The option KC_HOSTNAME_ADMIN does not work

Hi folks,
after upgrading to version 17, I have a problem with configuration. I want to set up access to the admin console only from a private interface (I had the same configuration in keycloak 16.x).
My setup:

  • Keycloak 17 in docker
  • Nginx as a reverse proxy (two domains)
  • Postgresql as backend

My server has got two network interfaces (public and private), two domains and Both with SSL via Nginx.

In version 16.x, I had this configuration and all works well.


In version 17.x, I have this configuration:

   KC_HTTP_ENABLED: "true"   
   KC_PROXY: edge
command: start --auto-build --http-relative-path /auth

Everything works well, except KC_HOSTNAME_ADMIN. When I add this option, the admin console does not work.

The page shows blank content and every few seconds it reloads itself. In the browser web console, I can not see any problems (all have 200). Only one request ask for a public interface


I have a same problem.
Works with admin2 feature enable. (UPDATE NOT WORKING)

Completely not working with KEYCLOAK_ADMIN_URL

Can we get some help here, please. I think it is literally impossible to configure quarkus keycloak the way it was possible in normal distribution.

I’d like to have following configuration:

  • access admin console through internal IP AND port AND some extra path like /auth e.g. (please note that keycloak itself might be running on different port - it’s only 5000 that is exposed by docker)
  • have possibility for internal apps to login through internal IP, just like you could login to admin console
  • have possibility for public apps to login through public IP (with optional extra path) i.e. reverse proxy in edge mode.

I tried every single combination of parameters (–hostname, --hostname-admin, --hostname-path …, …) but it just doesn’t work:

  • sometimes keycloak redirects to “localhost” without port, even though it is running on non 80/443 port
  • sometimes step1.html can’t check sso status because it is blocked by some Content Security Policy
  • some links/config generated still respects “frontendUrl” realm attribute (in a wrong way, because it doesn’t respect port part), even though it is not mentioned anywhere in new quarkus documentation

Before, all of this was easily possible with just setting correct KEYCLOAK_FRONTEND_URL and/or specific frontendUrl per realm.

Same scenario and same error. Someone to help?

For anyone having same/similar issues, I managed to solve my problem by using following arguments:


So, ignore --hostname, --hostname-admin, --hostname-path altogether. Then with existing configuration of frontendUrl per realm (from previous versions) it works how I want it to work - I can access some realms with internal IP, and some with external domain (described above).

My proxy is mapping to /auth in keycloak.

Next time I’m probably not reading new documentation because it brought me a lot of confusion.


I have the same issue:

insert into realm_attribute (name, realm_id, value)
VALUES ('frontendUrl', 'master', KEYCLOAK_ADMIN_URL)

and then restart. This will fix it, but this seems like a bug.

i too have the same problem the --hostname-admin does not work, only --hostname is getting honored…

Hi! I have the same problem with --hostname-admin on Keycloak 19.0.1 (Quarkus), but the same config works fine on 18.0.2 (Quarkus)
I use different domain names for admin console (– and keycloak server frontend url (–
Version 19.0.1 ignores --hostname-admin for some url, for exampale admin2 console try to connect to whoami and serverinfo on --hostname=auth instead --hostname-admin=keycloak
Admin Console doesnt’d load, there are cors errors in chrome console - network for whoami and serverinfo urls

1 Like

I was hitting the same problem but got it working like this:

Everything else its not working and setting additional /admin in the URL. With the following config you open the login page for the master realm with both or just as it should.