Struggles configuring nginx proxy

I have configured my newly-installed system such that I can use keycloak’s web interface from a local browser or via an ssh-tunnel. A firewall on the system prevents port 8443 from being used externally, a condition I very much don’t want to change.

The plan is to configure nginx as a reverse proxy listening on port 443, enabling nginx to select the correct traffic destination based on the Host: header before re-encrypting traffic on the way to keycloak. There are several other sites that also connect to this server, and so in this case nginx is on the same host as keycloak.

I can connect locally on 8443 (both inet and localhost), and in dev mode on 8080, but nginx keeps getting ‘connection refused’ from the OS when nginx tries to connect an incoming :443 connection to 8443. The keycloak logs show nothing at all, and the nginx logs show ECONNREFUSED for a connection that works when using telnet addr 8443.

Any thoughts on what’s happening? I can paste configs if that will help.

Dear rivimey

The default KC_HTTPS_PORT is 8443 in the Keycloak server, so although NGINX reverse-proxies port 443 to 8443, the Keycloak server will redirect to the default HTTPS port 8443. For me, I configured the parameter KC_HTTPS_PORT to 443 and set NGINX to reverse-proxy from 443 to the Keycloak server's HTTPS port 443. It works for me.

Thanks for the reply… sadly I can’t simply put the keycloak server on 443 because other https sites are also using that port. I have (I think) configured nginx to reverse-proxy from 443 to 8443, the problem is that when nginx tries to connect on 8443 (as a result of a request on 443) it gets ‘connection refused’. I can, however, connect using telnet to 8443 (though obviously not do anything more).

Can you directly access the keycloak server (bypassing nginx) at https 8443 using a web browser?

I think I could, and I can use an ssh tunnel to do so, but the firewall on the server prevents all access to 8443 (in/out).
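The setup the thread describes (nginx on the same host, selecting the backend by Host name on 443 and re-encrypting toward Keycloak on 8443), written out as an added example that is not a config from either poster; hostnames, certificate paths and the second site's port are assumptions. It proxies to the loopback address explicitly, verifies the backend certificate, and forwards the headers Keycloak needs so its redirects carry the public 443 URL rather than 8443.

```nginx
# Added example, not from the thread. Assumptions: Keycloak listens on
# 127.0.0.1:8443 with a certificate for sso.example.com; another site
# lives on 127.0.0.1:9443. On the Keycloak side this pairs with
# KC_PROXY=reencrypt and KC_HOSTNAME=sso.example.com (Keycloak 17+).

# Keycloak: chosen by Host / SNI, re-encrypted toward 8443.
server {
    listen 443 ssl;
    server_name sso.example.com;

    ssl_certificate     /etc/nginx/tls/sso.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/sso.example.com.key;

    location / {
        # Address the loopback interface explicitly. When 8443 is firewalled
        # on the external interfaces, a proxy_pass target that resolves to the
        # host's public address can be refused while 127.0.0.1 still connects.
        proxy_pass https://127.0.0.1:8443;

        # Verify the Keycloak certificate instead of proxying blindly.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/keycloak-ca.pem;
        proxy_ssl_server_name         on;
        proxy_ssl_name                sso.example.com;

        # Let Keycloak build issuer and redirect URLs for the public 443
        # endpoint rather than its own 8443 listener.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  443;
    }
}

# A second site sharing the same 443 listener, selected by its own Host name.
server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/nginx/tls/app.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;

    location / {
        proxy_pass https://127.0.0.1:9443;
        proxy_set_header Host $host;
    }
}
```

After reloading nginx, a refusal that persists only when the target is a non-loopback address points at the firewall rule rather than at Keycloak, which matches the telnet-to-8443 result in the thread.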