Keycloak v18 proxy doesn't work on EKS if you are using [ALB+NGINX]

Hello,
A similar problem is described here.

I have a Keycloak v16 which was installed via the Bitnami/Keycloak Helm Chart v7.1.7 and it works pretty well.
Now I need to upgrade to Keycloak v18 by using the Bitnami/Keycloak Helm Chart v9.0.0.

This is my system:
http/https >>>> ALB (SSL Offloading)>>> (http) Nginx Ingress >>> (http) Keycloak
My existing Keycloak v16 settings are:

extraEnvVars:
  - name: KEYCLOAK_EXTRA_ARGS
    value: "-Dkeycloak.frontendUrl=https://keycloak.mydomain.com/auth"

proxyAddressForwarding: false

...and here is my Keycloak v18 configuration:

...
extraEnvVars:
- name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
  value: "true"
- name: KEYCLOAK_FRONTEND_URL
  value: "https://keycloak.mydomain.com/auth"
# - name: KEYCLOAK_EXTRA_ARGS
#   value: "-Dkeycloak.frontendUrl=https://keycloak.mydomain.com/auth"
...
...
proxy: passthrough
...
annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
      location /auth {
        proxy_set_header    X-Real-IP          $remote_addr;
        proxy_set_header    X-Forwarded-Port   $server_port;
        proxy_set_header    X-Forwarded-Proto  $scheme;
        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Host   $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header Host keycloak.mydomain.com;
      }
...

Actually I tried many combinations, too many times, like:

proxy: passthrough/edge/none/reencrypt

- name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
  value: "true/false"
etc.

None of them work…
Could you please advise: is it a bug or am I missing something?

Thanks & Regards

You are using old env variables with new Keycloak. Use KC_PROXY: edge (doc: Using a reverse proxy - Keycloak).

Hello,
I changed vars as below:

- name: KC_HOSTNAME
  value: "https://keycloak.mydomain.com/auth"
- name: KC_HOSTNAME_STRICT
  value: "true"
- name: KEYCLOAK_LOG_LEVEL
  value: DEBUG
- name: JAVA_OPTS
  value: "-Djgroups.dns.query=keycloak-headless.keycloak"
...
proxy: edge
...
location /auth {
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-Host HTTPS;
  proxy_set_header X-Forwarded-Server $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header Host $http_host;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "Upgrade";
  proxy_pass_request_headers on;
}

…but nothing changed.

Keycloak is still looking for http://…

Is there a working pattern for LB-level SSL termination?

Thanks & Regards

You have ALB → Nginx → Keycloak = Keycloak behind 2 proxies. Nginx must set the X-Forwarded headers based on the current X-Forwarded headers (or just hardcode them), not based on the request. I guess ALB is doing SSL offloading, so nginx receives an http request and sets that in the X-Forwarded header as well. So Keycloak is only following what those proxies configure in the X-Forwarded headers. It is your proxy issue, not a Keycloak issue.
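The two-proxy header chain described above, as an added example that is not from this thread, Keycloak or nginx: a Python model of browser -> ALB -> nginx -> Keycloak showing why `X-Forwarded-Proto $scheme` makes Keycloak build http:// URLs, and how forwarding the ALB's header (only from a trusted peer) fixes it. The TRUSTED_PROXIES address and the hop functions are constructed for the simulation.

```python
# Constructed value: the ALB's address as nginx sees it (assumption for this model).
TRUSTED_PROXIES = {"10.0.1.10"}


def alb_hop(client_scheme, headers):
    """ALB terminates TLS, records the client scheme, and talks http to nginx."""
    out = dict(headers)
    out["X-Forwarded-Proto"] = client_scheme
    return "http", out


def nginx_hop(peer_ip, wire_scheme, headers, forward_incoming):
    """forward_incoming=False models the thread's `X-Forwarded-Proto $scheme`,
    which overwrites the ALB's value with nginx's own (http) connection scheme.
    forward_incoming=True keeps the upstream value (nginx `$http_x_forwarded_proto`,
    or ingress-nginx `use-forwarded-headers`), but only from a trusted proxy,
    so a client reaching nginx directly cannot forge the scheme."""
    out = dict(headers)
    upstream = headers.get("X-Forwarded-Proto")
    if forward_incoming and peer_ip in TRUSTED_PROXIES and upstream:
        out["X-Forwarded-Proto"] = upstream
    else:
        out["X-Forwarded-Proto"] = wire_scheme
    return "http", out


def keycloak_base_url(host, wire_scheme, headers, kc_proxy):
    """KC_PROXY=edge trusts X-Forwarded-Proto; passthrough/none use the
    scheme of Keycloak's own listener (plain http in this deployment)."""
    scheme = headers.get("X-Forwarded-Proto", wire_scheme) if kc_proxy == "edge" else wire_scheme
    return f"{scheme}://{host}/auth"


def resolve(forward_incoming, kc_proxy, peer_ip="10.0.1.10", client_scheme="https"):
    """Push one browser request through ALB -> nginx -> Keycloak and return
    the base URL Keycloak would use for redirect_uri and frontend URLs."""
    scheme, headers = alb_hop(client_scheme, {})
    scheme, headers = nginx_hop(peer_ip, scheme, headers, forward_incoming)
    return keycloak_base_url("keycloak.mydomain.com", scheme, headers, kc_proxy)


if __name__ == "__main__":
    print(resolve(False, "edge"))        # http://...  (the thread's symptom)
    print(resolve(True, "edge"))         # https://... (ALB's header forwarded)
    print(resolve(True, "passthrough"))  # http://...  (forwarded headers ignored)
```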

Hello @jangaraj
Correct; ALB does SSL offloading, nginx receives an http request.
In my scenario, should I set "proxy: edge" or "proxy: passthrough"?

Thanks & Regards

What will this config set?

proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;

The http protocol, because ALB uses http to reach nginx, so Keycloak is requested to respond with the http protocol.

Proxy config is the problem, not Keycloak config now!

So the naive solution is to hardcode https:

proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host https:

Other headers may have the same problem. Don't blame me if the syntax is wrong. This is the Keycloak forum, so don't expect correct syntax for nginx conf.

Sorry @jangaraj, I wish it were not related to Keycloak, but I am not sure.

I tried both:

    nginx.org/server-snippets: |
      location /auth {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host https;
      }

…and

    nginx.org/server-snippets: |
      location /auth {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Host HTTPS;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass_request_headers on;
      }

I also tried both configs above with proxy: edge and proxy: passthrough; nothing works. Keycloak doesn't care about the proxy config; nothing changes. Keycloak looks for the http:// endpoint persistently.

DEBUG [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-0) Error response 404: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://keycloak.mydomain.com/auth/

Sorry, this is my last post here. It really looks like you are not friends with the doc; you have many errors and are testing random config values.

- name: KC_HOSTNAME
  value: "https://keycloak.mydomain.com/auth"

Is it really a hostname? A URL is not a hostname.

OK, thanks @jangaraj for all your help and advice. I am writing this as a reference for others:

I entered a URL there because I read somewhere that "KC_HOSTNAME" is the replacement for the "KEYCLOAK_FRONTEND_URL" variable.

Of course it's not hard to test. I tried it as "keycloak.mydomain.com" and also as "keycloak"; nothing changed.

Maybe that’s the same problem:

Thanks & Regards

I encountered the exact same issue; my infrastructure is:

Browser (https)=> ALB (http)=> Nginx (http)=> Keycloak

And I got the “Invalid parameter: redirect_uri” error from Keycloak while I was trying to access the admin console login page.

Thanks to @jangaraj's hints, the problem should be related to the headers x-forwarded-proto / x-forwarded-scheme being http when Keycloak receives the request from Nginx, while the redirect_uri is https://… because the browser is using https to access Keycloak.

I think the different protocol is what caused Keycloak to complain.

My solution is to change my infrastructure as below (which aligns the protocol to HTTPS):

Browser (https)=> ALB (https)=> Nginx (http)=> Keycloak

The related ALB ingress setting for the above change is as follows; I hope it can help other people who encounter the same issue.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  ...
  annotations:
    kubernetes.io/ingress.class: "alb"
    alb.ingress.kubernetes.io/backend-protocol: "HTTPS"
    ...
spec:
  rules:
  - host: "*.example.com"
    http:
      paths:
      - path: "/"
        pathType: "Prefix"
        backend:
          service:
            name: "ingress-nginx-controller"
            port:
              name: https