TheSwabian

Reputation: 11

keycloak behind synology reverse proxy

I've got a Keycloak Docker container running on a Synology RackStation. This RackStation is accessible via a public domain and protected by Cloudflare upfront. I can access the Keycloak instance in my local network, but not via a configured subdomain that is served by the Synology DSM reverse proxy. When I query the subdomain, it redirects me to the admin console of Keycloak and after a while I get the following error message: "somethingWentWrongDescription".

Internet --> https://sso.example.com --> Cloudflare --> Synology DSM reverse proxy https://sso.example.com --> http://localhost:20600

The reverse proxy is configured with the following headers:

Header             Value
X-Forwarded-For    $proxy_add_x_forwarded_for
X-Forwarded-Proto  $proxy_x_forwarded_proto
X-Real-IP          $remote_addr
Upgrade            $http_upgrade
Connection         $connection_upgrade

The docker compose looks as follows:

version: '3.7'

services:
  db:
    image: postgres
    container_name: keycloak-db
    volumes:
      - /volume1/docker/keycloak/db:/var/lib/postgresql/data:rw
    environment:
      POSTGRES_DB: ${POSTGRES_DB}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}

  keycloak:
    image: quay.io/keycloak/keycloak
    container_name: keycloak
    restart: on-failure:5
    command: start
    healthcheck:
      test: curl -f http://localhost:8080/ || exit 1
    environment:
      KC_PROXY_HEADERS: xforwarded
      KC_HTTP_ENABLED: true
      KC_HOSTNAME_STRICT: false
      KC_HTTP_RELATIVE_PATH: /auth
      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://db/${POSTGRES_DB}
      KC_DB_USERNAME: ${POSTGRES_USER}
      KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
    ports:
      - 20600:8080
    depends_on:
      - db

The hostname debug of keycloak: hostname-debug

What am I doing wrong?

I once got it running with a legacy version of Keycloak that was accessible from the subdomain, but I wanted to use the most up-to-date Keycloak. Since then I haven't been able to get it running.

Keycloak behind reverse proxy did not help.

Upvotes: 0

Views: 941

Answers (1)

TheSwabian

Reputation: 11

I finally got it working by setting the variable KC_HOSTNAME. My compose looks as follows:

keycloak:
  image: quay.io/keycloak/keycloak
  container_name: keycloak
  restart: on-failure:5
  command: start
  healthcheck:
    test: curl -f http://localhost:8080/ || exit 1
  environment:
    KC_PROXY_HEADERS: xforwarded
    KC_HTTP_ENABLED: true
    KC_HOSTNAME_STRICT: false
    KC_HTTP_RELATIVE_PATH: /
    KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
    KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
    KC_DB: postgres
    KC_DB_URL: jdbc:postgresql://db/${POSTGRES_DB}
    KC_DB_USERNAME: ${POSTGRES_USER}
    KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
    KC_HOSTNAME_DEBUG: true
    KC_LOG_LEVEL: debug
    KC_HOSTNAME_BACKCHANNEL_DYNAMIC: false
    KC_HOSTNAME: https://sso.example.com
  ports:
    - 20600:8080
  depends_on:
    - db

Upvotes: 1
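
An added example, not part of the original post: one way to confirm that a hostname fix like the one above took effect is to compare the realm's OIDC discovery document with the public URL. The helper names, the `master` realm and the sample documents are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# URL-valued fields of the OIDC discovery document that clients follow.
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
              "userinfo_endpoint", "end_session_endpoint", "jwks_uri")

def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    return p.scheme, p.hostname or "", p.port or {"https": 443, "http": 80}.get(p.scheme)

def check_discovery(doc, public_url, realm="master"):
    """Return (field, reason) pairs where doc disagrees with public_url."""
    want = origin(public_url)
    issuer = f"{public_url.rstrip('/')}/realms/{realm}"
    problems = []
    for field in URL_FIELDS:
        value = doc.get(field)
        if not value:
            problems.append((field, "missing"))
        elif origin(value) != want:
            # Internal scheme or port leaked past the reverse proxy.
            problems.append((field, f"origin {origin(value)} is not {want}"))
        elif not (value == issuer if field == "issuer" else value.startswith(issuer + "/")):
            # Right host, but the path prefix (relative path) does not match.
            problems.append((field, f"path is not under {issuer}"))
    return problems

def sample(base):
    """Constructed discovery document (not captured from a real server)."""
    realm = f"{base}/realms/master"
    oidc = f"{realm}/protocol/openid-connect"
    return {"issuer": realm, "authorization_endpoint": f"{oidc}/auth",
            "token_endpoint": f"{oidc}/token", "userinfo_endpoint": f"{oidc}/userinfo",
            "end_session_endpoint": f"{oidc}/logout", "jwks_uri": f"{oidc}/certs"}

GOOD = sample("https://sso.example.com")          # matches KC_HOSTNAME
LEAKED = sample("http://sso.example.com:20600")   # constructed: internal scheme and port

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("LEAKED", LEAKED)):
        found = check_discovery(doc, "https://sso.example.com")
        print(name, "OK" if not found else found)
```

To run it against a live instance, load the JSON served at `https://sso.example.com/realms/master/.well-known/openid-configuration` and pass it as `doc`.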
