Help Needed: Configuring Keycloak 25.0.2 with Nginx 1.24

havo · July 25, 2024, 4:13am

Hi everyone,

I’m currently setting up Keycloak 25.0.2 and I need help configuring it with Nginx 1.24. Here are the details of my setup:

Keycloak version: 25.0.2
Nginx version: 1.24
Server OS: Ubuntu 24.04
Keycloak Docker image: Quay
Nginx configuration:

I want to configure Nginx as a reverse proxy for Keycloak, ensuring secure access via HTTPS. Below is my current Nginx configuration file:
server {
server_name sso.tld.com;

location / {
    proxy_pass http://127.0.0.1:8711;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/sso.tld.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/sso.tld.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
if ($host = sso.tld.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen 80;
server_name sso.tld.com;
return 404; # managed by Certbot

}

and KC docker conf:

version: “3.7”

services:
keycloak:
image: Quay
entrypoint: /opt/keycloak/bin/kc.sh start
container_name: keycloak
restart: unless-stopped
environment:
- KEYCLOAK_ADMIN=admin
- KEYCLOAK_ADMIN_PASSWORD=password
- KEYCLOAK_FRONTEND_URL=https://{{ URL }}/auth
- KC_HOSTNAME_STRICT=false
- KC_HOSTNAME_STRICT_HTTPS=false
- KC_HTTP_ENABLED=true
- KC_DB=postgres
- KC_DB_URL=jdbc:postgresql://keycloak-postgres:5432/keycloak
- KC_DB_USERNAME=keycloak
- KC_DB_PASSWORD=password
- proxy=edge
ports:
- 127.0.0.1:8711:8080
depends_on:
keycloak-postgres:
condition: service_healthy
networks:
- keycloak-network
keycloak-postgres:
container_name: keycloak_postgres
image: postgres:latest
restart: unless-stopped
environment:
- POSTGRES_DB=keycloak
- POSTGRES_USER=keycloak
- POSTGRES_PASSWORD=password
- POSTGRES_PORT=5432
healthcheck:
test: [“CMD-SHELL”, “sh -c ‘pg_isready -U keycloak -d keycloak’”] # User, Database
interval: 5s
timeout: 30s
retries: 3
volumes:
- postgres_data:/var/lib/postgresql/data
networks:
- keycloak-network

networks:
keycloak-network:
name: keycloak-network
driver: bridge

volumes:
postgres_data:

and the login page like this

thanks in advance

uvznab · July 28, 2024, 12:32pm

I’m guessing you’ve merged settings and configurations from a wide variety of Keycloak versions from all over the internet (backdating to KC 18, I’m guessing). I can’t stress enough: RTFM of the latest build.

Your docker-compose.yaml is missing the environment variable:
- KC_HOSTNAME: https://sso.tld.com

You may want to consider adding this variable (although, in the case of your config, I think it’s not necessary):
- KC_PROXY_HEADERS=xforwarded

I’d also consider removing these variables:

- proxy
- KEYCLOAK_FRONTEND_URL

If it still doesn’t work, check the console logs (set KC_LOG_LEVEL: INFO) as it can be very useful.

havo · August 10, 2024, 12:32pm

use below update conf still 502 Bad Gateway

nginx/1.26.1

version: “3.7”

services:
keycloak:
image: Quay
container_name: keycloak
restart: unless-stopped
environment:
- KEYCLOAK_ADMIN=admin
- KEYCLOAK_ADMIN_PASSWORD=password
- KC_HOSTNAME=https://sso.tld
- KC_HOSTNAME_STRICT=false
- KC_HOSTNAME_STRICT_HTTPS=false
- KC_HTTP_ENABLED=true
- KC_DB=postgres
- KC_DB_URL=jdbc:postgresql://keycloak-postgres:5432/keycloak
- KC_DB_USERNAME=keycloak
- KC_DB_PASSWORD=password
- KC_LOG_LEVEL=INFO
entrypoint: [“sh”, “-c”, “/opt/keycloak/bin/kc.sh start --proxy=edge”]
ports:
- 127.0.0.1:8711:8080
depends_on:
keycloak-postgres:
condition: service_healthy
networks:
- keycloak-network

keycloak-postgres:
container_name: keycloak_postgres
image: postgres:latest
restart: unless-stopped
environment:
- POSTGRES_DB=keycloak
- POSTGRES_USER=keycloak
- POSTGRES_PASSWORD=password
- POSTGRES_PORT=5432
healthcheck:
test: [“CMD-SHELL”, “pg_isready -U keycloak -d keycloak”]
interval: 5s
timeout: 30s
retries: 3
volumes:
- postgres_data:/var/lib/postgresql/data
networks:
- keycloak-network

networks:
keycloak-network:
name: keycloak-network
driver: bridge

volumes:
postgres_data:

Topic		Replies	Views
Proxy Keycloak with Nginx and certificates Configuring the server	0	594	March 2, 2023
Keycloak with Cloudflare Tunnel not working Configuring the server	0	1055	January 25, 2023
Enabling SSL to secure the HTTP traffic of the Keycloak Server with existing certificate (avoid self-signed certificate) Getting advice	15	9666	May 17, 2021
Keycloak docker behind nginx not work Configuring the server	0	706	December 27, 2020
How to correctly configure keycloak 21.0.1 (latest) in production mode use Google Cloud and the docker run command? Configuring the server	0	296	March 29, 2023

Help Needed: Configuring Keycloak 25.0.2 with Nginx 1.24

use below update conf still 502 Bad Gateway

Related topics