I have set all the configurations I have read about in documentation and forums for running Keycloak behind a load balancer. The main auth page displays correctly, while trying to access administration control returns an Invalid parameter: redirect_uri error in the administration console.
The redirect URL query string parameter includes the correct https_url, but only if I change it to http does the error message disappear, although other content does not display correctly since the load balancer is set for https.
This is running on Docker, and I have set only port 8081 to allow access to the administration console. Here is the tcpdump content run from the host (not from within the Docker container):
~# tcpdump -A port 8081
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
...
v.t.K+_.GET /auth/ HTTP/1.1
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-origin
Referer: https://accounts.mydomain.com:8081/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
X-FORWARDED-PROTO: https
X-Forwarded-For: xxx.xxx.xxx.xxx
Connection: close
Host: accounts.mydomain.com:8081
K+`.v.t.HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate, no-transform, no-store
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
Date: Sat, 02 Nov 2019 17:01:51 GMT
Connection: close
X-Robots-Tag: none
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 4067
...
...
v..yK+.\GET /auth/admin/ HTTP/1.1
Upgrade-Insecure-Requests: 1
DNT: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-origin
Referer: https://accounts.mydomain.com:8081/auth/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
X-FORWARDED-PROTO: https
X-Forwarded-For: xxx.xxx.xxx.xxx
Connection: close
Host: accounts.mydomain.com:8081
K+.dv..yHTTP/1.1 302 Found
Connection: close
Location: http://accounts.mydomain.com:8081/auth/admin/master/console/
Content-Length: 0
Date: Sat, 02 Nov 2019 17:02:22 GMT
...
v...K+..GET /auth/admin/master/console/ HTTP/1.1
Upgrade-Insecure-Requests: 1
DNT: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: cross-site
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
X-FORWARDED-PROTO: https
X-Forwarded-For: xxx.xxx.xxx.xxx
Connection: close
Host: accounts.mydomain.com:8081
...
K+..v...HTTP/1.1 200 OK
Cache-Control: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
Date: Sat, 02 Nov 2019 17:02:22 GMT
Connection: close
X-Robots-Tag: none
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 7316
Content-Language: en
<!DOCTYPE html>
<html>
<head>
...
...
v..qK+.TGET /auth/admin/master/console/config HTTP/1.1
Accept: application/json
DNT: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Referer: https://accounts.mydomain.com:8081/auth/admin/master/console/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
X-FORWARDED-PROTO: https
X-Forwarded-For: xxx.xxx.xxx.xxx
Connection: close
Host: accounts.mydomain.com:8081
...
K+.Xv..qHTTP/1.1 200 OK
Connection: close
Cache-Control: no-cache
Content-Type: application/json
Content-Length: 182
Date: Sat, 02 Nov 2019 17:02:22 GMT
{"realm":"master","auth-server-url":"http://accounts.mydomain.com:8081/auth","ssl-required":"external","resource":"security-admin-console","public-client":true,"confidential-port":0}
v..+K+..GET /auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Faccounts.mydomain.com%3A8081%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=bb24e75f-1927-4df2-9cb7-2535fef24233&response_mode=fragment&response_type=code&scope=openid&nonce=e24ee691-46f4-4253-90ce-a8efe3e75985 HTTP/1.1
Upgrade-Insecure-Requests: 1
DNT: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: cross-site
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
X-FORWARDED-PROTO: https
X-Forwarded-For: xxx.xxx.xxx.xxx
Connection: close
Host: accounts.mydomain.com:8081
...
K+.'v..+HTTP/1.1 400 Bad Request
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
Date: Sat, 02 Nov 2019 17:02:23 GMT
Connection: close
X-Robots-Tag: none
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 1766
Content-Language: en
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" class="login-pf">
...
<div id="kc-error-message">
<p class="instruction">Invalid parameter: redirect_uri</p>
<p><a id="backToApplication" href="/auth/admin/master/console/index.html">.. Back to Application</a></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
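
Added example, not part of the original post: a small Python check over lines taken from the capture above. It lists the URLs in the trace whose scheme differs from the X-Forwarded-Proto value the load balancer sent. The function names are hypothetical and the sample is a trimmed, constructed copy of the capture.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: lines copied from the capture in the post, trimmed.
CAPTURE = """\
GET /auth/admin/ HTTP/1.1
X-FORWARDED-PROTO: https
Host: accounts.mydomain.com:8081
HTTP/1.1 302 Found
Location: http://accounts.mydomain.com:8081/auth/admin/master/console/
{"realm":"master","auth-server-url":"http://accounts.mydomain.com:8081/auth","ssl-required":"external"}
GET /auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Faccounts.mydomain.com%3A8081%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&response_type=code HTTP/1.1
X-FORWARDED-PROTO: https
"""

def extract(capture):
    """Collect forwarded schemes and every absolute URL seen in the capture."""
    forwarded, urls = set(), {}
    for line in capture.splitlines():
        line = line.strip()
        if m := re.match(r"(?i)x-forwarded-proto:\s*(\S+)", line):
            forwarded.add(m.group(1).lower())
        elif m := re.match(r"(?i)location:\s*(\S+)", line):
            urls["Location header"] = m.group(1)       # built by the backend
        elif line.startswith("{"):
            try:
                cfg = json.loads(line)
            except ValueError:
                continue                                # not a JSON body
            if "auth-server-url" in cfg:
                urls["auth-server-url"] = cfg["auth-server-url"]
        elif m := re.search(r"GET (\S+) HTTP/", line):  # tolerate tcpdump prefix bytes
            query = parse_qs(urlsplit(m.group(1)).query)
            if "redirect_uri" in query:
                urls["redirect_uri"] = query["redirect_uri"][0]  # built by the browser
    return forwarded, urls

def scheme_mismatches(capture):
    """Return {source: scheme} for URLs whose scheme the proxy did not forward."""
    forwarded, urls = extract(capture)
    return {src: urlsplit(u).scheme for src, u in urls.items()
            if urlsplit(u).scheme not in forwarded}

if __name__ == "__main__":
    for src, scheme in scheme_mismatches(CAPTURE).items():
        print(f"{src}: scheme {scheme!r} differs from X-Forwarded-Proto")
```

On this sample it reports the Location header and auth-server-url as http, while the redirect_uri sent by the browser is https, which is the scheme disagreement visible in the trace.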