Keycloak 17 - Run in docker behind NginX Reverse Proxy

1

Hi,

I read a lot of articles but cannot get Keycloak 17 running without https - my reverse proxy cares about HTTPS and I want to communicate with keycloak then via HTTP.

My Docker build and custom Keycloak image looks like this:

FROM quay.io/keycloak/keycloak:17.0.0 as builder
ENV KC_METRICS_ENABLED=true
ENV KC_DB=postgres
ENV KC_HTTP_RELATIVE_PATH=/auth
RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:17.0.0
COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
WORKDIR /opt/keycloak
ENV KEYCLOAK_ADMIN=kcadmin
ENV KEYCLOAK_ADMIN_PASSWORD=securepw
ENV KC_DB_URL=<DBURL>
ENV KC_DB_USERNAME=<DBUSERNAME>
ENV KC_DB_PASSWORD=<DBPASSWORD>
ENV KC_LOG_LEVEL: INFO
ENV KC_PROXY: edge
ENV KC_HTTP_ENABLED: true

COPY ./theme/snc-lara/ /opt/keycloak/themes/snc-lara/

ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]

Then I build and start the container with docker compose: (overwriting some parameters)

  keycloak:
    image: my-repo.at/lara-keycloak:latest
    environment:
      KC_DB_PASSWORD: 'securepw'
      KC_DB_SCHEMA: public
      KC_DB_URL_DATABASE: keycloak
      KC_DB_URL: jdbc:postgresql://db-url.at:5533/keycloak
      KC_DB_USERNAME: lara
      KEYCLOAK_ADMIN: kcadmin
      KEYCLOAK_ADMIN_PASSWORD: 'securepw'
      KC_HOSTNAME: docker-snc02.dev0.mycompany.at
      KC_HOSTNAME_STRICT: false
    ports:
    - 8686:8080/tcp

When I start the container it always outputs following error:

25.2.2022 01:06:392022-02-25 00:06:39,183 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
25.2.2022 01:06:392022-02-25 00:06:39,183 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Key material not provided to setup HTTPS. Please configure your keys/certificates or start the server in development mode.
25.2.2022 01:06:392022-02-25 00:06:39,183 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

What am I doing wrong? It seems to have worked for others that way:

Isn`t it possible run keycloak in HTTP mode only?

One solution might be to run Keycloak 17 in start-dev mode - but I wanted to avoid that …

ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start-dev"]
1 Like
2

Sorry - I found the issue had used “:” instead of “=” in the Dockerfile → here my cleaned up Dockerfile if anybody is interested:

FROM quay.io/keycloak/keycloak:17.0.0 as builder
ENV KC_METRICS_ENABLED=true
ENV KC_DB=postgres
ENV KC_HTTP_RELATIVE_PATH=/auth
RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:17.0.0
COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
WORKDIR /opt/keycloak
ENV KC_LOG_LEVEL=INFO
ENV KC_PROXY=edge
ENV KC_HTTP_ENABLED=true
ENV KC_HOSTNAME_STRICT=false

COPY ./theme/snc-lara/ /opt/keycloak/themes/snc-lara/

ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]

And then:

keycloak:
    image: 'my-repo.at/lara-keycloak:latest'
    environment:
      KC_DB_URL: 'jdbc:postgresql://db-url.at:5533/keycloak'
      KC_DB_SCHEMA: public
      KC_DB_USERNAME: lara
      KC_DB_PASSWORD: 'securepw'
      KEYCLOAK_ADMIN: kcadmin
      KEYCLOAK_ADMIN_PASSWORD: 'securepw'
      KC_HOSTNAME: 'ext-hostname.at'
    ports:
      - '8686:8080/tcp'
1 Like
3

Run keycloak with following parameters:

        '--auto-build',
        '--http-port=8389',
        '--http-enabled=true',
        '--http-relative-path=/auth',
        '--hostname-strict-https=false',
        '--hostname-strict=false',
        '--proxy=edge'

or remove --auto-build and set all envs in Dockerfile (and adjust port / http-relative-path). This should let you access keycloak via proxy and optionally via IP for other realms (appropriate frontendUrl for each realm should be set)

4

Hello, which http-port are you using here in e.g 8389?