How to get nginx to handle https for keycloak
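I am trying to get the Keycloak 3.4.3.Final docker container working. I can load the container over http, and I am immediately shown the https required message.
So I set up a proxy pass using nginx with the following config: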
events {
    worker_connections 4096; ## Default: 1024
}
http {
    upstream keycloak-stream {
        server keycloak:8080;
    }
    server {
        listen 443;
        server_name localhost redacted.com *.redacted.com;
        autoindex off;
        location / {
            proxy_ssl_server_name on;
            proxy_pass https://keycloak-stream;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        ssl on;
        ssl_certificate /run/secrets/fullchain.pem;
        ssl_certificate_key /run/secrets/privkey.pem;
        ssl_dhparam /run/secrets/dhparam.pem;
    }
}
I have set the following environment:
PROXY_ADDRESS_FORWARDING=true
I seem to be getting the following error:
nginx_1 | 2018/03/27 21:48:30 [error] 7#7: *1 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 172.1.0.1, server: localhost, request: "GET /auth/ HTTP/1.1", upstream: "https://172.1.0.3:8080/auth/", host: "localhost.redacted.com"
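What do I need to modify to get keycloak to accept https connections from nginx?

I would focus on the actual error:
ssl3_get_record:wrong version number
This means there is a version mismatch in the client/server SSL records.
So, for example, the client sends an SSL2 client_hello handshake message and the other side is SSL3/TLS1 only.
Configuration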
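
Added example, not part of the original question or answer: a small Python check that reads the first five bytes a peer sends as a TLS record header (type, version, length), which is the field the "wrong version number" error refers to. The sample byte strings are constructed, and the cleartext HTTP case assumes the listener on port 8080 answers in plain HTTP, as the question's working http access suggests.

```python
import struct

# TLS record content types and the record-layer versions a TLS peer can send.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2/1.3"}


def classify_first_bytes(data: bytes) -> dict:
    """Read the first 5 bytes from a peer as a TLS record header: type, version, length."""
    if len(data) < 5:
        return {"verdict": "too-short"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    info = {"content_type": ctype, "version": (major, minor), "length": length}
    if data[:5] == b"HTTP/":
        # ASCII "HTTP/" read as a record header gives version (0x54, 0x54): not TLS at all.
        info["verdict"] = "plaintext-http"
    elif (major, minor) not in VERSIONS:
        info["verdict"] = "wrong-version"
    elif ctype not in CONTENT_TYPES:
        info["verdict"] = "unknown-content-type"
    else:
        info["verdict"] = "tls-record"
        info["detail"] = f"{CONTENT_TYPES[ctype]} over {VERSIONS[(major, minor)]}"
    return info


# Constructed samples (not captured from the poster's system).
SAMPLES = {
    # Assumption: what a cleartext HTTP listener sends back when handed a TLS ClientHello.
    "cleartext HTTP reply": b"HTTP/1.1 400 Bad Request\r\n\r\n",
    # Record header 16 03 03 00 5a: handshake, version 3.3, 90 bytes of payload follow.
    "TLS handshake record": bytes.fromhex("160303005a") + b"\x02",
    # SSLv2 framing (2-byte length, msg type 1, version 0x0002), the case the answer mentions.
    "SSLv2-style client_hello": bytes.fromhex("802e010002"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:26} -> {classify_first_bytes(raw)}")
```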