Nginx reverse proxy using locations

My setup is a little bit different. I am trying to use nginx locations so that a single domain serves both an app and Keycloak, but it does not seem to work. Here is more information:

  • a server with nginx and forward to different machines.

  • a machine runs a webapp and Keycloak using docker-compose.

  • a domain for the webapp

  • I can access both the Keycloak interface and the webapp interface using:

                 - "https://webapp.com"
                 - "https://webapp.com/kc"
    
  • The problem is: logging in to the Keycloak “Administration Console” does not work.

    • The page changes to “https://webapp.com/admin” and I get this in the browser:

         502 Bad Gateway
         nginx/1.18.0
      
    • This is what nginx error log reports:

        [error] 222430#222430: *6 connect() failed (111: Connection refused) while connecting to upstream, client: **server_public_ip**  server: webapp.com, request: "GET /admin/ HTTP/1.1", upstream: "http://wepapp_machine:wepapp_port/admin/", host: "wepapp.com"
      

My nginx configuration looks like this:

  # TLS virtual host from the question: every path is proxied to the web app
  # except /kc/, which is proxied to Keycloak on the same backend machine.
  # Both upstreams are reached over plain http://, so the hop between this
  # proxy and the backend machine is unencrypted.
  server {
             server_name webapp.com;

             # Forwarding headers are set once at server level; neither location
             # below declares its own proxy_set_header, so both inherit these.
             proxy_set_header   X-Real-IP $remote_addr;
             proxy_set_header   X-Scheme $scheme;
             # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
             # client sent, so only the last entry is set by this proxy.
             proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header   X-Forwarded-Proto $scheme;
             proxy_set_header   X-Forwarded-Port $server_port;
             # $http_host is the Host header exactly as the client sent it. The
             # compose file on this page runs Keycloak with
             # KC_HOSTNAME_STRICT "false", so the backend may build URLs from a
             # client-chosen host name.
             # NOTE(review): consider a fixed value here (or KC_HOSTNAME on the
             # Keycloak side) so generated links cannot follow a forged Host.
             proxy_set_header   Host $http_host;

             # Catch-all: any path that is not under /kc/ goes to the web app.
             # This is where the failing "GET /admin/" from the error log ends up.
             location / {
                 proxy_pass http://webapp_machine:webapp_port/;        
                proxy_buffer_size 128k;
                proxy_buffers 4 256k;
                proxy_busy_buffers_size 256k;
                # 3000 seconds (50 minutes) per read and 200 MB request bodies
                # are generous limits for an internet-facing host.
                # NOTE(review): size these to what the app actually needs.
                proxy_read_timeout 3000;
                client_max_body_size 200M;
             }

            # Because proxy_pass carries a URI part ("/"), nginx replaces the
            # matched "/kc/" prefix with "/" before forwarding. Keycloak never
            # sees the prefix, so the redirect it issues (to /admin/ in the
            # report above) no longer matches this location.
            location /kc/ {
                proxy_pass http://webapp_machine:keycloak_port/;
             }        

           listen 443 ssl; 
           ssl_certificate /path/crt.pem; 
           ssl_certificate_key /path/key.pem; 
          # Contents of the included file are not shown on this page.
          # NOTE(review): no Strict-Transport-Security header is set in the
          # visible lines; confirm whether the include provides one.
          include /path/ssl-nginx.conf;
          ssl_dhparam /path/ssl-dhparams.pem; 
  }

  # Plain-HTTP listener: it only redirects to HTTPS and proxies nothing.
  server {
             # Requests whose host is exactly webapp.com get a permanent
             # redirect to the same URI over HTTPS.
             if ($host = webapp.com) {
                  return 301 https://$host$request_uri;
             }
             server_name webapp.com;
             listen 80;
             # Anything that did not match the host check above is answered
             # with 404 instead of being redirected.
             return 404;
  }

And this is the docker-compose file:

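        # Compose stack for the backend machine: Postgres, Keycloak ("auth") and
        # the web app, all attached to the pre-existing network webapp_net.
        # Upper-case values such as POSTGRES_PORT or POSTGRES_PASSWORD are the
        # poster's placeholders. In a real deployment supply credentials from an
        # env file or secret store that is not committed to version control.
        # Nesting restored: services, list items and environment keys must be
        # indented under their parent keys for the file to parse as intended.
        version: '3'
        services:

          postgres:
            image: postgres:12.7
            container_name: wenapp.postgres
            restart: always
            expose:
              - POSTGRES_PORT
            # Publishing 5432 makes the database reachable on the host's
            # interfaces. Keycloak below reaches it over webapp_net by container
            # name (KC_DB_URL_HOST), so this stack does not need the mapping.
            # NOTE(review): drop it or bind it to 127.0.0.1 unless something
            # outside Docker really connects to the database.
            ports:
              - "POSTGRES_PORT:5432"
            environment:
              POSTGRES_USER: POSTGRES_USER
              POSTGRES_PASSWORD: POSTGRES_PASSWORD
              POSTGRES_DB: AUTH_DB
            volumes:
              - ./postgres_data:/var/lib/postgresql/data
            networks:
              - webapp_net

          auth:
            image: quay.io/keycloak/keycloak:19.0.2
            restart: always
            container_name: wenapp.auth
            # nginx runs on a different server, so this port has to be reachable
            # from it. With KC_PROXY "edge" Keycloak accepts plain HTTP and
            # trusts forwarded headers, so firewall the port to the proxy host
            # only; any other client that reaches it can supply those headers.
            ports:
              - "keycloak_port:8080"
            # start-dev is Keycloak's development mode.
            # NOTE(review): use `start` with an explicit hostname for anything
            # exposed to the internet.
            entrypoint: /opt/keycloak/bin/kc.sh start-dev
            environment:
              KC_DB: postgres
              KC_DB_URL_DATABASE: AUTH_DB
              KC_DB_URL_HOST: wenapp.postgres
              KC_DB_USERNAME: POSTGRES_USER
              KC_DB_PASSWORD: POSTGRES_PASSWORD
              KEYCLOAK_ADMIN: KEYCLOAK_ADMIN_USER
              KEYCLOAK_ADMIN_PASSWORD: KEYCLOAK_ADMIN_PASSWORD
              # Variable of the legacy WildFly-based image; presumably ignored
              # by this Quarkus-based image, where KC_PROXY takes its place.
              # TODO confirm.
              PROXY_ADDRESS_FORWARDING: "true"
              # With strict hostname checking off, Keycloak derives its public
              # URLs from the incoming request, and the nginx config on this
              # page forwards the client's own Host header.
              # NOTE(review): pin the public name with KC_HOSTNAME.
              KC_HOSTNAME_STRICT: "false"
              KC_HTTP_ENABLED: "true"
              KC_PROXY: "edge"
              # NOTE(review): does not look like a Keycloak server option;
              # verify that it has any effect.
              GRANT_TYPE: password
              # Optional: KC_HTTP_RELATIVE_PATH: /kc serves everything under
              # /kc, but only if the proxy stops stripping that prefix.
            depends_on:
              - postgres
            networks:
              - webapp_net

          mainwebapp:
            image: webapp_image
            container_name: wenapp.app
            restart: always
            ports:
              - "webapp_port:8080"
            networks:
              - webapp_net

        networks:
          webapp_net:
            external:
              name: webapp_net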

I appreciate your suggestions :slight_smile:

This nginx configuration seems to work, and I can log in to Keycloak:

In the above configuration I replaced

            # Original /kc/ location: the "/" URI part in proxy_pass replaces
            # the matched "/kc/" prefix, so Keycloak receives prefix-less paths.
            location /kc/ {
               proxy_pass http://webapp_machine:keycloak_port/;
           }

With:

            # Workaround from the answer: Keycloak is still unaware of the /kc
            # prefix, so the paths it redirects to (/admin/, /resources/, /js/,
            # /realms/) are each proxied to it from the root of the shared
            # domain. Those four prefixes are therefore no longer available to
            # the web app behind "location /".
            # "keycloack_port" is spelled differently from "keycloak_port" in
            # the question; both are placeholders for the same published port.
            location /kc/ {
                    proxy_pass http://webapp_machine:keycloack_port/;

                    # Same buffer, timeout and body-size values as the web
                    # app's "location /" in the question.
                    # NOTE(review): a 200 MB body limit and a 3000 s read
                    # timeout are unlikely to be needed in front of a login
                    # service; confirm and tighten.
                    proxy_buffer_size 128k;
                    proxy_buffers 4 256k;
                    proxy_busy_buffers_size 256k;
                    proxy_read_timeout 3000;
                    client_max_body_size 200M;
                }
                # This publishes the Keycloak administration console on the
                # public virtual host with no restriction in the visible lines.
                # NOTE(review): limit who can reach it, for example:
                #     allow <ADMIN_NETWORK_CIDR>;   # placeholder
                #     deny  all;
                # or serve the console only on an internal listener.
                location /admin/ {
                    proxy_pass http://webapp_machine:keycloack_port/admin/;
                }
                # Static assets used by Keycloak's pages.
                location /resources/ {
                    proxy_pass http://webapp_machine:keycloack_port/resources/;

                }
                location /js/ {
                    proxy_pass http://webapp_machine:keycloack_port/js/;

                }
                # Realm endpoints; these need to stay reachable for logins.
                location /realms/ {
                    proxy_pass http://webapp_machine:keycloack_port/realms/;
                }