
I have set up Keycloak (docker container) on the GCP Compute Engine (VM). After setting the sslRequired=none, I'm able to access Keycloak over a public IP (e.g. http://33.44.55.66:8080) and manage the realm.

I have configured the GCP Classic (HTTPS) Load Balancer and added two front-ends as described below. The Load Balancer forwards the request to the Keycloak instance on the VM.

In the browser, the HTTP URL works fine and I'm able to login to Keycloak and manage the realm. However, for the HTTPS URL, I get the below error

Mixed Content: The page at 'https://my-domain.com/auth/admin/master/console/' was loaded over HTTPS, but requested an insecure script 'http://my-domain.com/auth/js/keycloak.js?version=gyc8p'. This request has been blocked; the content must be served over HTTPS.

Note: I tried this suggestion, but it didn't work

Can anyone help with this, please?

Sahil Khanna
  • `sslRequired=none` is insecure. Keycloak should be available only via https protocol, so make sure you have configured proper ssl offloading. – Jan Garaj Dec 09 '21 at 08:38
  • @JanGaraj, I get the same error even when `sslRequired=ALL` or `sslRequired=EXTERNAL`. Any suggestions to resolve this issue? – Sahil Khanna Dec 09 '21 at 10:49
  • SSL offloading must be configured properly, so Keycloak container with `PROXY_ADDRESS_FORWARDING=true` and LB with proper request header X-Forwarded-* configuration. https://stackoverflow.com/questions/47068266/keycloak-docker-behind-loadbalancer-with-https-fails – Jan Garaj Dec 09 '21 at 13:49
  • @JanGaraj, this worked for me. You may post this as an answer. Thanks. – Sahil Khanna Dec 09 '21 at 14:50

1 Answer


I would never expose Keycloak on the plain http protocol. The Keycloak admin console itself is secured via the OIDC protocol, and OIDC requires the use of the https protocol. So the default sslRequired=EXTERNAL is a safe and smart configuration option from the vendor.

SSL offloading must be configured properly:

  • Keycloak container with PROXY_ADDRESS_FORWARDING=true
  • loadbalancer/reverse proxy (nginx, GCP Classic Load Balancer, AWS ALB, ...) with proper request header X-Forwarded-* configuration, so the Keycloak container will know the correct protocol and domain used by the users
Jan Garaj
  • GCP Classic Load balancer preserves the `X-Forwarded-*` headers in the request. This is documented in the Load Balancer support pages. – Sahil Khanna Dec 10 '21 at 03:16
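A runnable model of the behaviour the answer describes, added here as an example (it is not Keycloak's code): it builds the `keycloak.js` URL from the request the container sees, with and without proxy address forwarding, and flags the mixed-content case from the question. The request values, the peer address and the trusted-proxy check are constructed assumptions, not something Keycloak or the GCP load balancer is documented to do exactly this way.

```python
from urllib.parse import urlsplit

# Constructed request, as the load balancer would hand it to the container:
# TLS is terminated at the LB, so the LB -> container hop is plain http on 8080.
# The LB preserves the Host header and adds X-Forwarded-* headers.
REQUEST = {
    "peer": "10.0.0.2",                 # address the connection came from (assumed LB IP)
    "scheme": "http",                   # scheme of the inner hop
    "host": "my-domain.com",            # Host header passed through by the LB
    "path": "/auth/js/keycloak.js",
    "headers": {
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Host": "my-domain.com",
        "X-Forwarded-For": "203.0.113.7",
    },
}

# Assumed allow-list: only honour forwarded headers from the proxy itself, so a
# client that reaches port 8080 directly cannot rewrite its own scheme/host.
TRUSTED_PROXIES = frozenset({"10.0.0.2"})


def public_url(request, proxy_address_forwarding, trusted_proxies=TRUSTED_PROXIES):
    """Absolute URL the server would embed in the admin console page.

    Simplified model: with PROXY_ADDRESS_FORWARDING=true the server rebuilds
    scheme and host from X-Forwarded-Proto / X-Forwarded-Host; without it, it
    only knows the inner http hop and emits http://... links.
    """
    scheme, host = request["scheme"], request["host"]
    if proxy_address_forwarding and request["peer"] in trusted_proxies:
        hdrs = request["headers"]
        scheme = hdrs.get("X-Forwarded-Proto", scheme)
        host = hdrs.get("X-Forwarded-Host", host)
    return f"{scheme}://{host}{request['path']}"


def is_mixed_content(page_url, resource_url):
    """True when an https page references a script over plain http (browsers block it)."""
    return urlsplit(page_url).scheme == "https" and urlsplit(resource_url).scheme == "http"


if __name__ == "__main__":
    page = "https://my-domain.com/auth/admin/master/console/"
    for flag in (False, True):
        script = public_url(REQUEST, flag)
        print(f"PROXY_ADDRESS_FORWARDING={str(flag).lower()}: {script} "
              f"blocked={is_mixed_content(page, script)}")
```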