Reverse proxy WITHOUT Docker

Almost all of the documentation for Keycloak assumes that the system is running in a Docker container. With Docker, there are the PROXY_ADDRESS_FORWARDING and KEYCLOAK_FRONTEND_URL ENV variables, which make putting Keycloak behind an SSL reverse proxy a breeze.

However, in development (or for those not wishing to use Docker), there is scant documentation regarding how to do the same thing without Docker. I’ve seen several threads on this matter, but none seem to be conclusive. Are there cli arguments that can be passed to What is the “official” way to configure Keycloak to run behind a reverse proxy when not using Docker? Is there a page in the documentation that I’ve missed?


I fixed my own problem. The trick is to edit the following file:

Look for the following lines:

<server name="default-server">
  <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
  <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>

Add the value proxy-address-forwarding="true" after that second line like so:

<server name="default-server">
  <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" proxy-address-forwarding="true"/>
  <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>

Then, this is a working nginx config that should work (WARNING: I’m using self-signed certs for development - don’t use snakeoil.conf in production!!!):

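server {
  # "ssl" on the listen directives enables TLS; the separate "ssl on;" directive is obsolete
  listen 443 ssl default_server;
  listen [::]:443 ssl default_server;
  include snippets/snakeoil.conf;

  # $proxy_protocol_addr is empty unless "proxy_protocol" is set on the listen lines;
  # $remote_addr passes the connecting client's address and overwrites any client-sent value
  proxy_set_header X-Forwarded-For $remote_addr;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header Host $host;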

  location / {

The end. Any questions, and I’ll do my best to help!
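Added example, not part of the original post and not Keycloak's own tooling: once proxy-address-forwarding="true" is set, that listener believes whatever X-Forwarded-* headers it receives, so it should only be reachable from the proxy. The sketch below reads a WildFly-style config and reports which listeners trust forwarded headers and where they are bound. The sample XML is constructed around the listener lines above; its namespace versions, bind address and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed WildFly-style config around the listener lines
# from the post. Namespace versions and the bind address are assumptions.
SAMPLE = """<server xmlns="urn:jboss:domain:16.0">
  <profile><subsystem xmlns="urn:jboss:domain:undertow:12.0">
    <server name="default-server">
      <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" proxy-address-forwarding="true"/>
      <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
    </server>
  </subsystem></profile>
  <interfaces><interface name="public"><inet-address value="${jboss.bind.address:0.0.0.0}"/></interface></interfaces>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
  </socket-binding-group>
</server>"""

def audit_forwarding(xml_text):
    """Per Undertow listener: does it trust X-Forwarded-* headers, and where is it bound?"""
    root = ET.fromstring(xml_text)
    addresses = {}  # interface name -> inet-address expression
    for iface in root.findall(".//{*}interface"):
        inet = iface.find("{*}inet-address")
        addresses[iface.get("name")] = inet.get("value") if inet is not None else None
    bindings = {}  # socket-binding name -> (port, interface name)
    for group in root.findall(".//{*}socket-binding-group"):
        for sb in group.findall("{*}socket-binding"):
            bindings[sb.get("name")] = (sb.get("port"),
                                        sb.get("interface", group.get("default-interface")))
    report = []
    for tag in ("http-listener", "https-listener"):
        for el in root.findall(".//{*}" + tag):  # {*} ignores the schema version
            port, iface = bindings.get(el.get("socket-binding"), (None, None))
            report.append({
                "listener": el.get("name"),
                "trusts_forwarded": el.get("proxy-address-forwarding") == "true",
                "port": port,
                "bind_address": addresses.get(iface),
            })
    return report

def exposed_trusting_listeners(xml_text):
    """Listeners that trust forwarded headers yet are not bound to loopback only."""
    return [r["listener"] for r in audit_forwarding(xml_text)
            if r["trusts_forwarded"] and "127.0.0.1" not in (r["bind_address"] or "")]

if __name__ == "__main__":
    print(exposed_trusting_listeners(SAMPLE))
```

The bind address in the file is only a default expression and can be overridden when the server is started, so treat the result as a prompt to confirm with a firewall rule or bind setting that the port is reachable only from the proxy.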

Yes, it’s all in the docs:

Enable HTTPS/SSL with a Reverse Proxy
Identifying Client IP Addresses

The documentation should be searchable