authUrl and authServerUrl in a reverse-proxy context

dblas · April 15, 2020, 6:49am

AuthUrl and AuthServerUrl in a reverse-proxy context.
I’m fighting with the auth panel in a keyCloak located behind a nginx reverse-proxy.
Everything is fine in the page since there are relative paths, except this:

<script src="http://<site>/auth/js/keycloak.js?version=5w76l" type="text/javascript"></script>

Of course, since nginx enforces HTTPS, the http protocol is refused.

And it seems to come from there, at the beginning of the page, where js variables authUrl and authServerUrl are declared:

<script type="text/javascript">
	var authServerUrl = 'http://<site>/auth';
	var authUrl = 'http://<site>/auth';
	var consoleBaseUrl = '/auth/admin/master/console/';
	var resourceUrl = '/auth/resources/5w76l/admin/keycloak';
	var masterRealm = 'master';
	var resourceVersion = '5w76l';
	</script>

There is no reference to these variables anywhere in the doc.

How is it possible to make these variables have the correct value (https://) or to have a relative path in this place?

Thank you,
Have a nice day and stay home,
db

P3RF3CTION · April 16, 2020, 6:53am

Are you terminating the SSL/HTTPS session with your reverse proxy or do you want to handle keycloak the certificate? I use a set-up to terminate the session with a proxy and use http behind that one to reach the keycloak. In such case you just need to add the proxy-mode to the standalone Konfiguration.

dblas · April 16, 2020, 7:22am

Hello. Thank you four your answer.
nginx is the TLS endpoint for many sites behind it.
By adding the proxy-mode to the standalone configuration you want to tell adding the attribute proxy-address-forwarding=“true” to the http-listener element?
Like this:

<http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="https" enable-http2="true"/>

I did it.
Nothing new,
The auth.js, in https:///auth/admin/master/console/, is always referenced by http and not through a relative path in the home page.

And you have no problem at all proxiing keycloak with nginx (TLS before and http behind)?
BTW, my keycloak version is the latest, the 9.0.3.
db

P3RF3CTION · April 16, 2020, 7:33am

I have 3 keycloak setups all behind a reverse-proxy, two behind nginx one behind an apache working without any problems.

dblas · April 16, 2020, 7:57am

I can imagine that it has to work. Of course.
But I have to find where is the trick.
Here is the nginx part. Nothing extraordinary as you can see.

location / {

                proxy_pass              http://172.18.0.19:8010;
                proxy_http_version      1.1;
                proxy_set_header        Host      $host;
                proxy_set_header        X-Real-IP  $remote_addr;
               proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_set_header        X-Script-Name /;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Remote-User $remote_user;

I added some stuff and I removed them.
For example, #proxy_redirect http:// https://;

I used it on another configuration, it was necessary but not in this case apparently.
I also played with a / at the en of the proxy_pass directive.

The standalone.xml is the one from the tar.gz except the proxy-address-forwarding=“true”.
Variables inside the standalone.xml are set from outside using -D flag.
Ah, and, as there is no variable in this part I had to change the address of the SMTP mailer at the end of the standalone.xml. That’s all.

<remote-destination host="<smtp mailer address>" port="25"/>

The startup script is as follows:

./standalone.sh \
-Djboss.http.port=8010 \
-Djboss.bind.address.management=0.0.0.0 \
-Djboss.bind.address=0.0.0.0 \
-Djboss.node.name=name \
-Djava.net.preferIPv4Stack=true \
-b 0.0.0.0

So, where is the trick?
Thank you,
db

P3RF3CTION · April 16, 2020, 9:18am

Just as a reference for you, that is my current nginx config for the proxy_pass:

location / {
proxy_pass http://addr:port/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Cookie $http_cookie;
proxy_connect_timeout 600;
keepalive_timeout 10m;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_buffers 4 64k;
client_max_body_size 10m;
client_body_buffer_size 128k;
}

So far i am not directly able to see anything wrong.

dblas · April 16, 2020, 9:54am

OK so 2 things are needed.
First, in the standalone.xml, the proxy-address-forwarding attribute.

<http-listener name="default" socket-binding="http" proxy-address-forwarding="true" enable-http2="true"/>

then, in nginx,

proxy_set_header X-Forwarded-Proto https;

And https MUST be lowercase.
I made a test yesterday with a HTTPS word (I read this somewhere) and it didn’t work. I then abandoned and requested an assistance.

Ok, it works now, there was definitively a trick.
Thank you again.

It was P3rf3ct
Have a nice day,
db

P3RF3CTION · April 16, 2020, 10:07am

No Problem, always welcome on that one.
Thank you enjoy your Keycloak right now

lijishan · July 8, 2022, 8:08am

Thank you! I’ve been stuck for two whole days before getting it work.

Topic		Replies	Views
${authBaseUrl} identical to ${authAdminUrl}? Configuring the server	0	560	February 19, 2024
Keycloak white admin console and 401 responses Configuring the server	4	4632	March 24, 2022
KEYCLOAK_FRONTEND_URL and "web-context" Configuring the server	0	4427	November 19, 2019
Change Client authBaseURL Path Configuring the server admin-console , authentication	1	7445	October 15, 2020
${authurl} insists on pointing to http instead of https	0	277	February 28, 2022

authUrl and authServerUrl in a reverse-proxy context

Related Topics