44

How can I set the docker keycloak base url as parameter?

I have the following nginx reverse proxy configuration:

server {
    listen 80;
    server_name example.com;

    location /keycloak {
        proxy_pass http://example.com:8087/;
    }
}

When I try to access http://example.com/keycloak/ I get a Keycloak HTTP redirect to http://example.com/auth/ instead of http://example.com/keycloak/auth/.

Any ideas?

François Maturel
louis amoros
  • Suggestion: `location /keycloak { proxy_pass http://example.com:8087/keycloak;}` – François Maturel
  • @FrançoisMaturel I tried what you suggested but it did not work – louis amoros Jun 19 '17 at 07:55

6 Answers

62

Just tested that @home, and actually multiple configuration additions are needed:

1/ Run the keycloak container with env -e PROXY_ADDRESS_FORWARDING=true as explained in the docs; this is required when accessing keycloak through a proxy:

docker run -it --rm -p 8087:8080 --name keycloak -e PROXY_ADDRESS_FORWARDING=true jboss/keycloak:latest

Also explained in this SO question

2/ Change the web-context inside keycloak's configuration file $JBOSS_HOME/standalone/configuration/standalone.xml

Default keycloak configuration points to auth

<web-context>auth</web-context>

Then you could change it to keycloak/auth

<web-context>keycloak/auth</web-context>

If you need to automate this for docker, just create a new keycloak image:

FROM jboss/keycloak:latest

USER jboss

RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone.xml

3/ Add some proxy information to nginx configuration (mostly for http / https handling)

location /keycloak {
    proxy_pass http://example.com:8087;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

If you are proxying requests from nginx to keycloak on the same server, I recommend using proxy_pass http://localhost:8087;, and if not, try to use a private network to avoid proxying through external web requests.

Hope this helps

François Maturel
  • Are these dependent steps? Or there 3 ways to tackle this issue? – nurgasemetey Dec 15 '18 at 07:23
  • @nurgasemetey, all thoses steps are needed to resolve this issue – François Maturel Dec 17 '18 at 09:31
  • It seems like this approach leads to subtile semantic errors - see https://issues.jboss.org/browse/KEYCLOAK-11529 for an example that is currently hitting me ... – col.panic Oct 15 '19 at 07:13
  • @col.panic this seems to be related to latest version of keycloak, please update me if you find a working solution – François Maturel Oct 15 '19 at 12:32
  • @FrançoisMaturel please see the resp. jboss ticket - I found a workaround/solution – col.panic Oct 15 '19 at 13:55
  • Just an upgrade - My nginx is hidden behind Apache and all internal requests are forwarded over http, so header `X-Forwarded-Proto $remote_addr` did not work for me. I had to set `X-forwarded-Proto https`. Otherwise the browser was yelling at me some errors with https -> http insecure requests. – Kuba Šimonovský May 18 '20 at 07:16
  • I am using keycloak behind a nginx proxy and had the same issue. For me it was enough to just give keycloak the env variable PROXY_ADDRESS_FORWARDING=true. The other configuration might not be necessary in every case. – Marc B. Apr 17 '21 at 09:15
  • That's not really good... what if in production they can set up any context path they want? This is a build-time solution but I need a runtime approach. We manage the context-path totally with ingress which is the infrastructure's team responsibility and during the development we don't know what context-path they want to choose. Is it possible to replace the `web-context` with an environment variable? – xbmono Jul 13 '21 at 22:56
  • @MarcB. I am using keycloak behind a nginx proxy and for me it was necessary to add the configuration under 3/. I wonder what's the difference. Are you running within a docker(-compose) environment? – Markus Rohlof Jan 03 '22 at 12:45
  • @MarkusRohlof I just checked again and we are not using any of the configurations under 3/. And yes, we run it in within a docker-compose env. – Marc B. Jan 03 '22 at 16:53
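Once the three pieces above are in place (the same applies to the KC_HTTP_RELATIVE_PATH route in the Keycloak 18 answer further down), what is worth verifying is that every redirect Keycloak emits stays under the public prefix and keeps the public scheme: a Location of http://example.com/auth/ means the prefix was lost, and an http:// Location behind an https:// proxy means X-Forwarded-Proto was not honoured. The script below is an added example, not code from this answer or from Keycloak. The public base URL, the prefix and the probed paths are assumptions for the demonstration; redirect_under_prefix works offline on a header value, while probe_location needs curl and a reachable host.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a Keycloak published
# under a path prefix redirects back under that prefix and with the public
# scheme. Base URL, prefix and probed paths are assumed, not taken from the
# answers.
set -eu

# Exit 0 when a Location header value points under PUBLIC_BASE/PREFIX
# (same scheme, same host, path starts with PREFIX/ or equals PREFIX).
# $1 = Location value, $2 = public base (https://example.com), $3 = prefix (/keycloak)
redirect_under_prefix() {
    loc=$1; base=${2%/}; prefix=${3%/}
    case $loc in
        /*) loc="${base}${loc}" ;;      # host-relative Location: resolve against the public base
    esac
    case $loc in
        "${base}${prefix}"/*) return 0 ;;
        "${base}${prefix}")   return 0 ;;
        *)                    return 1 ;;
    esac
}

# Fetch one URL without following redirects and print its Location header
# (empty when the response is not a redirect). Needs curl and network.
# $1 = URL
probe_location() {
    curl -sSI "$1" | tr -d '\r' | awk 'tolower($1) == "location:" { print $2 }'
}

# Probe the paths a browser hits when opening the prefixed console and fail
# if any redirect leaves the prefix or downgrades the scheme.
# $1 = public base, $2 = prefix
check_deployment() {
    base=${1%/}; prefix=${2%/}; rc=0
    for path in "$prefix/" "$prefix/auth/admin/"; do
        loc=$(probe_location "$base$path")
        if [ -z "$loc" ]; then
            echo "$path: no redirect"
            continue
        fi
        if redirect_under_prefix "$loc" "$base" "$prefix"; then
            echo "$path -> $loc: ok"
        else
            echo "$path -> $loc: leaves prefix or changes scheme" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check-prefix.sh https://example.com /keycloak
if [ $# -eq 2 ]; then
    check_deployment "$1" "$2"
fi
```

Run it against the public hostname, not against localhost:8087 directly: the point is to see what the browser sees after nginx has added (or failed to add) the forwarded headers.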
18

The redirect from /keycloak to /keycloak/auth isn't working. The redirect route in index.html and Base-URL is missing the /keycloak part. I had to add this:

FROM jboss/keycloak:latest

USER jboss

# web-context in both server profiles the entrypoint may start with
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone.xml
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone-ha.xml
# rename the name="/" location (welcome content) to /keycloak/
RUN sed -i -e 's/name="\/"/name="\/keycloak\/"/' $JBOSS_HOME/standalone/configuration/standalone.xml
RUN sed -i -e 's/name="\/"/name="\/keycloak\/"/' $JBOSS_HOME/standalone/configuration/standalone-ha.xml
# links inside the welcome page itself
RUN sed -i -e 's/\/auth/\/keycloak\/auth/' $JBOSS_HOME/welcome-content/index.html
# domain-mode profile
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/domain/configuration/domain.xml
ntg
  • This sadly did not help for me on Keycloak v11.0.2 - there are possibly even more instances which need to be replaced meanwhile? – pat-s Oct 17 '20 at 07:10
  • @pat-s there are some new files: `RUN sed -i -e 's/auth<\/web-context>/keycloak\/auth<\/web-context>/' $JBOSS_HOME/domain/configuration/domain.xml` – mirisbowring Dec 05 '20 at 19:09
  • Tested, adding it to answer... – ntg Feb 22 '22 at 09:09
10

Building on @Francois Maturel's response: for the latest Keycloak (currently 4.8.x), I had to add an additional line to replace the web-context in standalone-ha.xml as well:

FROM jboss/keycloak:latest
USER jboss
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone.xml
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
RUN sed -i -e 's/\/auth/\/keycloak\/auth/' /opt/jboss/keycloak/welcome-content/index.html

The reason is that the docker-entrypoint.sh startup script will use standalone-ha.xml configuration in addition to standalone.xml unless the -c flag is passed. See here: https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/docker-entrypoint.sh

ntg
Mark
  • Worked, but e.g. `localhost:8080/` was still directed to `localhost:8080/auth` instead of `localhost:8080/keycloak/auth` , added a line for index.html to fix... But maybe @Andreas_Burghardt answer is more complete... – ntg Feb 22 '22 at 09:02
7

In Keycloak 18.x you can't use web-context anymore.

There is now a new argument http-relative-path, which contains the path relative to '/'.

CLI: --http-relative-path

Env: KC_HTTP_RELATIVE_PATH

Dennis Meissel
2

I can also confirm that when using the docker image keycloak 6.0.1, the standalone-ha.xml file also needs to be changed using the sed command...

RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone.xml
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
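The sed lines in this answer and in the two Dockerfile answers above share one weakness that the comments point at: sed exits 0 whether or not its pattern matched, so when a Keycloak release moves or renames <web-context>, docker build succeeds and the image still serves /auth. The script below is an added example, not code from any of these answers or from Keycloak. It performs the same replacement through a function that fails when the default element is absent or the new value is not visible afterwards, so a RUN step built on it breaks the build instead of shipping a half-patched image. The file names and the XML snippet in demo are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the answers): rewrite <web-context> like the
# Dockerfiles do, but fail when nothing was replaced. Sample files and the
# XML snippet in demo are constructed for the demonstration.
set -eu

# $1 = config file, $2 = new context such as keycloak/auth.
# Returns 1 if the file has no default <web-context>auth</web-context> to
# replace, or if the replacement is not present afterwards.
set_web_context() {
    f=$1; ctx=$2
    if ! grep -q '<web-context>auth</web-context>' "$f"; then
        echo "$f: default <web-context>auth</web-context> not found" >&2
        return 1
    fi
    # write to a temp file and rename: portable across GNU and BSD sed
    sed -e "s|<web-context>auth</web-context>|<web-context>${ctx}</web-context>|" "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
    grep -q "<web-context>${ctx}</web-context>" "$f"
}

# Apply to every profile the answers touch (standalone, standalone-ha,
# domain), stopping at the first failure. $1 = context, rest = files.
relocate_all() {
    ctx=$1; shift
    for f in "$@"; do
        set_web_context "$f" "$ctx" || return 1
        echo "$f: web-context -> $ctx"
    done
}

# Self-contained run on constructed config files.
demo() {
    d=$(mktemp -d)
    printf '<subsystem>\n    <web-context>auth</web-context>\n</subsystem>\n' > "$d/standalone.xml"
    cp "$d/standalone.xml" "$d/standalone-ha.xml"
    relocate_all keycloak/auth "$d/standalone.xml" "$d/standalone-ha.xml"
    # a second run must fail: the default context is already gone, which is
    # the case a version bump produces and plain sed would hide
    if set_web_context "$d/standalone.xml" keycloak/auth 2>/dev/null; then
        echo "second run unexpectedly succeeded" >&2
        rm -rf "$d"
        return 1
    fi
    rm -rf "$d"
}

# Usage: sh relocate.sh demo
#    or: sh relocate.sh keycloak/auth $JBOSS_HOME/standalone/configuration/standalone.xml ...
if [ "${1:-}" = "demo" ]; then
    demo
elif [ $# -ge 2 ]; then
    relocate_all "$@"
fi
```

In a Dockerfile the equivalent is one RUN line per file that ends in a grep -q for the new value, so the step's exit status reflects whether the rewrite actually happened.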

2

In my case, I have an existing Keycloak (v8.0.1) on Docker, so I had to update the database as well.

  1. Launch Keycloak Docker container with the following environment variable:

    PROXY_ADDRESS_FORWARDING: 'true'

  2. Update the database. I'm using Postgres.

    psql -U keycloak -d keycloak

    update realm set ssl_required='NONE';

  3. Restart Keycloak

Example for Postgres DB, by Sairam Krish

Carlo Ledesma