I have Keycloak 18.0.1 installed (Quarkus native), and I’ve configured it to run with separate hostname and hostname-admin domains (auth . externaldomain . com for hostname and kc . internaldomain . com for the admin panel). I have an nginx reverse proxy exposing /realms/, /resources/, /js/, and /robots.txt at auth . externaldomain . com. This all works fine, but once I upgrade to 19.0.2, the admin panel page no longer loads, as now it needs to make requests to auth . externaldomain . com/admin/* that are being blocked by the reverse proxy. When I proxy_pass /admin/ in nginx, however, the admin panel loads properly at kc . internaldomain . com/admin/master/console/#/.
Based on what I’ve seen in the latest GitHub issues and discussions, hostname-admin is inherently breakage-prone, and the recommendation is to simply not use the admin console and use the CLI instead if you want to block external access. I prefer to use the admin console, however; what sort of risk is there in proxy_passing /admin/? Or temporarily proxy_passing it whenever I need to view or update the configurations?
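
The reverse-proxy layout described in the post, written out as an added example (not the poster's configuration and not from the Keycloak project), with `/admin/` proxied only for an internal source range instead of for everyone. The upstream address, the `10.0.0.0/8` range and the certificate paths are assumptions.

```nginx
# Added example. Assumed values: upstream 127.0.0.1:8080, admin source
# range 10.0.0.0/8, certificate paths. Hostname is the post's placeholder.
upstream keycloak {
    server 127.0.0.1:8080;                         # assumed Keycloak listener
}

server {
    listen 443 ssl;
    server_name auth.externaldomain.com;

    ssl_certificate     /etc/nginx/tls/auth.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/auth.key;   # assumed path

    # Inherited by every location below (none of them sets its own headers).
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Paths the post lists as publicly exposed.
    location /realms/      { proxy_pass http://keycloak; }
    location /resources/   { proxy_pass http://keycloak; }
    location /js/          { proxy_pass http://keycloak; }
    location = /robots.txt { proxy_pass http://keycloak; }

    # Admin REST API and console: proxied only for the assumed internal range.
    # allow/deny are evaluated in order against the connecting address.
    location /admin/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak;
    }

    # Default deny: any path not listed above is refused at the proxy.
    location / {
        return 403;
    }
}
```

`allow`/`deny` match the address nginx sees on the connection, so this only works when administrators' browsers reach this server directly from the internal range rather than through another load balancer or NAT that hides it. The master realm's login endpoints still sit under `/realms/` and stay publicly reachable in this layout.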