I'm trying to set up Keycloak, however the tutorials expect me to visit http://localhost:8080, but I'm setting it up on a remote host and need to access the admin console externally. I've tried to expose it via Nginx. The Keycloak Administration Console seems to work with the new domain name and port seamlessly, but it still tries to use the "http" URLs instead of the "https" ones (I have Nginx configured to redirect HTTP to HTTPS and I want to keep it that way for security reasons). I have found that the problem is that it internally sets a variable:

var authServerUrl = 'http://example.com/auth';

while the correct URL would be https://example.com/auth.

As a result, when I open https://example.com/auth/admin/master/console/ in the browser, I get the error:

Refused to frame 'http://example.com/' because it violates the following Content Security Policy directive: "frame-src 'self'".

How to fix that? The Nginx config I use is:

server {
    server_name    example.com;

    listen         80;
    listen         [::]:80;

    location / {
      return         301 https://$server_name$request_uri;
    }
}

ssl_session_cache shared:ssl_session_cache:10m;

server {
    server_name example.com;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # ... <SSL and Gzip config goes here> ...

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://127.0.0.1:8080;

        client_max_body_size 16m;
    }
}
jaboja
  • Does this answer your question? [Using Keycloak behind a reverse proxy: Could not open Admin loginpage because mixed Content](https://stackoverflow.com/questions/47181821/using-keycloak-behind-a-reverse-proxy-could-not-open-admin-loginpage-because-mi) – Evil_skunk Nov 22 '20 at 17:57
  • @Evil_skunk Not sure, but where should these "X-Forward..." type headers be attached? In a ConfigMap or as an annotation on the Ingress? BTW I'm using the Nginx Ingress Controller. – Andrew Feb 15 '23 at 11:15

1 Answer

5

You are doing SSL offloading in nginx, but you also need to forward the information that the https scheme was used to Keycloak (X-Forwarded-Proto header). Try this:

server {
    server_name    example.com;

    listen         80;
    listen         [::]:80;

    location / {
      return         301 https://$server_name$request_uri;
    }
}

ssl_session_cache shared:ssl_session_cache:10m;

server {
    server_name example.com;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # ... <SSL and Gzip config goes here> ...

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Port $server_port;
        # Tell Keycloak the original request arrived over https, so it
        # generates https:// URLs instead of http:// ones.
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://127.0.0.1:8080;

        client_max_body_size 16m;
    }
}
Jan Garaj
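To make the mechanism in the answer concrete, here is an added example (not code from the question, the answer, Keycloak or nginx) that models what a backend behind a TLS-terminating proxy sees. The backend only ever receives plain HTTP from nginx (`proxy_pass http://127.0.0.1:8080`), so unless the proxy forwards the original scheme, any absolute URL the backend generates starts with `http://`, and the browser then refuses to frame it under a `frame-src 'self'` policy. The example also shows the check a backend should make before believing `X-Forwarded-*` headers at all: they are only trustworthy when the request really came from the proxy. The trusted-proxy range, header samples and the simplified same-origin model of `frame-src 'self'` are constructed assumptions for illustration.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumed: the only peer allowed to set X-Forwarded-* headers is the local
# nginx instance. Anyone reaching port 8080 from elsewhere could otherwise
# forge the scheme and host and make the backend build attacker-chosen URLs.
TRUSTED_PROXIES = [ip_network("127.0.0.1/32")]


def _default_port(scheme: str) -> int:
    return 443 if scheme == "https" else 80


def is_trusted_proxy(peer_ip: str) -> bool:
    """True when the TCP peer is one of the proxies we trust."""
    addr = ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_origin(peer_ip: str, headers: dict,
                     local_scheme: str = "http",
                     local_host: str = "127.0.0.1:8080") -> tuple:
    """Return (scheme, host[:port]) as the public client saw the request.

    Forwarded headers are honoured only from a trusted proxy; otherwise we
    fall back to what the backend itself observed (plain http).
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", local_host)
    if not is_trusted_proxy(peer_ip):
        return local_scheme, host

    # X-Forwarded-* may carry a comma-separated chain; the first hop is the client-facing one.
    scheme = h.get("x-forwarded-proto", local_scheme).split(",")[0].strip().lower()
    if scheme not in ("http", "https"):
        scheme = local_scheme  # ignore garbage values rather than echo them into URLs
    host = h.get("x-forwarded-host", host).split(",")[0].strip()
    port = h.get("x-forwarded-port", "").split(",")[0].strip()
    if port.isdigit() and int(port) != _default_port(scheme) and ":" not in host:
        host = f"{host}:{port}"
    return scheme, host


def auth_server_url(peer_ip: str, headers: dict, path: str = "/auth") -> str:
    """The absolute URL a Keycloak-like backend would embed as authServerUrl."""
    scheme, host = effective_origin(peer_ip, headers)
    return f"{scheme}://{host}{path}"


def _origin(url: str) -> tuple:
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or _default_port(u.scheme))


def csp_allows_frame(page_url: str, frame_url: str) -> bool:
    """Simplified model of frame-src 'self': the frame must share the page's
    scheme, host and port. http vs https on the same host is a different origin."""
    return _origin(page_url) == _origin(frame_url)


# Constructed request headers as the backend would receive them.
# 1) The question's nginx config: Host and X-Forwarded-For only.
QUESTION_HEADERS = {
    "Host": "example.com",
    "X-Forwarded-For": "203.0.113.5",
}
# 2) The answer's nginx config: scheme, host and port are forwarded too.
ANSWER_HEADERS = {
    "Host": "example.com",
    "X-Forwarded-For": "203.0.113.5",
    "X-Forwarded-Host": "example.com",
    "X-Forwarded-Port": "443",
    "X-Forwarded-Proto": "https",
}

CONSOLE_URL = "https://example.com/auth/admin/master/console/"

if __name__ == "__main__":
    for label, hdrs in (("question config", QUESTION_HEADERS), ("answer config", ANSWER_HEADERS)):
        url = auth_server_url("127.0.0.1", hdrs)
        print(f"{label:15s} authServerUrl={url:28s} framable={csp_allows_frame(CONSOLE_URL, url)}")
    # Same headers, but sent by a non-proxy peer: they must not be believed.
    print("direct client   authServerUrl=" + auth_server_url("203.0.113.5", ANSWER_HEADERS))
```

Running it shows the question's configuration producing `http://example.com/auth`, which the console page at `https://example.com/...` cannot frame, while the answer's configuration produces `https://example.com/auth`. The third line shows why the trusted-proxy check matters: the same `X-Forwarded-Proto: https` header arriving directly from a client is ignored, so the backend port should also be firewalled to the proxy rather than relying on header handling alone.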