Jesus Corral

Keycloak 25.0.2 not running over HTTP on Azure Container App

We are deploying Keycloak 25.0.2 in Azure Container App, and we want to run Keycloak over HTTP (without a certificate), but when we try to access the URL exposed by Azure Container App over HTTPS (https://keycloak-server--u9hs5rq.proudrock-baec4025.northeurope.azurecontainerapps.io) we get the error shown in the screenshot.

As we can see in the Network tab, the call to "http://keycloak-server--u9hs5rq.proudrock-baec4025.northeurope.azurecontainerapps.io/resources/master/admin/en" is failing, but if we paste this URL directly into the browser I get the result without issues.

Browser console with the error

Realm settings configuration:

We are creating the Docker image with this Dockerfile:

FROM quay.io/keycloak/keycloak:25.0.2 as builder

# Database connection settings
ENV KC_DB=mssql
ENV KC_DB_URL="jdbc:sqlserver://keycloaktests.database.windows.net:1433;database=keycloak"
# Note: values baked into ENV instructions end up in the image layers and are
# readable by anyone who can pull the image; runtime secrets are safer here
ENV KC_DB_USERNAME=***
ENV KC_DB_PASSWORD=****

# Bootstrap admin account (same caveat as above)
ENV KEYCLOAK_ADMIN=**
ENV KEYCLOAK_ADMIN_PASSWORD=**

# Hostname is taken from the incoming request rather than pinned
ENV KC_HOSTNAME_STRICT=false
ENV KC_HOSTNAME_STRICT_HTTPS=false
# Listen on plain HTTP inside the container; TLS is terminated by the ingress
ENV KC_HTTP_ENABLED=true
# Trust the RFC 7239 Forwarded header sent by the ingress so that generated
# URLs use the client's scheme and host, not the container's
ENV KC_PROXY_HEADERS=forwarded
ENV KC_HTTPS_CLIENT_AUTH=none
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]

Azure Container App Ingress Configuration:

We've tried configuring these environment variables in the Docker image configuration:

ENV KC_HTTP_ENABLED=true
ENV KC_PROXY_HEADERS=forwarded

Also, the Ingress configuration of the Azure Container App, as we can see in the screenshot, allows HTTP traffic, but accessing https://keycloak-server--u9hs5rq.proudrock-baec4025.northeurope.azurecontainerapps.io fails when it tries to get http://keycloak-server--u9hs5rq.proudrock-baec4025.northeurope.azurecontainerapps.io/resources/master/admin/en.

On the other hand, if I go directly to http://keycloak-server--u9hs5rq.proudrock-baec4025.northeurope.azurecontainerapps.io/resources/master/admin/en I get the results without issues.

The expected behavior is to get the Keycloak login page without issues.


Answers (1)

Arko

You are absolutely correct, Jesus Corral. The issue was caused by Keycloak's handling of internal backchannel communications when the ingress was configured for HTTPS. In order to resolve this issue, you need to set the KC_HOSTNAME_BACKCHANNEL_DYNAMIC environment variable to true in your Docker config file. This environment variable ensures that Keycloak dynamically adjusts its internal backchannel communication to match the protocol used by the client (in your case, HTTPS).

Add the following line to your Dockerfile or set it as an environment variable in your Azure Container App configuration:

Updated Dockerfile:

FROM quay.io/keycloak/keycloak:25.0.2 as builder

ENV KC_DB=mssql
ENV KC_DB_URL="jdbc:sqlserver://keycloaktests.database.windows.net:1433;database=keycloak"
ENV KC_DB_USERNAME=***
ENV KC_DB_PASSWORD=****

ENV KEYCLOAK_ADMIN=**
ENV KEYCLOAK_ADMIN_PASSWORD=**

ENV KC_HOSTNAME_STRICT=false
ENV KC_HOSTNAME_STRICT_HTTPS=false
ENV KC_HTTP_ENABLED=true
ENV KC_PROXY_HEADERS=forwarded
ENV KC_HTTPS_CLIENT_AUTH=none
# Added line: let backchannel URLs follow the scheme/host of the request
ENV KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true

ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]

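The mixed-content failure in the question and the proxy and hostname settings in the answer come down to one mechanism: Keycloak builds absolute URLs from the scheme and host it believes the client used, and behind a TLS-terminating ingress it only learns that from a Forwarded or X-Forwarded-* header it has been told to trust (KC_PROXY_HEADERS). The script below is an added example, not code from the original post or from the Keycloak project. It derives the external base URL from such headers the way a proxy-aware server does, and then audits an OIDC discovery document for endpoints whose scheme or host disagree with that base URL, which is the quickest outside-in check for this misconfiguration. The host kc.example.test, the constructed discovery document and all function names are assumptions made for illustration.

```python
"""Audit the URLs Keycloak publishes behind a TLS-terminating proxy.

Added example (not from the original post or from Keycloak). A browser
on an https:// page refuses to load script/CSS from http:// URLs, so any
endpoint Keycloak advertises with the wrong scheme shows up exactly as
the "resources/master/admin/en" failure described in the question.
"""
import json
import sys
from urllib.parse import urlsplit


def base_url_from_headers(headers, listener_scheme="http", listener_host="localhost:8080"):
    """Return "scheme://host" as a proxy-aware server would compute it.

    Prefers the RFC 7239 Forwarded header (first hop only, as that is the
    hop closest to the client), falls back to X-Forwarded-Proto and
    X-Forwarded-Host, and finally to the listener's own scheme and host,
    which is all Keycloak sees when no trusted proxy header is present.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host = listener_scheme, listener_host
    fwd = h.get("forwarded")
    if fwd:
        first_hop = fwd.split(",")[0]
        for pair in first_hop.split(";"):
            if "=" not in pair:
                continue
            key, value = pair.strip().split("=", 1)
            value = value.strip().strip('"')  # RFC 7239 allows quoted values
            if key.lower() == "proto":
                scheme = value.lower()
            elif key.lower() == "host":
                host = value
    else:
        if "x-forwarded-proto" in h:
            scheme = h["x-forwarded-proto"].split(",")[0].strip().lower()
        if "x-forwarded-host" in h:
            host = h["x-forwarded-host"].split(",")[0].strip()
    return f"{scheme}://{host}"


def find_mismatched_urls(discovery, expected_base):
    """Return (key, url) pairs whose scheme or host differ from expected_base.

    Only string values that are absolute http(s) URLs are checked; lists
    such as response_types_supported are skipped.
    """
    expected = urlsplit(expected_base)
    mismatches = []
    for key, value in discovery.items():
        if isinstance(value, str) and value.startswith(("http://", "https://")):
            parts = urlsplit(value)
            if parts.scheme != expected.scheme or parts.netloc != expected.netloc:
                mismatches.append((key, value))
    return mismatches


def audit_discovery_json(text, expected_base):
    """Parse a discovery document given as JSON text and audit it."""
    return find_mismatched_urls(json.loads(text), expected_base)


# Constructed sample: what a misconfigured deployment might advertise, with
# one endpoint generated from the container's plain-HTTP listener. This is
# illustrative data, not output captured from a real Keycloak instance.
SAMPLE_DISCOVERY = {
    "issuer": "https://kc.example.test/realms/master",
    "authorization_endpoint": "http://kc.example.test/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://kc.example.test/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://kc.example.test/realms/master/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token"],
}

# Constructed header sets: what an ingress terminating TLS should forward.
INGRESS_FORWARDED = {"Forwarded": 'for=203.0.113.7;proto=https;host="kc.example.test"'}
INGRESS_XFORWARDED = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "kc.example.test"}


if __name__ == "__main__":
    # Usage: curl -s https://HOST/realms/master/.well-known/openid-configuration \
    #        | python3 kc_url_audit.py https://HOST
    base = sys.argv[1] if len(sys.argv) > 1 else base_url_from_headers(INGRESS_FORWARDED)
    doc_text = sys.stdin.read() if not sys.stdin.isatty() else json.dumps(SAMPLE_DISCOVERY)
    for key, url in audit_discovery_json(doc_text, base):
        print(f"MISMATCH {key}: {url} (expected base {base})")
```

Run it against the live deployment by piping the realm's openid-configuration into the script with the public https:// base URL as the argument; every reported key is an endpoint the browser would fetch over the wrong scheme or host. If the list is non-empty even though the ingress is sending a Forwarded header, Keycloak is not trusting it, which points back at the KC_PROXY_HEADERS and hostname settings rather than at the ingress.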