We are setting up keycloak behind the kong ingress controller with https. The https communication got enabled with a self-signed certificate. We are able to access keycloak with https enabled. The welcome page is getting loaded without any issues. But the problem is that the subsequent call becomes http instead of https.
http://172.21.25.10:30007/auth/admin/…
Instead of https://172.21.25.10:30007/auth/admin/…
I have set up the frontend url in the master realm settings.
We need the admin console with https access. How to make subsequent calls with https in keycloak?
Did you try to access it with https BUT without the port 30007?
So essentially it would be https://172.21.25.10/auth/admin/…
Also, you might need to adapt the KC_HOSTNAME_STRICT_HTTPS or KC_HTTP_ENABLED environment variables for keycloak.
I hope I was able to point you in the right direction to get it fixed.
@svencarstenrasmusen Thanks for the help.
The welcome page is getting loaded as below.
When I click on "Administration Console" it points to http.
When I click on the link I am getting 400 Bad request, The plain HTTP request was sent to HTTPS port.
Can you confirm what value we need to set for KC_HOSTNAME_STRICT_HTTPS or KC_HTTP_ENABLED?
Below is the values.yaml of keycloak we are trying to set.
    - name: KEYCLOAK_HTTP_RELATIVE_PATH
      value: /auth/
    - name: KAFKA_URL
      value: kafka:9092
    - name: KEYCLOAK_FRONTEND_URL
      value: https://hostname:30007/auth
    - name: KC_PROXY_ADDRESS_FORWARDING
      value: "true"
    - name: KC_PROXY_HEADERS
      value: xforwarded
    - name: KC_HOSTNAME_STRICT_HTTPS
      value: "false"
    - name: KC_HTTP_ENABLED
      value: "true"
    - name: KC_LOG_LEVEL
      value: DEBUG

Still we are getting the same issue.
@dasniko can you help on this issue.
Are you sure that your KC_PROXY_HEADERS value is correct - this caused me the same issue that you are reporting.
Keycloak does not know whether it is behind a proxy or not. TLS communication will get terminated in the kong ingress and we need to forward the X-Forwarded-Proto as https to keycloak, based on which keycloak will understand it is behind a proxy and form all the subsequent requests with https instead of http. Please correct me if my understanding is wrong.
I am not sure whether KC_PROXY_HEADERS will have forwarded or xforwarded as per the document.
- If the proxy/gateway is communicating with Keycloak over HTTP, just add:

    KC_PROXY_HEADERS: xforwarded
    KC_PROXY: edge
    KC_HTTP_ENABLED: 'true'

- Here is the example in nginx:

    location / {
        proxy_pass http://idp;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

Lastly please use a DNS name, just seeing the IPs hurts my feelings 
For more info see [1].
[1] Using a reverse proxy - Keycloak
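
The mechanism discussed above, as an added example that is not part of the thread and not Keycloak's code: a simplified Python model of how a backend behind a TLS-terminating proxy rebuilds its public base URL from `X-Forwarded-*` or RFC 7239 `Forwarded` headers. The function names, the mode names (chosen to mirror the `KC_PROXY_HEADERS` values) and the sample headers are constructed assumptions; IPv6 literals are not handled.

```python
# Simplified model, NOT Keycloak's implementation (assumption for illustration).
DEFAULT_PORTS = {"http": "80", "https": "443"}


def parse_forwarded(value):
    """Parse the first element of an RFC 7239 Forwarded header into a dict."""
    element = value.split(",")[0]
    pairs = (p.split("=", 1) for p in element.split(";") if "=" in p)
    return {k.strip().lower(): v.strip().strip('"') for k, v in pairs}


def external_base_url(headers, mode, listener_scheme="http"):
    """Return the base URL the backend would put into links and redirects.

    mode is 'none', 'xforwarded' or 'forwarded'.
    """
    h = {k.lower(): v for k, v in headers.items()}

    def first(name):
        # With chained proxies only the first (client-facing) value counts.
        return h[name].split(",")[0].strip() if name in h else None

    scheme, hostport, port_override = listener_scheme, h.get("host", "localhost"), None
    if mode == "xforwarded":
        scheme = (first("x-forwarded-proto") or scheme).lower()
        hostport = first("x-forwarded-host") or hostport
        port_override = first("x-forwarded-port")
    elif mode == "forwarded":
        fwd = parse_forwarded(h.get("forwarded", ""))
        scheme = fwd.get("proto", scheme).lower()
        hostport = fwd.get("host", hostport)
    elif mode != "none":
        raise ValueError(f"unknown mode: {mode}")
    # mode 'none': forwarded headers are ignored, so a client that reaches the
    # backend directly cannot spoof the scheme or host used in generated links.

    host, _, port = hostport.partition(":")
    port = port_override or port
    if port in ("", DEFAULT_PORTS.get(scheme)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


# Constructed sample: what the backend sees after TLS was terminated upstream.
SAMPLE = {"Host": "172.21.25.10:30007", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    for mode in ("none", "xforwarded"):
        print(mode, "->", external_base_url(SAMPLE, mode))
```

With the constructed sample, mode `none` (or a proxy that never sends `X-Forwarded-Proto`) yields the `http://…:30007` links reported in the thread, while `xforwarded` yields `https://`.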
Thanks for replying back,
We are still facing the issue. Please find the details below.
keycloak-ingress file: [kong version: 2.4.0]

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: keycloak-ingress
      labels:
        app.kubernetes.io/instance: kong
        app.kubernetes.io/managed-by: Helm
      annotations:
        konghq.com/strip-path: "false"
        kubernetes.io/ingress.class: "kong"
        konghq.com/protocols: "https"
    spec:
      ingressClassName: kong
      rules:
      #- host: freshxcom.mt.mtnet
      - http:
          paths:
          - path: /auth
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 80

keycloak bitnami helm chart: 18.0.2
keycloak values file: keycloak-values.yaml

    httpRelativePath: "/auth/"
    extraEnvVars: |
      - name: KAFKA_URL
        value: kafka:9092
      - name: KEYCLOAK_FRONTEND_URL
        value: "https://freshxcom.mt.mtnet:30007/auth"
      - name: PROXY_ADDRESS_FORWARDING
        value: "true"
      - name: KC_LOG_LEVEL
        value: DEBUG