Reputation: 133
I am very new both to Keycloak and Nginx. I am trying to deploy Keycloak as a route on my website under /keycloak. However, I am getting an error of 502 bad gateway.
My nginx configuration is the following (I replaced the name of my actual website with mywebsite).
server {
    server_name mywebsite.com www.mywebsite.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        root /var/www/mywebsite/cba-frontend/dist;
        try_files $uri $uri/ /index.html;
    }

    location /keycloak/ {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Prefix /keycloak;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.mywebsite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = mywebsite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name mywebsite.com www.mywebsite.com;
    return 404; # managed by Certbot
}
Then, I created a Dockerfile for Keycloak:
FROM quay.io/keycloak/keycloak:latest as builder
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
ENV KC_FEATURES=token-exchange
RUN /opt/keycloak/bin/kc.sh build
FROM quay.io/keycloak/keycloak:latest
COPY --from=builder /opt/keycloak/ /opt/keycloak/
WORKDIR /opt/keycloak
ENV KC_HOSTNAME=mywebsite.com
ENV KC_PROXY=edge
ENV KC_HTTP_RELATIVE_PATH=/keycloak
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]
Lastly, I have a docker compose file to put this all together:
version: '3.8'

services:
  keycloak:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: custom-keycloak
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KC_HOSTNAME=mywebsite.com
      - KC_PROXY=edge
      - KC_HTTP_RELATIVE_PATH=/keycloak
    volumes:
      - keycloak_data:/opt/keycloak/data
    networks:
      - keycloak-network

networks:
  keycloak-network:
    driver: bridge

volumes:
  keycloak_data:
When I go to https://www.mywebsite.com/keycloak/, it throws an error of 502 Bad Gateway with Nginx.
The Nginx error log shows the error of (The client IP wasn't all zeros - I did that just for display purposes):
2024/05/23 16:32:34 [error] 101198#101198: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 00.00.000.00, server: mywebsite.com, request: "GET /keycloak/ HTTP/1.1", upstream: "http://127.0.0.1:8080/keycloak/", host: "www.mywebsite.com"
My keycloak does not show any notable errors:
2024-05-23 16:16:20,064 WARN [org.keycloak.quarkus.runtime.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
- proxy: Use proxy-headers.
Consult the Release Notes for details.
2024-05-23 16:16:21,699 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: mywebsite.com, Strict HTTPS: true, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-05-23 16:16:22,888 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-05-23 16:16:23,496 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!
2024-05-23 16:16:23,859 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN`
2024-05-23 16:16:23,882 INFO [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 45137773-0601-447c-9194-18d2540e72f8, name: e60985799b73-886
2024-05-23 16:16:23,934 WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
2024-05-23 16:16:23,934 WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20MB, but the OS only allocated 212.99KB
2024-05-23 16:16:23,934 WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
2024-05-23 16:16:23,935 WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25MB, but the OS only allocated 212.99KB
2024-05-23 16:16:23,986 INFO [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.36638
2024-05-23 16:16:26,024 INFO [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) e60985799b73-886: no members discovered after 2024 ms: creating cluster as coordinator
2024-05-23 16:16:26,067 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [e60985799b73-886|0] (1) [e60985799b73-886]
2024-05-23 16:16:26,138 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `e60985799b73-886`, physical addresses are `[172.27.0.2:52174]`
2024-05-23 16:16:26,188 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-05-23 16:16:27,979 WARN [io.quarkus.agroal.runtime.DataSources] (JPA Startup Thread) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-05-23 16:16:29,949 WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
2024-05-23 16:16:30,471 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: e60985799b73-886, Site name: null
2024-05-23 16:16:30,475 INFO [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-05-23 16:16:32,724 INFO [io.quarkus] (main) Keycloak 24.0.4 on JVM (powered by Quarkus 3.8.4) started in 14.131s. Listening on: http://0.0.0.0:8080
2024-05-23 16:16:32,727 INFO [io.quarkus] (main) Profile prod activated.
2024-05-23 16:16:32,727 INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, keycloak, logging-gelf, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, vertx]
How can I correctly configure my keycloak to work for an Nginx reverse proxy? I think I am close, but somewhere a header is incorrect and the connection is refused. sudo docker ps shows the container is running, and so is the bridge:
fea3c118df24 bridge bridge local
8df754b5793d cadaskeycloak_keycloak-network bridge local
7707e0966816 host host local
117517046e9d none null local
Upvotes: 1
Views: 518
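The nginx error log above records the upstream as http://127.0.0.1:8080 and the failure as connect() refused, which is a TCP-level symptom (no listener on that host port), not a header problem; the Keycloak log, meanwhile, shows it listening on 0.0.0.0:8080 inside the container. The following diagnostic is an added example, not code from the question or the answer: it probes the upstream the way the nginx location block does and classifies the result as "nothing listening", "hostname/path mismatch" or "ok". UPSTREAM_HOST, UPSTREAM_PORT and PUBLIC_HOST are assumptions taken from the posted config, the client address is constructed, and _FakeKeycloak is a constructed stand-in that redirects the way a reverse-proxied Keycloak root roughly does, so the script runs offline and shows both the refused and the healthy case.

```python
# Added diagnostic (not from the question or the answer): reproduce what the
# nginx "location /keycloak/" block does from the host's point of view, so a
# 502 can be narrowed to "nothing listening on the upstream" versus "upstream
# answers but with the wrong hostname/path".
import socket
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM_HOST = "127.0.0.1"     # assumption: nginx's proxy_pass target, from the error log
UPSTREAM_PORT = 8080            # assumption: the port Keycloak listens on
PUBLIC_HOST = "www.mywebsite.com"  # assumption: the public hostname from the question

# The headers the posted nginx location block sets before forwarding to Keycloak.
PROXY_HEADERS = {
    "Host": PUBLIC_HOST,
    "X-Real-IP": "203.0.113.10",        # constructed client address
    "X-Forwarded-For": "203.0.113.10",  # constructed client address
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Prefix": "/keycloak",
}


def tcp_probe(host, port, timeout=2.0):
    """Return 'open', 'refused' or 'unreachable' for host:port.

    'refused' is exactly the condition behind nginx's
    "connect() failed (111: Connection refused)": the host is reachable but no
    process has the port bound, e.g. a container that never published it.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def http_probe(host, port, path="/keycloak/"):
    """Send the request as nginx would and return (status, Location header)."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers=PROXY_HEADERS)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def diagnose(host=UPSTREAM_HOST, port=UPSTREAM_PORT):
    """Classify the upstream the way an operator would read nginx's error log."""
    state = tcp_probe(host, port)
    if state != "open":
        return (f"{state}: nothing accepts connections on {host}:{port}; "
                "check that the container publishes the port to the host")
    status, location = http_probe(host, port)
    if status in (301, 302, 303, 307, 308) and location:
        if location.startswith(f"https://{PUBLIC_HOST}/keycloak/"):
            return f"ok: upstream redirects to {location}"
        return f"hostname/path mismatch: upstream redirects to {location}"
    return f"upstream answered {status} for /keycloak/"


class _FakeKeycloak(BaseHTTPRequestHandler):
    """Constructed stand-in for Keycloak: redirect /keycloak/ to the admin
    console, building the Location from the proxy headers it was handed."""

    def do_GET(self):
        proto = self.headers.get("X-Forwarded-Proto", "http")
        host = self.headers.get("Host", "localhost")
        if self.path == "/keycloak/":
            self.send_response(302)
            self.send_header("Location", f"{proto}://{host}/keycloak/admin/")
            self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_keycloak():
    """Bind an ephemeral port on 127.0.0.1 and serve _FakeKeycloak in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), _FakeKeycloak)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def free_port():
    """Pick a port that is currently closed, to reproduce the 'refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("closed port   ->", diagnose(port=free_port()))
    srv = start_fake_keycloak()
    print("fake upstream ->", diagnose(port=srv.server_address[1]))
    srv.shutdown()
```

Run against the real host, `diagnose()` with the defaults reports the "refused" branch whenever nothing on the host has 8080 bound; the posted compose file declares no `ports:` entry for the keycloak service, so the container's 8080 is reachable only from inside the keycloak-network bridge, which matches the error log. Once the upstream answers, the redirect's Location tells you whether KC_HOSTNAME and KC_HTTP_RELATIVE_PATH line up with the public URL. One caveat from the Keycloak log itself: with KC_PROXY=edge it considers both X-Forwarded-* and the Forwarded header, and the nginx block sets the former but never overwrites the latter, so a client-supplied Forwarded header passes straight through to Keycloak; either clear it at the proxy with `proxy_set_header Forwarded "";` or, as the deprecation notice suggests, replace KC_PROXY with KC_PROXY_HEADERS=xforwarded so Keycloak honours only the headers nginx actually sets.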
Reputation: 3
Maybe this will solve the issue; adjust the Dockerfile like this:
ENV KC_PROXY=edge
ENV KC_HOSTNAME_STRICT=false
ENV KC_HOSTNAME_STRICT_HTTPS=false
ENV KC_HOSTNAME_URL=https://mywebsite.com
ENV KC_HOSTNAME_PATH=/keycloak
ENV KC_HOSTNAME_ADMIN_URL=https://mywebsite.com
ENV KC_FRONT_END_URL=https://mywebsite.com
ENV KC_HTTP_RELATIVE_PATH=/keycloak
ENV KC_HTTP_ENABLED=true
Upvotes: 0