Reputation: 855
I installed Keycloak standalone on a server and try to use it behind a reverse proxy through nginx. Keycloak is bound to 127.0.0.1.
That is my nginx vhost config:
server {
    server_name auth.dp.net;
    location /auth {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/auth.dp.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/auth.dp.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = auth.dp.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name auth.dp.net;
    return 404; # managed by Certbot
}
But when I access https://auth.dp.net/auth I get the following keycloak error:
Invalid parameter: redirect_uri
What is missing in my configuration?
Upvotes: 2
Views: 11509
Reputation: 166
Go to your Keycloak client's settings and change Valid Redirect URIs to *.
Valid redirect URIs are a security mechanism of Keycloak that restricts where a redirect can happen. In production it should be as exact as possible to ensure a secure connection.
Upvotes: 1
Reputation: 5941
A / or two, and maybe an =.
location /auth {
    proxy_pass http://localhost:8080;
If your proxy_pass directive is naked, i.e. has no path specified (as yours is above), then the entire request path will be appended to the proxy_pass URL.
So your configuration above will result in a request to https://auth.dp.net/auth being proxied to http://localhost:8080/auth/.
If you add anything, even just a slash, to your proxy_pass directive, then whatever you add will replace the matching part of your location directive. So to pass the request to the proxy with no path you need to add a slash. So this might work:
location /auth {
    proxy_pass http://localhost:8080/;
However, as nginx likes to add a trailing slash when proxying if the request URL doesn't have one, it might not work. So you either tell nginx to match exactly by changing your location directive to:
location = /auth {
Or you anticipate the fact it's going to rewrite your request and change it to:
location /auth/ {
Or if you really want to be a pro you create two identical blocks, one with = /auth and the other with /auth/.
This wins because with = /auth alone, a request to https://auth.dp.net/auth/ will not match, so will not get proxied. With /auth/ alone, it will work for both https://auth.dp.net/auth and https://auth.dp.net/auth/, but the former will trigger an internal rewrite within nginx to add the /, effectively doubling your server load for auth requests.
Upvotes: 1
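As an added example (not from the question or either answer), here is the second answer's two-block layout written out as a complete vhost for the question's host. It assumes Keycloak stays bound to 127.0.0.1:8080 and serves under the /auth context path, as the standalone distribution does, so the replacement path keeps that prefix instead of stripping it.

```nginx
server {
    listen 443 ssl;
    server_name auth.dp.net;
    # TLS settings carried over unchanged from the question (managed by Certbot).
    ssl_certificate /etc/letsencrypt/live/auth.dp.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/auth.dp.net/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Exact match for /auth with no trailing slash. Without this block a
    # request for /auth only reaches "location /auth/" after nginx has sent
    # the client a redirect to /auth/, the extra round trip the answer describes.
    location = /auth {
        # The matched "/auth" is replaced by "/auth/", so Keycloak sees /auth/.
        proxy_pass http://127.0.0.1:8080/auth/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Prefix match for everything under /auth/. The trailing slash on
    # proxy_pass replaces the matched "/auth/" with "/auth/", so the path
    # Keycloak receives is exactly the path the client sent (the prefix is
    # kept on purpose; "proxy_pass http://127.0.0.1:8080/" would drop it).
    location /auth/ {
        proxy_pass http://127.0.0.1:8080/auth/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells Keycloak the client used https, so the URLs it derives from
        # the request use https:// and can match an exact Valid Redirect URI
        # rather than a wildcard. Keycloak only honours this header when it is
        # configured to trust proxy headers, which is assumed here.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name auth.dp.net;
    return 301 https://$host$request_uri;
}
```

Check with `nginx -t` before reloading; the port 80 block keeps the question's redirect-to-https behaviour in a single rule.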