Hien Le

Reputation: 301

Infinite loop after logging in with Keycloak behind a reverse proxy

My scenario

I have a server with IP x.x.x.x

My web application is running on port 8083 of the server.

Keycloak (deployed with docker) is running on port 8080 of the server.

I want to set up nginx so that when I visit my-website.com, it will redirect to my web app at x.x.x.x:8083, and when I visit my-website.com/auth, it will redirect to Keycloak at x.x.x.x:8080. I also use SSL for my website.

Here's my nginx ssl.conf file:

upstream upstream_auth {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    listen [::]:80;
    server_name my-website.com www.my-website.com;
    return 301 https://my-website.com;
}

server {

    listen       443;
    ssl          on;
    server_name my-website.com;

    ssl_certificate      /etc/ssl/my-website.crt;
    ssl_certificate_key  /etc/ssl/my-website.key;

    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;

    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    keepalive_timeout    60;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;


    root /var/lib/tomcat7/webapps/ROOT/;
    client_max_body_size 50M;

    location / {
        proxy_pass  http://127.0.0.1:8083/;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /auth/{
       proxy_pass  http://upstream_auth;
       proxy_http_version 1.1;
       proxy_set_header URI_REQUEST_ORIGIN $request_uri;
       proxy_set_header Host            $host;
       proxy_set_header X-Real-IP       $remote_addr;
       proxy_set_header X-Forwarded-Server $host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Ssl on;
       proxy_set_header X-Forwarded-Proto $scheme;

      #proxy_pass_header Set-Cookie;

      proxy_set_header Connection "";
      proxy_set_header Proxy "";
    }
}

My problem:

When I visit my-website.com/auth, it takes me to the Keycloak landing page (as I expect). Then, when I click on Administrator Console and log in to the Master Realm of Keycloak, the browser seems to be stuck in an infinite loop of https://my-website.com/auth/admin/master/console/ and https://my-website.com/auth/admin/master/console/#state={constantly-changing-string}&session_state=xxx&code={another-constantly-changing-string}.

I've been searching for a solution and there seem to be many reasons that may cause this to happen.

What am I doing wrong here?

Upvotes: 0

Views: 5034

Answers (1)

Hien Le

Reputation: 301

Just figured out how to fix my issue.

I added the following line to my docker-compose file for Keycloak, and everything works fine now:

 PROXY_ADDRESS_FORWARDING: 'true'

As written in https://hub.docker.com/r/jboss/keycloak/:

When running Keycloak behind a proxy, you will need to enable proxy address forwarding.

docker run -e PROXY_ADDRESS_FORWARDING=true jboss/keycloak

Not sure why it works though. If anyone can explain, please do. I would like to understand my problem here.

Upvotes: 4
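A check for the setup described above, as an added example that is not part of the original post or Keycloak's code: it compares the URLs in a realm's OIDC discovery document against the origin the browser uses. The sample documents are constructed, and the `http://` variant assumes that Keycloak without proxy address forwarding derives its scheme from the plain-HTTP hop from nginx while keeping the forwarded `Host`.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the default port made explicit."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def find_origin_mismatches(public_base, discovery):
    """List (field, url) pairs whose origin differs from the public one.

    `discovery` is the parsed JSON normally served at
    <public_base>/auth/realms/<realm>/.well-known/openid-configuration.
    """
    expected = origin(public_base)
    mismatches = []
    for field, value in sorted(discovery.items()):
        is_url_field = field == "issuer" or field.endswith(("_endpoint", "_uri"))
        if is_url_field and isinstance(value, str) and origin(value) != expected:
            mismatches.append((field, value))
    return mismatches


def sample_discovery(scheme):
    """Constructed sample document; only the scheme varies."""
    base = f"{scheme}://my-website.com/auth/realms/master"
    return {
        "issuer": base,
        "authorization_endpoint": f"{base}/protocol/openid-connect/auth",
        "token_endpoint": f"{base}/protocol/openid-connect/token",
        "jwks_uri": f"{base}/protocol/openid-connect/certs",
        "response_types_supported": ["code"],  # not a URL, ignored
    }


if __name__ == "__main__":
    public = "https://my-website.com"
    for label, scheme in (("forwarding off", "http"), ("forwarding on", "https")):
        bad = find_origin_mismatches(public, sample_discovery(scheme))
        print(f"{label}: {len(bad)} mismatched URL(s)")
        for field, url in bad:
            print(f"  {field} -> {url}")
```

Any mismatch reported here means the server is advertising URLs on a different origin than the one the proxy serves over TLS.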
