    accounts:
        image: quay.io/keycloak/keycloak:latest
        container_name: Accounts
        working_dir: /opt/keycloak
        ports: 
            - 8080:8080
        environment: 
            - KEYCLOAK_FRONTEND_URL=https://accounts.primary-domain.com/
            - PROXY_ADDRESS_FORWARDING=true
            - KC_HOSTNAME=accounts.primary-domain.com
            - KEYCLOAK_ADMIN=admin_user
            - KEYCLOAK_ADMIN_PASSWORD=admin_pass
            - KC_DB_URL_HOST=database
            - KC_DB_URL_DATABASE=accounts
            - KC_DB_URL_PORT=3306
            - KC_DB_USERNAME=db_user
            - KC_DB_PASSWORD=db_pass
            - KC_PROXY=edge
            - KC_HTTP_ENABLED=true
            - KC_HOSTNAME_STRICT=false
        logging:
            driver: none

Then I go into the admin console, define a new realm, and set accounts.second-domain.com as its frontend URL in the realm settings tab.

But when I try use accounts.second-domain.com as my login URL for my client app, I see this error:

fused to frame ‘https://accounts.second-domain.com/’ because it violates the following Content Security Policy directive: “frame-src ‘self’”.

I searched and saw this on StackOverflow and changed the Content-Security-Policy from the realm settings into:

frame-src 'self'; frame-ancestors 'self' https://accounts.second-domain.com; object-src 'none';

Still no success.

What should I do?

Accordingly to docs you could to just not defining any host name settings and rely on reverse proxy to do so.

bin/kc.[sh|bat] start --proxy <mode> --hostname-strict=false

Thanks for answering. But I can not understand you. I read your answer many times, yet I still don’t get it.