Manuel Mauky

Reputation: 2193

Keycloak Admin console not accessible

I'm trying to set up Keycloak on a root server but I cannot access the admin console from the internet. I've installed the Keycloak server and put it behind an nginx reverse proxy on the same machine. I've set up a Let's Encrypt cert for the domain. I've also set up the admin user for Keycloak via script.

When I visit the server with its domain https://<my-domain> I'm forwarded to https://<my-domain>/auth and there is the Keycloak welcome page with a link to "Administration Console". This link points to https://<my-domain>/admin but shows a 404.

At first I thought this might be a problem with nginx so I followed the guide in the docs to set up a load balancer (https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy). There, under "Verify Configuration", it tells you to open the path https://<my-domain>/auth/realms/master/.well-known/openid-configuration which works as expected and I get a JSON file with several links and other information in it. However, none of those links work; all give me a 404.

When I try https://<my-domain>/auth/realms/master I get a JSON response. So some links do work so I think it's not a problem with nginx but with keycloak itself.

So the basic question is: How do I configure Keycloak so that I can access the admin console via internet? I've read that by default you can only access it on localhost but there must be a way to overwrite this default?

The relevant nginx config:

upstream keycloak {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl http2;
    # some ssl configuration for letsencrypt

    location / {
        proxy_pass          http://keycloak;
        proxy_set_header    Host                $host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Host    $host;
        proxy_set_header    X-Forwarded-Server  $host;
        proxy_set_header    X-Forwarded-Port    $server_port;
        proxy_set_header    X-Forwarded-Proto   $scheme;
    }
}

Some parts in keycloak/standalone/configuration/standalone.xml that I've edited:

<subsystem xmlns="urn:jboss:domain:undertow:10.0" ...>
    ...
    <server name="default-server">
        <http-listener name="default" 
            socket-binding="http" 
            redirect-socket="proxy-https"
            enable-http2="true"
            proxy-address-forwarding="true" />
        ...
    </server>
    ...
</subsystem>
...
<interfaces>
    <interface name="management">
        <any-address />
    </interface>
    <interface name="public">
        <any-address />
    </interface>
</interfaces>
<socket-binding-group name="standard-sockets" ...>
    ...
    <socket-binding name="proxy-https" port="443" />
    ...
</socket-binding-group>

EDIT

I was able to fix it. The problem was that Keycloak was redirecting the initial page from https://<my-domain>/ to https://<my-domain>/auth but then in all other links this additional /auth was missing. So the admin link was pointing to https://<my-domain>/admin/master/console without the /auth part and this page didn't exist. When I manually typed the URL with /auth in it I got a page with a "loading.." message, but all style and JavaScript files linked were also missing the /auth part in their URLs, so nothing was working.

To fix this I have now changed the line <web-context>auth</web-context> in standalone.xml to <web-context>/</web-context> and now everything behaves as expected. There is no redirect anymore at the start page and all links work without the /auth part in them. However, it would be interesting to know why it wasn't working in the first place and how one would solve this if the /auth redirection was intended.

Upvotes: 23

Views: 53172

Answers (4)

Jojo Gee

Reputation: 13

Add this env: KC_TRANSACTION_XA_ENABLED=false

Upvotes: 0

daniel rubambura

Reputation: 575

I had the same issue with Keycloak instances behind an nginx reverse proxy in my Kubernetes cluster. I fixed it by setting the env PROXY_ADDRESS_FORWARDING to true.

PROXY_ADDRESS_FORWARDING=true

Upvotes: 12

Jess

Reputation: 8700

You helped me solve my issue. I was setting the Java system property keycloak.frontendUrl (or env KEYCLOAK_FRONTEND_URL), and apparently it wants a full URL, not just the hostname. Appending /auth fixed my redirect problems.

It looks like keycloak.hostname.fixed.hostname (KEYCLOAK_HOSTNAME) may also cause problems if /auth isn't appended.

See docs for details on the hostname provider here: https://www.keycloak.org/docs/latest/server_installation/index.html#hostname

Upvotes: 21
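
An added example, not part of any answer here and not Keycloak's own code: a check that every URL in the /auth/realms/master/.well-known/openid-configuration document sits under the intended public base URL, which catches the missing /auth prefix described in the question as well as http:// or internal-port links leaking through the proxy. The host name sso.example.test, the sample document and the function name check_discovery are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample (not captured from a real server): a trimmed discovery
# document with three typical reverse-proxy mistakes in its endpoint URLs.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://sso.example.test/auth/realms/master",
    "authorization_endpoint":
        "https://sso.example.test/realms/master/protocol/openid-connect/auth",
    "token_endpoint":
        "http://sso.example.test/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri":
        "https://sso.example.test:8080/auth/realms/master/protocol/openid-connect/certs",
    "userinfo_endpoint":
        "https://sso.example.test/auth/realms/master/protocol/openid-connect/userinfo",
    "grant_types_supported": ["authorization_code"],
})

def _origin(parts):
    """(scheme, host, port) with the scheme's default port filled in."""
    default = {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), parts.port or default

def check_discovery(doc_text, frontend_url):
    """Return {field: reason} for each top-level URL in the discovery document
    that does not sit under frontend_url (scheme, host, port, context path)."""
    want = urlsplit(frontend_url)
    want_path = want.path.rstrip("/")      # "" when Keycloak is served at "/"
    problems = {}
    for field, value in json.loads(doc_text).items():
        if not (isinstance(value, str)
                and value.startswith(("http://", "https://"))):
            continue                        # not a URL-valued field
        got = urlsplit(value)
        if got.scheme != want.scheme:
            problems[field] = "scheme mismatch"
        elif _origin(got) != _origin(want):
            problems[field] = "host or port mismatch"
        elif want_path and got.path != want_path \
                and not got.path.startswith(want_path + "/"):
            problems[field] = "context path missing"
    return problems

if __name__ == "__main__":
    for field, reason in check_discovery(
            SAMPLE_DISCOVERY, "https://sso.example.test/auth").items():
        print(f"{field}: {reason}")
```

An empty result means the proxy headers and the frontend URL agree; any entry points at the setting to revisit (web-context, frontend URL, or the forwarded scheme and port).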

Julian Egner

Reputation: 281

Try opening /auth/admin/master/console/ in a browser.

Additional Info:

https://www.keycloak.org/docs/latest/getting_started/index.html

https://www.keycloak.org/docs-api/8.0/rest-api/index.html

Oh, and I recommend using a dockerized Keycloak. The upgrade path to a newer version is much easier.

Upvotes: -3
