authUrl and authServerUrl in a reverse-proxy context

I’m fighting with the auth panel in a Keycloak located behind an nginx reverse proxy.
Everything is fine in the page since there are relative paths, except this:

<script src="http://<site>/auth/js/keycloak.js?version=5w76l" type="text/javascript"></script>

Of course, since nginx enforces HTTPS, the http protocol is refused.

And it seems to come from there, at the beginning of the page, where js variables authUrl and authServerUrl are declared:

<script type="text/javascript">
var authServerUrl = 'http://<site>/auth';
var authUrl = 'http://<site>/auth';
var consoleBaseUrl = '/auth/admin/master/console/';
var resourceUrl = '/auth/resources/5w76l/admin/keycloak';
var masterRealm = 'master';
var resourceVersion = '5w76l';
</script>

There is no reference to these variables anywhere in the doc.

How is it possible to make these variables have the correct value (https://) or to have a relative path in this place?

Thank you,
Have a nice day and stay home,
db


Are you terminating the SSL/HTTPS session with your reverse proxy, or do you want Keycloak to handle the certificate? I use a set-up that terminates the session at a proxy and uses http behind it to reach Keycloak. In such a case you just need to add the proxy mode to the standalone configuration.

Hello. Thank you for your answer.
nginx is the TLS endpoint for many sites behind it.
By adding the proxy mode to the standalone configuration, do you mean adding the attribute proxy-address-forwarding="true" to the http-listener element?
Like this:

<http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="https" enable-http2="true"/>

I did it.
Nothing new,
The auth.js, in https:///auth/admin/master/console/, is always referenced by http and not through a relative path in the home page.

And you have no problem at all proxying Keycloak with nginx (TLS in front and http behind)?
BTW, my keycloak version is the latest, the 9.0.3.
db

I have 3 keycloak setups all behind a reverse-proxy, two behind nginx one behind an apache working without any problems.

I can imagine that it has to work. Of course.
But I have to find where is the trick.
Here is the nginx part. Nothing extraordinary as you can see.

location / {
    proxy_pass              http://172.18.0.19:8010;
    proxy_http_version      1.1;
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection "Upgrade";
    proxy_set_header        X-Script-Name /;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Remote-User $remote_user;
}

I added some stuff and I removed them.
For example, #proxy_redirect http:// https://;

I used it on another configuration, it was necessary but not in this case apparently.
I also played with a / at the end of the proxy_pass directive.

The standalone.xml is the one from the tar.gz except the proxy-address-forwarding="true".
Variables inside the standalone.xml are set from outside using -D flag.
Ah, and, as there is no variable in this part I had to change the address of the SMTP mailer at the end of the standalone.xml. That’s all.

<remote-destination host="<smtp mailer address>" port="25"/>

The startup script is as follows:

./standalone.sh \
-Djboss.http.port=8010 \
-Djboss.bind.address.management=0.0.0.0 \
-Djboss.bind.address=0.0.0.0 \
-Djboss.node.name=name \
-Djava.net.preferIPv4Stack=true \
-b 0.0.0.0

So, where is the trick?
Thank you,
db

Just as a reference for you, that is my current nginx config for the proxy_pass:

location / {
proxy_pass http://addr:port/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Cookie $http_cookie;
proxy_connect_timeout 600;
keepalive_timeout 10m;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_buffers 4 64k;
client_max_body_size 10m;
client_body_buffer_size 128k;
}

So far I am not directly able to see anything wrong.

OK so 2 things are needed.
First, in the standalone.xml, the proxy-address-forwarding attribute.

<http-listener name="default" socket-binding="http" proxy-address-forwarding="true" enable-http2="true"/>

then, in nginx,

proxy_set_header X-Forwarded-Proto https;

And https MUST be lowercase.
I made a test yesterday with an HTTPS word (I read this somewhere) and it didn’t work. I then gave up and requested assistance.

OK, it works now, there was definitely a trick.
Thank you again.

It was P3rf3ct :slight_smile:
Have a nice day,
db
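A post-fix check, added here as an example and not part of the thread: it reads the admin console page (for example from `curl -sS https://<site>/auth/admin/master/console/`) and fails if authServerUrl, authUrl or any script src still carries an http:// URL, which is exactly what the TLS-only proxy refuses. The sample pages and the host example.test are constructed for the demonstration.

```shell
#!/bin/sh
# Added check (not from the thread): after setting proxy-address-forwarding and
# X-Forwarded-Proto, confirm the console page served through the proxy no longer
# carries http:// absolute URLs. Real usage, replacing <site> with your host:
#   curl -sS https://<site>/auth/admin/master/console/ | check_console_scheme

# Reads the page on stdin; returns 0 when authServerUrl, authUrl and every
# <script src> are https:// or relative, 1 when an http:// URL remains.
check_console_scheme() {
    urls=$(sed -n \
        -e "s/.*var authServerUrl = '\([^']*\)'.*/\1/p" \
        -e "s/.*var authUrl = '\([^']*\)'.*/\1/p" \
        -e 's/.*<script src="\([^"]*\)".*/\1/p')
    if [ -z "$urls" ]; then
        echo "no authServerUrl/authUrl/script src found in input" >&2
        return 2
    fi
    rc=0
    for u in $urls; do
        case "$u" in
            https://*|/*) ;;                                     # TLS or relative: fine
            http://*) echo "insecure absolute URL: $u"; rc=1 ;;  # what the TLS-only proxy refuses
            *)        echo "unexpected URL: $u"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample pages modelled on the snippet in the first post
# (example.test is a placeholder host, not a real site).
BROKEN_PAGE=$(cat <<'EOF'
<script src="http://example.test/auth/js/keycloak.js?version=5w76l" type="text/javascript"></script>
<script type="text/javascript">
	var authServerUrl = 'http://example.test/auth';
	var authUrl = 'http://example.test/auth';
	var consoleBaseUrl = '/auth/admin/master/console/';
</script>
EOF
)
FIXED_PAGE=$(printf '%s\n' "$BROKEN_PAGE" | sed 's#http://example\.test#https://example.test#g')

printf '%s\n' "$BROKEN_PAGE" | check_console_scheme || echo "before the fix: http:// URLs present"
printf '%s\n' "$FIXED_PAGE"  | check_console_scheme && echo "after the fix: only https:// and relative URLs"
```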

No Problem, always welcome on that one.
Thank you, enjoy your Keycloak right now :smiley: