Hello everyone,
I’m trying to set up a Keycloak instance to handle the users of my webapp. This instance would be, like all other microservices, hidden behind my reverse proxy (Kong, it’s an nginx-based proxy).
On my local setup, Kong listens to localhost:443, and Keycloak listens to localhost:8082/auth. To achieve that, I used several environment variables on my Keycloak container:
ENV KC_HOSTNAME=localhost
ENV KC_HOSTNAME_PORT=8082
ENV KC_HOSTNAME_STRICT_HTTPS=false
ENV KC_PROXY=edge
ENV PROXY_ADDRESS_FORWARDING=true
ENV KC_HTTP_ENABLED=true
ENV KC_HTTP_PORT=8082
ENV KC_HTTP_RELATIVE_PATH=/auth
The setup of Kong configuration looks fine, and the Keycloak endpoints that I need are exposed correctly through Kong (/realms, /js, /resources, /robots.txt, like the doc said). Kong handles the TLS connection, and then speaks to all microservices with HTTP only, thus KC_PROXY=edge. /admin is not exposed; I thought I could access this locally using localhost:8082 on the right machine.
I checked, Kong is accurately sending additional headers: x-forwarded-for, x-forwarded-proto, x-forwarded-host, x-forwarded-port, x-forwarded-path, x-forwarded-prefix. It also leaves the Host untouched.
If I go to https://localhost/auth/realms/master/.well-known/openid-configuration, I get the configuration. However, Keycloak does not know it’s behind Kong, so all endpoints contain localhost:8082. That seems normal, since it’s how I set it up in the first place.
I tried to add a new realm with a different Frontend URL, calling it https://myapp.com. Now, my openid configuration contains https://myapp.com:8082/... everywhere. All the workflows get wrong URLs. What did I miss? I cannot remove this port that I put in the first place, otherwise I will not be able to access the admin console. I thought I could do something with KC_HOSTNAME_ADMIN, but unfortunately there is no KC_HOSTNAME_ADMIN_PORT… or is there?
I tried another approach: giving the port 443 instead of 8082. I had to fight all the way to achieve this:
- Rewriting Kong’s x-forwarded-port thanks to this post
- Add a /conf/quarkus-properties containing quarkus.http.proxy.enable-forwarded-host=true thanks to this post
- Use 17.0.0 instead of latest tag. This is actually the most important thing.
- Tested tons of environment variables, proxy modes, etc.
At this point, I don’t even know what made it work, but it seems to work. The problem is, I was obliged to expose the /admin endpoint on Kong, because localhost:8082 does not work anymore (of course). Maybe this approach is better, but I’m still missing something?
Thank you for reading
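As an added check for the symptom described in this thread (example code written for this page, not part of the original post or of Keycloak): a small Python function that walks a realm's discovery document and reports every endpoint whose scheme, host or port differs from the public frontend URL clients will actually use. The realm name and the sample document are constructed; a mismatched issuer is what makes clients reject the tokens Keycloak issues.

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document showing the problem from the post:
# the realm Frontend URL is https://myapp.com, yet the port configured via
# KC_HOSTNAME_PORT leaks into the issuer and every endpoint, and one endpoint
# still carries the internal http://localhost:8082 address.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://myapp.com:8082/auth/realms/myrealm",
    "authorization_endpoint": "https://myapp.com:8082/auth/realms/myrealm/protocol/openid-connect/auth",
    "token_endpoint": "https://myapp.com:8082/auth/realms/myrealm/protocol/openid-connect/token",
    "jwks_uri": "https://myapp.com:8082/auth/realms/myrealm/protocol/openid-connect/certs",
    "end_session_endpoint": "http://localhost:8082/auth/realms/myrealm/protocol/openid-connect/logout",
    "grant_types_supported": ["authorization_code", "refresh_token"],
})


def _effective_port(parts):
    """Port of a split URL, falling back to the scheme default (443/80)."""
    return parts.port or (443 if parts.scheme == "https" else 80)


def check_discovery(doc_json, public_base):
    """Return a list of (field, url, reason) for every URL-valued field in the
    discovery document that does not match the public base URL (scheme, host
    and port). public_base is the frontend URL, e.g. "https://myapp.com"."""
    base = urlsplit(public_base)
    want_port = _effective_port(base)
    problems = []
    for field, value in json.loads(doc_json).items():
        if not isinstance(value, str) or "://" not in value:
            continue  # lists, booleans and plain strings are not URLs
        u = urlsplit(value)
        if u.scheme != base.scheme:
            problems.append((field, value, "scheme %s != %s" % (u.scheme, base.scheme)))
        elif u.hostname != base.hostname:
            problems.append((field, value, "host %s != %s" % (u.hostname, base.hostname)))
        elif _effective_port(u) != want_port:
            problems.append((field, value, "port %d != %d" % (_effective_port(u), want_port)))
    return problems


if __name__ == "__main__":
    for field, url, reason in check_discovery(SAMPLE_DISCOVERY, "https://myapp.com"):
        print("%-24s %-12s %s" % (field, reason, url))
```

Run it against the live document with the JSON fetched from https://localhost/auth/realms/<realm>/.well-known/openid-configuration to see exactly which fields still carry the internal port.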