I’m trying to set up a Keycloak instance to handle the users of my webapp. This instance would be, like all other microservices, hidden behind my reverse proxy (Kong, an nginx-based proxy).
On my local setup, Kong listens on `localhost:443`, and Keycloak listens on `localhost:8082/auth`. To achieve that, I used several environment variables on my Keycloak container:
```dockerfile
ENV KC_HOSTNAME=localhost
ENV KC_HOSTNAME_PORT=8082
ENV KC_HOSTNAME_STRICT_HTTPS=false
ENV KC_PROXY=edge
ENV PROXY_ADDRESS_FORWARDING=true
ENV KC_HTTP_ENABLED=true
ENV KC_HTTP_PORT=8082 KC_HTTP_RELATIVE_PATH=/auth
```
The Kong configuration looks fine, and the Keycloak endpoints that I need are exposed correctly through Kong (`/robots.txt`, like the doc said). Kong handles the TLS connection and then speaks to all microservices over HTTP only; thus `/admin` is not exposed, and I thought I could access it locally using `localhost:8082` on the right machine.
I checked, and Kong is accurately sending the additional headers: `x-forwarded-for`, `x-forwarded-proto`, `x-forwarded-host`, `x-forwarded-port`, `x-forwarded-path`, `x-forwarded-prefix`.
It also leaves the
If I go to `https://localhost/auth/realms/master/.well-known/openid-configuration`, I get the configuration. However, Keycloak does not know it’s behind Kong, so all endpoints contain `localhost:8082`. That seems normal, since it’s how I set it up in the first place.
I tried to add a new realm with a different Frontend URL, calling it `https://myapp.com`. Now my openid configuration contains `https://myapp.com:8082/...` everywhere. All the workflows get wrong URLs. What did I miss? I cannot remove the port that I set in the first place, otherwise I will not be able to access the admin console. I thought I could do something with `KC_HOSTNAME_ADMIN`, but unfortunately there is no `KC_HOSTNAME_ADMIN_PORT`… or is there?
I tried another approach: giving the port `443` instead of `8082`. I had to fight all the way to achieve this:
- Rewriting Kong’s `x-forwarded-port`, thanks to this post
- Adding `quarkus.http.proxy.enable-forwarded-host=true`, thanks to this post
- Using 17.0.0 instead of the latest tag. This is actually the most important thing.
- Testing tons of environment variables, proxy modes, etc.
At this point, I don’t even know what made it work, but it seems to work. The problem is, I was obliged to expose the `/admin` endpoint on Kong, because `localhost:8082` does not work anymore (of course). Maybe this approach is better, but I’m still missing something?
Thank you for reading
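An added check, not part of the original post: given the public origin Kong serves, it flags every URL in a realm's `.well-known/openid-configuration` that still advertises the internal scheme, host, port or a path outside the relative path, which is exactly the symptom described above (endpoints pointing at `myapp.com:8082` or `localhost:8082`). The sample discovery document is constructed; `https://myapp.com` and `/auth` are taken from the post.

```python
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# Constructed sample: the shape of a Keycloak discovery document whose URLs
# still carry the internal port, and one endpoint that even fell back to http.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://myapp.com:8082/auth/realms/master",
    "authorization_endpoint": "https://myapp.com:8082/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://myapp.com:8082/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://myapp.com:8082/auth/realms/master/protocol/openid-connect/certs",
    "end_session_endpoint": "http://localhost:8082/auth/realms/master/protocol/openid-connect/logout",
})


def _effective_port(u):
    # Explicit port wins; otherwise the scheme's default.
    return u.port or (443 if u.scheme == "https" else 80)


def check_discovery(doc_json, public_origin, relative_path="/auth"):
    """Return (field, url, reason) for every advertised URL that is not served
    under public_origin (scheme, host, port) and relative_path.
    An empty list means clients will only ever be sent to the proxy."""
    expected = urlparse(public_origin)
    doc = json.loads(doc_json)
    problems = []
    for field, value in doc.items():
        # Only the URL-bearing fields of an OpenID discovery document.
        if not (field == "issuer" or field.endswith("_endpoint") or field.endswith("_uri")):
            continue
        if not isinstance(value, str):
            continue
        u = urlparse(value)
        if u.scheme != expected.scheme:
            problems.append((field, value, "scheme"))
        elif u.hostname != expected.hostname:
            problems.append((field, value, "host"))
        elif _effective_port(u) != _effective_port(expected):
            problems.append((field, value, "port"))
        elif not u.path.startswith(relative_path + "/"):
            problems.append((field, value, "path"))
    return problems


def fetch_discovery(realm_url):
    # Live use: fetch the document through the proxy, e.g.
    # fetch_discovery("https://myapp.com/auth/realms/master")
    with urlopen(realm_url.rstrip("/") + "/.well-known/openid-configuration") as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for field, url, reason in check_discovery(SAMPLE_DISCOVERY, "https://myapp.com"):
        print(f"{field}: {url} ({reason} mismatch)")
```

Run it against the live document after each hostname or proxy change; a clean result means every workflow URL, including logout, stays on the TLS origin Kong exposes.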