Helrho

Reputation: 46

Keycloak in prod is stuck on loading admin page

I have a Keycloak server deployed with Docker behind an nginx reverse proxy. In dev mode everything works fine, but since I started trying to deploy it in prod, I can access the app, but when I want to configure my server from the admin console I'm stuck on this page:

[screenshot]

Docker-compose

version: '3'

services:
   postgresql:
     image: postgres:latest
     command: postgres -c 'max_connections=200'
     networks:
       - keycloak-net
       - postgresql-net
     restart: always
     environment:
       - POSTGRES_USER=keycloak
       - POSTGRES_PASSWORD=password
       - POSTGRES_DB=keycloak
     volumes:
       - ./keycloak/postgresql:/var/lib/postgresql/data


   keycloak:
     image: quay.io/keycloak/keycloak:20.0.3
     networks:
       - proxy-net
       - keycloak-net
     restart: always
     command: start --spi-truststore-file-file /etc/x509/https/truststore.jks --spi-truststore-file-password password --spi-truststore-file-hostname-verification-policy ANY
     environment:
       - KC_HOSTNAME=keycloak
       - KC_HOSTNAME_STRICT=false
       - KC_PROXY=edge
       - KC_HOSTNAME_STRICT_HTTPS=false
       - KC_DB=postgres
       - KC_DB_URL_HOST=postgresql
       - KC_DB_URL_DATABASE=keycloak
       - KC_DB_PASSWORD=password
       - KC_DB_USERNAME=keycloak
       - KC_DB_SCHEMA=public
       - KEYCLOAK_ADMIN=admin
       - KEYCLOAK_ADMIN_PASSWORD=password
     depends_on:
       - postgresql
     volumes:
       - ./keycloak/stores:/etc/x509/https

networks:
    proxy-net:
        external: true
    keycloak-net:
        driver: bridge
    postgresql-net:
        driver: bridge

Keycloak logs on startup

keycloak_1     | Next time you run the server, just run:
keycloak_1     | 
keycloak_1     |        kc.sh start --optimized --spi-truststore-file-file=/etc/x509/https/truststore.jks --spi-truststore-file-password=password --spi-truststore-file-hostname-verification-policy=ANY
keycloak_1     | 
keycloak_1     | 2023-01-19 18:15:53,562 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: keycloak, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
keycloak_1     | 2023-01-19 18:15:57,778 WARN  [io.quarkus.agroal.runtime.DataSources] (main) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
keycloak_1     | 2023-01-19 18:16:00,549 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
keycloak_1     | 2023-01-19 18:16:00,555 WARN  [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
keycloak_1     | 2023-01-19 18:16:00,658 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
keycloak_1     | 2023-01-19 18:16:00,742 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
keycloak_1     | 2023-01-19 18:16:01,352 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000128: Infinispan version: Infinispan 'Triskaidekaphobia' 13.0.10.Final
keycloak_1     | 2023-01-19 18:16:01,673 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN`
keycloak_1     | 2023-01-19 18:16:01,675 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!
keycloak_1     | 2023-01-19 18:16:01,866 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
keycloak_1     | 2023-01-19 18:16:01,869 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20.00MB, but the OS only allocated 212.99KB
keycloak_1     | 2023-01-19 18:16:01,870 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
keycloak_1     | 2023-01-19 18:16:01,872 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25.00MB, but the OS only allocated 212.99KB
keycloak_1     | 2023-01-19 18:16:03,900 INFO  [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) 4b41e052f453-15754: no members discovered after 2003 ms: creating cluster as coordinator
keycloak_1     | 2023-01-19 18:16:03,933 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [4b41e052f453-15754|0] (1) [4b41e052f453-15754]
keycloak_1     | 2023-01-19 18:16:03,947 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `4b41e052f453-15754`, physical addresses are `[192.168.16.3:54114]`
keycloak_1     | 2023-01-19 18:16:05,038 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: 4b41e052f453-15754, Site name: null
keycloak_1     | 2023-01-19 18:16:06,893 INFO  [io.quarkus] (main) Keycloak 20.0.3 on JVM (powered by Quarkus 2.13.6.Final) started in 17.483s. Listening on: http://0.0.0.0:8080
keycloak_1     | 2023-01-19 18:16:06,897 INFO  [io.quarkus] (main) Profile prod activated. 
keycloak_1     | 2023-01-19 18:16:06,899 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, smallrye-metrics, vault, vertx]
keycloak_1     | 2023-01-19 18:16:07,033 ERROR [org.keycloak.services] (main) KC-SERVICES0010: Failed to add user 'admin' to realm 'master': user with username exists

Note that the error at the end happens because my db already has an admin. I have the same issue when starting from an empty db.

nginx.conf

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name myserver.fr;

    ssl_certificate /etc/nginx/ssl/live/myserver.fr/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/myserver.fr/privkey.pem;
        
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    
    location / {
        proxy_pass http://keycloak:8080;
    }
}

Network console web browser

[screenshot]

Thanks in advance for your help!

I have tried a lot of configurations. I saw many times that adding KC_HOSTNAME_STRICT_HTTPS=false as an env variable is the solution. I tried it but it does not work.

Upvotes: 1

Views: 2063

Answers (1)

Helrho

Reputation: 46

With the help of @stdunbar I was able to solve this.

I had set KC_HOSTNAME to keycloak, which is the hostname of the container in my Docker network.

To solve my problem I set KC_HOSTNAME to the real hostname accessible from the browser: keycloak.mydomain.fr

Upvotes: 1
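A way to check for the misconfiguration described in this answer, added here as an example and not part of the original post: Keycloak advertises its frontend URLs in each realm's OIDC discovery document, so any advertised URL whose host is not the public hostname is one the browser cannot reach. The function names and the two sample documents are assumptions constructed for illustration; the samples are abridged and were not captured from a real server.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen


def fetch_discovery(base_url, realm="master"):
    """Download the realm's OIDC discovery document through the reverse proxy."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)


def unreachable_urls(doc, public_host, prefix=""):
    """Return {json_path: url} for every advertised URL that a browser on the
    public side could not use: wrong host, or a scheme other than https."""
    bad = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            # Nested objects (e.g. mtls_endpoint_aliases) carry URLs too.
            bad.update(unreachable_urls(value, public_host, path + "."))
        elif isinstance(value, str) and value.startswith(("http://", "https://")):
            parts = urlsplit(value)
            if parts.hostname != public_host.lower() or parts.scheme != "https":
                bad[path] = value
    return bad


# Constructed sample: the container name "keycloak" leaking into advertised URLs.
BROKEN = {
    "issuer": "https://keycloak/realms/master",
    "authorization_endpoint": "https://keycloak/realms/master/protocol/openid-connect/auth",
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://keycloak/realms/master/protocol/openid-connect/token"
    },
    "grant_types_supported": ["authorization_code"],
}
# Constructed sample: the same document after KC_HOSTNAME is set to the public name.
FIXED = json.loads(json.dumps(BROKEN).replace("//keycloak/", "//keycloak.mydomain.fr/"))

if __name__ == "__main__":
    for label, doc in (("KC_HOSTNAME=keycloak", BROKEN),
                       ("KC_HOSTNAME=keycloak.mydomain.fr", FIXED)):
        result = unreachable_urls(doc, "keycloak.mydomain.fr")
        print(label, "->", result or "all URLs use the public host")
```

Against a live deployment, pass the output of `fetch_discovery("https://keycloak.mydomain.fr")` to `unreachable_urls` instead of the embedded samples.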
