How to set up Keycloak behind a sub-domain over HTTPS

Hello folks,

I am playing with a Keycloak setup and want to achieve the following things:

  • Setup a keycloak service

  • Use it behind HTTPS

  • Use a sub-domain to point to the server

I have set up the server on digital ocean using a docker image. But that’s with HTTPS turned off. At this point, it’s accessible using HTTP and the IP address.

At this point I would have wanted to get some certs and use that, it would have solved half of the problem-- having HTTPS, though that would still be behind an IP.

But then I couldn’t find a free CA which gives certificates for IP address. So, I got a domain to use.


At this point, I thought I would use Nginx as a reverse proxy, will point a sub-domain to Nginx, and reroute the requests to Keycloak. I found a sensible plan but a poor execution.

(I should warn you that I am self-taught and new to many things here. Precisely-- Docker, Digital Ocean, Keycloak and Nginx :stuck_out_tongue: )

  • I got Nginx to route to Keycloak endpoint i.e http:///ip (Nginx is running on default port) to
    http:///ip:port/auth

  • Glad about this minuscule success, I pointed sub-domain to Nginx. Now we have http:///sub.domain.com pointing to http:///ip:port/auth

  • I also got certificates for Nginx from Let’s Encrypt. Thanks to their easy to follow steps.

Now coming to the poor execution part:

At this point, I have a https:///sub.domain.com pointing https:///ip:port/auth which is all nice and intended.
But as soon as I click on admin I see the following flaws:

  • The hyperlink is pointing to http:///ip:port/auth/a/b/c instead of http:///sub.domain/auth/a/b/c. So we definitely have something wrong with the Nginx config.

    • What are the changes I need to make to fix this? Should I give the domain name to Keycloak to generate its link relative to that?
  • The hyperlink is also http://ip:port/auth/a/b/c instead of https which is kinda expected but not where I want to reach.

    • I can here think to re-setup Keycloak with HTTPS on. But that would require me to have certs. Should I get these different from the ones I got for sub-domain & Nginx? If yes, where can I get them from?
  • Best way to configure the components:

    • I am using Keycloak in docker but don’t know where to go and edit Standalone XML. So I end up passing configs to the docker command.

These are the parts I am stuck at and would appreciate it a lot if anyone can help me with these.

I know it’s a lot to read and process but if you kind-hearted folks point me in the right direction, I will go, read and apply those.

And as a thank you note, I will be willing to buy you a coffee and would write a blog post with the steps to do all these for others to use.

Thanks for staying till here,
xoxo

Got this figured out, will be writing a how-to for this. In hindsight, looks like not so complex and I have been missing some minor but important details.

Dude, when you start Keycloak you have to pass it your URL so that it accepts connections from that URL. There is an env key for that; take a look at the documentation.
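
A check for the symptom described in the first post (Keycloak generating links on http://ip:port instead of the HTTPS sub-domain), as an added example that is not part of the thread: it scans a realm's OpenID discovery document for URLs that are not on the public HTTPS host. The sample document, the address 203.0.113.10:8080 and the realm name master are constructed placeholders; in practice the JSON would be fetched through the proxy from /auth/realms/<realm>/.well-known/openid-configuration.

```python
import json
from urllib.parse import urlsplit


def sample_discovery(base):
    """Constructed sample shaped like a Keycloak OpenID discovery document."""
    realm = f"{base}/auth/realms/master"
    return json.dumps({
        "issuer": realm,
        "authorization_endpoint": f"{realm}/protocol/openid-connect/auth",
        "token_endpoint": f"{realm}/protocol/openid-connect/token",
        "jwks_uri": f"{realm}/protocol/openid-connect/certs",
        "grant_types_supported": ["authorization_code", "refresh_token"],
    })


def _urls(node, path=""):
    """Yield (json_path, value) for every absolute http(s) URL in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _urls(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _urls(value, f"{path}[{i}]")
    elif isinstance(node, str) and node.lower().startswith(("http://", "https://")):
        yield path, node


def find_leaks(discovery_json, public_base):
    """Return (field, url, reason) for each URL that is not on the public HTTPS host."""
    want = urlsplit(public_base)
    findings = []
    for path, url in _urls(json.loads(discovery_json)):
        got = urlsplit(url)
        reasons = []
        if got.scheme != "https":
            reasons.append("not https")
        # Explicit ports are compared as written, so ip:8080 never passes as the public host.
        if got.hostname != want.hostname or got.port != want.port:
            reasons.append(f"host is {got.netloc}, expected {want.netloc}")
        if reasons:
            findings.append((path, url, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Constructed input: what the realm advertises when it only knows its internal address.
    for field, url, reason in find_leaks(
            sample_discovery("http://203.0.113.10:8080"), "https://sub.domain.com"):
        print(f"{field}: {url} ({reason})")
```

An empty result means every advertised endpoint is on the HTTPS sub-domain; a result showing only "not https" means the host is right but the proxy is not telling Keycloak the original scheme.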