Reputation: 607
How can I configure a containerized Keycloak-gatekeeper to act as a reverse proxy?
I'd like to accomplish the following configuration to provide authentication and authorization for a web server:
Each server is a separate Docker container.
In particular, I'm using the following docker-compose.yml:
version: '3'
volumes:
mysql_data:
driver: local
services:
apache:
image: bitnami/apache:2.4
mysql:
image: mysql:5.7
volumes:
- mysql_data:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD: root
MYSQL_DATABASE: keycloak
MYSQL_USER: keycloak
MYSQL_PASSWORD: password
keycloak:
image: jboss/keycloak
environment:
DB_VENDOR: MYSQL
DB_ADDR: mysql
DB_DATABASE: keycloak
DB_USER: keycloak
DB_PASSWORD: password
KEYCLOAK_USER: admin
KEYCLOAK_PASSWORD: Pa55w0rd
ports:
- 8080:8080
depends_on:
- mysql
keycloak-gatekeeper:
image: bitnami/keycloak-gatekeeper:2-scratch
ports:
- '3000:3000'
volumes:
- ./keycloak-gatekeeper.conf:/etc/keycloak-gatekeeper.conf
command:
- /keycloak-proxy
- "--config=/etc/keycloak-gatekeeper.conf"
As you can see, the reverse proxy (Keycloak-gatekeeper) is listening on port 3000 which is also exposed by Docker. What I want to accomplish is that accessing http://server_host:3000 the user is redirected to Keycloak for authentication, and if this is successful, to the web server which is listening on port 8080.
This is the keycloak-gatekeeper.conf I'm using:
# is the url for retrieve the OpenID configuration - normally the <server>/auth/realm/<realm_name>
discovery-url: http://keycloak_keycloak_1:8080/auth/realms/master
# the client id for the 'client' application
client-id: gatekeeper
# the secret associated to the 'client' application
client-secret: 396af61a-b05b-417b-8153-0f827c0aab6e
# the interface definition you wish the proxy to listen, all interfaces is specified as ':<port>', unix sockets as unix://<REL_PATH>|</ABS PATH>
listen: 127.0.0.1:3000
# whether to enable refresh tokens
enable-refresh-tokens: false
# the redirection url, essentially the site url, note: /oauth/callback is added at the end
redirection-url: http://127.0.0.1:3000
# the upstream endpoint which we should proxy request
upstream-url: http://apache:8080/
secure-cookie: false
# a collection of resource i.e. urls that you wish to protect
# ======================================================================
resources:
- uri: /*
methods:
- GET
However, given this configuration, accessing the URL http://server_host:3000 the browser shows an ERR_CONNECTION_REFUSED.
What could be the problem?
Upvotes: 2
Views: 2876
Answers (1)
Reputation: 111
I had the same problem when using 127.0.0.1:3000 in the listen statement. Try :3000 instead.
Upvotes: 3
Related Questions
- Configure reverse-proxy for Keycloak docker with custom base URL
- Keycloak SSL setup using docker image
- Keycloak in Docker with proxy such as nginx using non-standard ports
- Keycloak docker Administration Console shows blank page with reverse proxy
- Nginx reverse proxy for keycloak
- Keycloak behind reverse proxy mixes internal and external addresses
- Connection refused when connecting to keycloak container from backend container
- Keycloak gatekeepr behind nginx ingress reverse proxy
- Use Keycloak Gatekeeper in front of backend API
- Keycloak Gatekeeper (forwarding proxy) does nothing