Keycloak in docker behind reverse proxy

Hey there,

I recently installed Keycloak as Docker container using jboss/keycloak:latest.
I’m using for all my applications a nginx server as a reverse proxy to secure my connections via ssl.

Now I can access my Keycloak instance’s main page, but when I hit the “Administration Console” button I get an Mixed Content error in my browsers console and a blank page as the result.

What did I do wrong?

Thank you. But I already set PROXY_ADRESS_FORWARDING: "true" :sweat_smile:

Why you didn’t provide https://stackoverflow.com/help/minimal-reproducible-example :cry: ? Who knows what and how you did it.

Oh sorry… Thats a point…

This is my docker-compose.yml: https://hasteb.in/oqebecaw.yaml
This my nginx server configuration: https://hasteb.in/nuyihaji.nginx

My nginx reverse proxy is always running inside a docker container.

If you need something else please let me know :slight_smile:

https://www.keycloak.org/docs/latest/server_installation/#_setting-up-a-load-balancer-or-proxy

Highlighting:

Configuring your proxy to generate the X-Forwarded-For and X-Forwarded-Proto HTTP headers and preserving the original Host HTTP header is beyond the scope of this guide.

You don’t forward protocol to Keycloak.

After adding that to my config nothing has changed… :sweat_smile:

https://hasteb.in/gudusexo.nginx

Have you found a solution yet?

Some config properties that I have are

proxy_buffering off;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Host $http_host;

proxy_pass http://auth-servers;
proxy_redirect off;

Maybe these help, let us know what the solution was if you’ve found any.

I’ve also encountered the same issue when I deployed keycloak helm chart(helm-charts/tree/master/charts/keycloak) to K8S env. At the moment I’m looking for a solution.

We have nginx in front of keycloak. It may not be an issue related to Keycloak but it looks like we have to dig into keycloak documentation to find a solution.

Mixed Content: The page at ‘https:///auth/admin/master/console/’ was loaded over HTTPS, but requested an insecure script 'http:///auth/js/keycloak.js?version=qj41j’. This request has been blocked; the content must be served over HTTPS.
jquery.min.js:2 jQuery.Deferred exception: Keycloak is not defined ReferenceError: Keycloak is not defined
at HTMLDocument. (https://*****/auth/resources/qj41j/admin/keycloak/js/app.js:12:24)
at e (https://h****/auth/resources/qj41j/admin/keycloak/node_modules/jquery/dist/jquery.min.js:2:29453)

Hello i encounter exactly the same problem, i have a traefik ingress in front and this single resource is pushed using HTTP.
I think you should just move to relative resources instead of building a complete url in HTML files

Hello,
Same problem, same scenario - any luck?

Mixed Content: The page at ‘https://auth.domain.com/auth/admin/master/console/’ was loaded over HTTPS, but requested an insecure script ‘http://auth.domain.com/auth/js/keycloak.js?version=ih8hb’. This request has been blocked; the content must be served over HTTPS.`

I didn’t use Docker to setup my server, but I just encountered the same error, no matter what I did to my nginx configuration. At last, I noticed I overlooked a crucial part in the documentation.

Did you apply this part to your Keycloak configuration?

Alright so here is what worked for me,

  1. Set this environment variable in keycloak container apart from

PROXY_ADDRESS_FORWARDING=true

  1. NGINX server block

    proxy_set_header X-Forwarded-For $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection ‘upgrade’;
    proxy_set_header Host $host;

9 Likes

Hi @netoasis
I am facing the exact same issue.
Were you able to find any solution?

Having the same issue. When I look at the source, all resources links are relative (/auth/js/…), except for the one pointing to keycloak.js, which has a full url with http.

Fixed the issue for the admin console at least, by configuring Realm setting -> General -> frontend url, with the value:

https://my.keycloak.domain/auth

Might have to do this for other realms as well, havn’t testet yet.

Note that the admin console will stop working if you try to visit it from any other url.

3 Likes

Thank you. It worked for me after making suggested changes!

I got the same issue and here is my summary how to solve that.

As we already configured HTTP to HTTPS…Next we need to configure keycloak server to accept proxy forwarding…both docker or standalone.
so locate your standalone.xml file and find the line with server name="default-server"
the next line will be
http-listener name=“default” socket-binding=“http” redirect-socket=“https” enable-http2="true"
update it with
http-listener name=“default” socket-binding=“http” redirect-socket=“https” enable-http2=“true” proxy-address-forwarding="true"

restart the server and done !

1 Like

@Tobb: could you please elaborate a bit on your solution?
I’m facing the “HTTP” issue while configuring Keycloak 7.0.1 up to 10.0.2 (don’t really care about the exact version, just that it works!) on K8S and behind an OCI LoadBalancer (which sends the correct headers according to their documentation:), and obviously I’ve already got the mythical “PROXY_ADDRESS_FORWARDING=true” in my Env.
So I’m trying to follow your solution now, but can’t manage to find any “frontend url” filed in Realm setting -> General for my Master Realm.

1 Like

… and, by the way, Why On Earth is this line of code written like so:

<script src="http://keycloak.my.domain/auth/js/keycloak.js?version=iyxuz" type="text/javascript"></script>

while all other are well-formed, as anyone should write his HTML:

<script src="/auth/resources/iyxuz/admin/keycloak/js/app.js" type="text/javascript"></script>
  • No mention to Server URL
  • No mention to Connection Scheme

I’m really worried now, as this bug seems to affect all 10 releases between 8.0.0 and 10.0.2…

1 Like