
I just set up a Keycloak Docker container as follows:

docker run --name keycloak --net keycloak-network \
    -e DB_ADDR=mysql -e DB_DATABASE=keycloak -e DB_USER=keycloak -e DB_PASSWORD=mypassword \
    -d -p 8088:8080 \
    -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=mypassword \
    -e KEYCLOAK_HOSTNAME="keycloak.example.net" \
    -e PROXY_ADDRESS_FORWARDING=true -e KEYCLOAK_HTTPS_PORT=443 \
    jboss/keycloak

On my server, I have an Apache2 web server running, with the following configuration file in sites-available for "keycloak.example.net":

<VirtualHost keycloak.example.net:80>
    ServerName keycloak.example.net

    Redirect permanent / https://keycloak.example.net/
</VirtualHost>

<VirtualHost keycloak.example.net:443>
    ServerName keycloak.example.net

    SSLEngine On

    SSLCertificateFile /etc/letsencrypt/live/keycloak.example.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/keycloak.example.net/privkey.pem

    SSLProxyEngine on
    ProxyPreserveHost On

    <Location />
        Order allow,deny
        Allow from all
        Require all granted
        ProxyPass http://localhost:8088/
        ProxyPassReverse http://localhost:8088/
    </Location>
</VirtualHost>

My Apache web server already redirects me correctly (forcing HTTPS, as you can see) to my Docker container, which listens on port 8088 on the host machine and on port 8080 inside the container.

As soon as I visit https://keycloak.example.net/auth, it tries to redirect me to the correct Keycloak page, but then throws this error:

HTTPS required

What do I have to change to make it work?


waldemar_enns
  • I suddenly started seeing this error today. I am confused because I've been using the same configuration and keycloak image for a long time. Perhaps there is a time-dependency at play? – Mario Jul 10 '19 at 10:39
  • My setup is entirely source controlled, so I'm still puzzled why it broke. Nonetheless, in case it helps others: I changed the `master` realm's `sslRequired` setting to `none` from `external`. I haven't figured out why `external` worked previously. – Mario Jul 10 '19 at 11:05
  • @Mario what is your setup? Do you run a container or did you build from source? – waldemar_enns Jul 12 '19 at 13:44
  • Have you had a look at this answer https://stackoverflow.com/questions/47068266/keycloak-docker-behind-loadbalancer-with-https-fails/47069143#47069143 It seems that this is a very similar case. – Boomer Jul 12 '19 at 14:40
  • @WaldemarEnns In production, we run on Kubernetes, but the setup in question was for local development. We're running the `jboss/keycloak` docker image. The docker image supports migrations so we use JSON configuration files to setup our realm and some scripts to enable services accounts. – Mario Jul 12 '19 at 17:35

1 Answer

Solution

So I finally could fix my bug this way:

  1. Edit my keycloak.example.conf in the /etc/apache2/sites-available directory:
...
<VirtualHost keycloak.example.net:443>
...
RequestHeader set X-Forwarded-Proto "https"
...
  2. Make sure the headers module is enabled in Apache: a2enmod headers
  3. Restart my Apache server: service apache2 restart

Conclusion

So it seems that I just had not configured my Apache server to forward the HTTPS information in the necessary way.

I hope I can help someone with this solution and save you some time. Big thanks to @Boomer, who posted the necessary link, and to @Mario, who supported this lonely question and showed me his solution.

waldemar_enns
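Why the single `RequestHeader` line fixes it, as an added example that is not part of the question, the answer, or the Keycloak project: Apache's mod_proxy_http adds X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server on its own, but not X-Forwarded-Proto. With PROXY_ADDRESS_FORWARDING=true the container takes the client address from X-Forwarded-For (the real, public client) and the scheme from X-Forwarded-Proto; when the latter is absent it sees a plaintext connection from a non-local client, which is exactly what a realm with sslRequired=external rejects. The Python below models that decision (a simplified re-implementation and an assumption about Keycloak's behaviour, not its source), feeds it the header sets the question's VirtualHost produces before and after the fix, and checks a VirtualHost text for the directives that must be present. The header values, the Docker gateway address 172.17.0.1, and the trimmed VirtualHost texts are constructed for the example.

```python
"""Model of why an Apache reverse proxy without X-Forwarded-Proto makes
Keycloak answer "HTTPS required", plus a check for the fixing directives.

Added example; not code from the question, the answer, or Keycloak.
keycloak_decision() is a simplified model (an assumption, not Keycloak's
source) of a realm with sslRequired=external behind a proxy when the
container runs with PROXY_ADDRESS_FORWARDING=true.
"""
import ipaddress
import re

# Headers Apache's mod_proxy_http adds by itself (constructed values;
# 203.0.113.7 is RFC 5737 documentation space standing in for a real client).
# X-Forwarded-Proto is NOT among them.
HEADERS_BEFORE = {
    "X-Forwarded-For": "203.0.113.7",
    "X-Forwarded-Host": "keycloak.example.net",
    "X-Forwarded-Server": "keycloak.example.net",
}
# Same request once `RequestHeader set X-Forwarded-Proto "https"` is in place.
HEADERS_AFTER = {**HEADERS_BEFORE, "X-Forwarded-Proto": "https"}

# Ranges treated as "local" by the external mode (assumption: loopback plus
# site-local, i.e. what Java's InetAddress checks amount to).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7",
)]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def effective_request(headers, proxy_address_forwarding=True,
                      remote_addr="172.17.0.1", scheme="http"):
    """(client_ip, scheme) as the backend sees them.

    remote_addr defaults to a Docker bridge gateway (assumption: the peer the
    container sees when Apache on the host connects to it); scheme defaults
    to "http" because Apache proxies to http://localhost:8088/.
    """
    if proxy_address_forwarding:
        xff = headers.get("X-Forwarded-For")
        if xff:
            remote_addr = xff.split(",")[0].strip()  # first hop = original client
        scheme = headers.get("X-Forwarded-Proto", scheme).strip().lower()
    return remote_addr, scheme


def https_required(ssl_required: str, client_ip: str) -> bool:
    """Realm setting sslRequired: 'none', 'external' or 'all'."""
    mode = ssl_required.lower()
    if mode == "none":
        return False
    if mode == "all":
        return True
    if mode == "external":
        return not is_local(client_ip)
    raise ValueError(f"unknown sslRequired value {ssl_required!r}")


def keycloak_decision(headers, ssl_required="external", **conn) -> str:
    """'HTTPS required' or 'OK' for a request carrying these headers."""
    client_ip, scheme = effective_request(headers, **conn)
    if scheme != "https" and https_required(ssl_required, client_ip):
        return "HTTPS required"
    return "OK"


# Directives a TLS-terminating VirtualHost in front of Keycloak must carry.
REQUIRED_DIRECTIVES = {
    "ProxyPreserveHost On": r"^\s*ProxyPreserveHost\s+On\s*$",
    'RequestHeader set X-Forwarded-Proto "https"':
        r'^\s*RequestHeader\s+set\s+X-Forwarded-Proto\s+"?https"?\s*$',
}


def missing_directives(vhost_text: str):
    """Names of required directives absent from an Apache VirtualHost text."""
    return [name for name, pat in REQUIRED_DIRECTIVES.items()
            if not re.search(pat, vhost_text, re.MULTILINE | re.IGNORECASE)]


# The question's :443 VirtualHost reduced to the directives that matter.
VHOST_BEFORE = """
<VirtualHost keycloak.example.net:443>
    ServerName keycloak.example.net
    SSLEngine On
    SSLProxyEngine on
    ProxyPreserveHost On
    ProxyPass / http://localhost:8088/
    ProxyPassReverse / http://localhost:8088/
</VirtualHost>
"""
VHOST_AFTER = VHOST_BEFORE.replace(
    "    ProxyPreserveHost On\n",
    '    ProxyPreserveHost On\n    RequestHeader set X-Forwarded-Proto "https"\n')


if __name__ == "__main__":
    print("before:", keycloak_decision(HEADERS_BEFORE), missing_directives(VHOST_BEFORE))
    print("after: ", keycloak_decision(HEADERS_AFTER), missing_directives(VHOST_AFTER))
    # sslRequired=none also silences the error, but then plaintext clients pass too.
    print("none:  ", keycloak_decision(HEADERS_BEFORE, ssl_required="none"))
```

Two practical caveats follow from the model. First, `RequestHeader set` (rather than `add` or `append`) is the right verb: it overwrites any X-Forwarded-Proto a client might send, so the value Keycloak trusts is always the proxy's. Second, once PROXY_ADDRESS_FORWARDING=true the container believes whatever X-Forwarded-* headers it receives, and `-p 8088:8080` publishes the port on every host interface; anything that can reach port 8088 directly can then present itself as any client over "https". Publishing it as `-p 127.0.0.1:8088:8080` keeps Apache the only path in. You can confirm the module the fix needs is loaded with `apachectl -M | grep headers_module` before restarting.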