I just can't get my reverse proxy to work properly and I hope that someone can help me with that.
Some information:
1 VM with Windows Server 2019, IIS 10 (with ARR and URL Rewrite Module), a "keycloak" app under the "Default Website"; proxy-address-forwarding="true" was added in the standalone.xml.
keycloak is locally available at "localhost:8080". The default website is available from the internal network (port 80 is open, 8080 is closed). I want to use IIS as a reverse proxy for keycloak. It should look like the following URL.
Request: "http://server_fqdn/keycloak" -> IIS Reverse Proxy -> localhost:8080
At first I tried it without "/keycloak" and it worked perfectly. After I added "/keycloak" it just shows 404 errors. I saw that it tries to open "http://server_fqdn/auth" instead of "http://server_fqdn/keycloak/auth". If I enter "/keycloak/auth" manually it works. My first thought was to just write another Blank Inbound Rule which redirects "http://server_fqdn/auth" to "http://server_fqdn/keycloak/auth". It works, but now there is another problem. If I want to enter the admin console I get an error which says "Invalid parameter: redirect_uri".
It stops at the following URL (not complete, but the necessary part is there):
http://server_fqdn/keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=http%3A%2F%2Fserver_fqdn%2Fkeycloak%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=.....
If I remove %2Fkeycloak after "redirect_uri" it works and I get the keycloak login screen. Maybe someone can help me here.
Inbound Reverse Proxy Rule:
<rule name="ReverseProxyInboundRule1" enabled="true" stopProcessing="true">
    <match url="^keycloak/(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
    <action type="Rewrite" url="http://localhost:8080/{R:1}" />
    <serverVariables>
    </serverVariables>
</rule>
Outbound Reverse Proxy Rule:
<outboundRules>
    <clear />
    <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1" enabled="true">
        <match filterByTags="A, Area, Base, Form, Head, IFrame, Img, Input, Link, Script" pattern="^http://localhost:8080/(.*)" />
        <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
        </conditions>
        <action type="Rewrite" value="http://server_fqdn/keycloak/{R:1}" />
    </rule>
    <preConditions>
        <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
        </preCondition>
    </preConditions>
</outboundRules>
Inbound Reverse Proxy Rule:
<rule name="keycloak" enabled="true" stopProcessing="true">
    <match url="^auth/(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
    <action type="Redirect" url="http://server_fqdn/keycloak/{R:0}" redirectType="Permanent" />
</rule>
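
The "Invalid parameter: redirect_uri" error in the post is the authorization server refusing a redirect_uri that matches none of the patterns registered for the client. A simplified model of that comparison follows, as an added example that is not part of the original post and not Keycloak's own code; the registered pattern and the base URL are assumptions inferred from the post's observation that the login works once %2Fkeycloak is removed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: pattern registered for the security-admin-console client,
# inferred from the post (login works once "/keycloak" is removed).
REGISTERED_PATTERNS = ["/auth/admin/master/console/*"]
BASE_URL = "http://server_fqdn"  # assumption: host the server sees via forwarded headers

# Constructed from the URL in the post; the elided "&state=....." part is left out.
AUTH_URL = ("http://server_fqdn/keycloak/auth/realms/master/protocol/openid-connect/auth"
            "?client_id=security-admin-console"
            "&redirect_uri=http%3A%2F%2Fserver_fqdn%2Fkeycloak%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F")


def resolve_pattern(pattern, base_url):
    """Make a relative pattern absolute using the scheme and host of base_url."""
    if pattern.startswith("/"):
        base = urlsplit(base_url)
        return f"{base.scheme}://{base.netloc}{pattern}"
    return pattern


def redirect_uri_allowed(redirect_uri, patterns, base_url):
    """Exact match, or prefix match when the pattern ends in a trailing '*'."""
    parts = urlsplit(redirect_uri)
    # Reject userinfo and ".." segments first so a prefix match cannot be sidestepped.
    if "@" in parts.netloc or ".." in parts.path.split("/"):
        return False
    candidate = f"{parts.scheme}://{parts.netloc}{parts.path}"
    for pattern in patterns:
        absolute = resolve_pattern(pattern, base_url)
        if absolute.endswith("*"):
            if candidate.startswith(absolute[:-1]):
                return True
        elif candidate == absolute:
            return True
    return False


def redirect_uri_from_auth_url(auth_url):
    """Extract and percent-decode the redirect_uri query parameter."""
    return parse_qs(urlsplit(auth_url).query)["redirect_uri"][0]


if __name__ == "__main__":
    sent = redirect_uri_from_auth_url(AUTH_URL)
    print(sent, redirect_uri_allowed(sent, REGISTERED_PATTERNS, BASE_URL))
    without_prefix = sent.replace("/keycloak", "", 1)
    print(without_prefix, redirect_uri_allowed(without_prefix, REGISTERED_PATTERNS, BASE_URL))
```

Under these assumptions the prefixed redirect_uri is refused and the unprefixed one is accepted, which matches what the post reports: the proxy prefix appears in the redirect_uri the browser sends but not in the pattern the server compares it against.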