Keycloak docker HTTPS-REQUIRED with nginx ssl
Posted
技术标签:
【中文标题】Keycloak docker HTTPS-REQUIRED with nginx ssl【英文标题】: 【发布时间】:2018-05-03 05:35:30 【问题描述】:我第一次使用keycloak 进行生产。我在本地机器上运行 keycloak 并且从未遇到过这个问题。首先,我使用 docker 来运行 keycloak 服务器。 docker 镜像是从jboss/keycloak 拉取的。我已经在我的域test.com 上使用letsEncrypt 设置了我的SSL
运行 docker 映像后,当我单击管理控制台时,我最终收到错误 HTTPS-REQUIRED。从HERE HERE 和HERE 阅读了很多关于此的内容后,我意识到我需要在我的域上使用 SSL,我确实这样做了。
我还在 docker 命令中传递了PROXY_ADDRESS_FORWARDING=true。这就是我运行它的方式。
docker run -e KEYCLOAK_USER=temp -e KEYCLOAK_PASSWORD=temp -e PROXY_ADDRESS_FORWARDING=true -p 9090:8080 jboss/keycloak
我的 nginx 服务器块看起来像
map $sent_http_content_type $expires
default off;
text/html epoch; #means no cache, as it is not a static page
text/css max;
application/javascript max;
application/woff2 max;
~image/ 30d; #it is only the logo, so maybe I could change it once a month now
server
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name test.com www.test.com;
location /
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
location /auth/
proxy_pass http://x.x.x.x:9090/auth/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
return 301 https://$server_name$request_uri;
server
# SSL configuration
#
#listen 443 ssl http2 default_server;
listen 443 ssl default_server;
#listen [::]:443 ssl http2 default_server; # does not work properly with Angular, TODO research about this
listen [::]:443 ssl default_server;
expires $expires;
include snippets/ssl-test.com.conf;
include snippets/ssl-params.conf;
通过设置 ssl 每次我去 text.com 或 www.test.com 它都有 https。但是当我做 test.com:9090 时,它说不安全。所以我尝试了IP:9090,它可以工作但没有https。
现在每次访问 IP:9090 时,我都可以看到 keycloak 的主页,但是在单击管理控制台后,我会收到 HTTPS - REQUIRED 错误。我的配置或设置 keycloak/ssl/nginx 配置中缺少什么?
大部分都关注这个setup nginx for production
编辑:: 将位置 /auth/ 从第一个服务器块移动到第二个服务器块,它可以工作。认为这会有所帮助。
【问题讨论】:
您可以回答自己的问题。这会将您的问题标记为已回答,并为您提供声誉积分作为奖励。 【参考方案1】:结构正确
server
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name test.com www.test.com;
location /
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
return 301 https://$server_name$request_uri;
server
# SSL configuration
#
#listen 443 ssl http2 default_server;
listen 443 ssl default_server;
#listen [::]:443 ssl http2 default_server; # does not work properly with Angular, TODO research about this
listen [::]:443 ssl default_server;
expires $expires;
location /auth/
proxy_pass http://x.x.x.x:9090/auth/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
include snippets/ssl-test.com.conf;
include snippets/ssl-params.conf;
【讨论】:
我得到 404,你确定它有效吗?我应该用本地主机或域名替换x.x.x.x...?以上是关于Keycloak docker HTTPS-REQUIRED with nginx ssl的主要内容,如果未能解决你的问题,请参考以下文章
使用 docker [MySQL] 运行 keycloak 时出错
使用 docker-compose 时导入 keycloak 配置文件
dockerized 环境中的 Keycloak 和 Spring Boot Web 应用程序