Keycloak docker HTTPS-REQUIRED with nginx ssl
Keycloak docker HTTPS-REQUIRED with nginx ssl
我是第一次使用 keycloak 进行生产。我在我的本地机器上 运行 keycloak,从未遇到过这个问题。首先,我使用 docker 到 运行 keycloak 服务器。 docker 图片来自 jboss/keycloak。我已经在我的域 test.com
上使用 letsEncrypt 设置了我的 SSL
在 运行 设置 docker 图像后,当我单击管理控制台时,我最终收到错误 HTTPS-REQUIRED。从 HERE HERE and HERE 阅读了很多相关内容后,我意识到我需要在我的域上使用 SSL,我确实这样做了。
我也在 docker 命令中传递了 PROXY_ADDRESS_FORWARDING=true。我就是这样运行的。
docker run -e KEYCLOAK_USER=temp -e KEYCLOAK_PASSWORD=temp -e PROXY_ADDRESS_FORWARDING=true -p 9090:8080 jboss/keycloak
我的 NGINX 服务器块看起来像
map $sent_http_content_type $expires {
default off;
text/html epoch; #means no cache, as it is not a static page
text/css max;
application/javascript max;
application/woff2 max;
~image/ 30d; #it is only the logo, so maybe I could change it once a month now
}
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name test.com www.test.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location /auth/ {
proxy_pass http://x.x.x.x:9090/auth/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
return 301 https://$server_name$request_uri;
}
server {
# SSL configuration
#
#listen 443 ssl http2 default_server;
listen 443 ssl default_server;
#listen [::]:443 ssl http2 default_server; # does not work properly with Angular, TODO research about this
listen [::]:443 ssl default_server;
expires $expires;
include snippets/ssl-test.com.conf;
include snippets/ssl-params.conf;
}
每次访问 text.com 或 www.test.com 时都设置 ssl,它有 https。但是当我做 test.com:9090 时它说不安全。所以我尝试 IP:9090 ,但没有 https。
现在我每次去 IP:9090 都能看到 keycloak 的主页,但在我点击管理控制台后,我会收到 HTTPS - REQUIRED 错误。我在配置或设置 keycloak/ssl/nginx 配置中缺少什么?
主要关注这个setup nginx for production
编辑::
将位置 /auth/ 从第一个服务器块移动到第二个服务器块,它就可以工作了。认为这会有所帮助。
正确的结构
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name test.com www.test.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
return 301 https://$server_name$request_uri;
}
server {
# SSL configuration
#
#listen 443 ssl http2 default_server;
listen 443 ssl default_server;
#listen [::]:443 ssl http2 default_server; # does not work properly with Angular, TODO research about this
listen [::]:443 ssl default_server;
expires $expires;
location /auth/ {
proxy_pass http://x.x.x.x:9090/auth/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
include snippets/ssl-test.com.conf;
include snippets/ssl-params.conf;
}
我是第一次使用 keycloak 进行生产。我在我的本地机器上 运行 keycloak,从未遇到过这个问题。首先,我使用 docker 到 运行 keycloak 服务器。 docker 图片来自 jboss/keycloak。我已经在我的域 test.com
letsEncrypt 设置了我的 SSL
在 运行 设置 docker 图像后,当我单击管理控制台时,我最终收到错误 HTTPS-REQUIRED。从 HERE HERE and HERE 阅读了很多相关内容后,我意识到我需要在我的域上使用 SSL,我确实这样做了。
我也在 docker 命令中传递了 PROXY_ADDRESS_FORWARDING=true。我就是这样运行的。
docker run -e KEYCLOAK_USER=temp -e KEYCLOAK_PASSWORD=temp -e PROXY_ADDRESS_FORWARDING=true -p 9090:8080 jboss/keycloak
我的 NGINX 服务器块看起来像
map $sent_http_content_type $expires {
default off;
text/html epoch; #means no cache, as it is not a static page
text/css max;
application/javascript max;
application/woff2 max;
~image/ 30d; #it is only the logo, so maybe I could change it once a month now
}
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name test.com www.test.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location /auth/ {
proxy_pass http://x.x.x.x:9090/auth/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
return 301 https://$server_name$request_uri;
}
server {
# SSL configuration
#
#listen 443 ssl http2 default_server;
listen 443 ssl default_server;
#listen [::]:443 ssl http2 default_server; # does not work properly with Angular, TODO research about this
listen [::]:443 ssl default_server;
expires $expires;
include snippets/ssl-test.com.conf;
include snippets/ssl-params.conf;
}
每次访问 text.com 或 www.test.com 时都设置 ssl,它有 https。但是当我做 test.com:9090 时它说不安全。所以我尝试 IP:9090 ,但没有 https。
现在我每次去 IP:9090 都能看到 keycloak 的主页,但在我点击管理控制台后,我会收到 HTTPS - REQUIRED 错误。我在配置或设置 keycloak/ssl/nginx 配置中缺少什么?
主要关注这个setup nginx for production
编辑:: 将位置 /auth/ 从第一个服务器块移动到第二个服务器块,它就可以工作了。认为这会有所帮助。
正确的结构
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name test.com www.test.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
return 301 https://$server_name$request_uri;
}
server {
# SSL configuration
#
#listen 443 ssl http2 default_server;
listen 443 ssl default_server;
#listen [::]:443 ssl http2 default_server; # does not work properly with Angular, TODO research about this
listen [::]:443 ssl default_server;
expires $expires;
location /auth/ {
proxy_pass http://x.x.x.x:9090/auth/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
include snippets/ssl-test.com.conf;
include snippets/ssl-params.conf;
}