Configure reverse-proxy for Keycloak docker with custom base URL
Building on @Francois Maturel's response: for the latest Keycloak (currently 4.8.x), I had to add an additional line to replace the web-context in standalone-ha.xml as well:
FROM jboss/keycloak:latest
USER jboss
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone.xml
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
RUN sed -i -e 's/\/auth/\/keycloak\/auth/' /opt/jboss/keycloak/welcome-content/index.html
The reason is that the docker-entrypoint.sh startup script will use standalone-ha.xml configuration in addition to standalone.xml unless the -c flag is passed. See here: https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/docker-entrypoint.sh
Just tested that @home, and actually multiple configuration additions are needed:
1/ Run the keycloak container with env -e PROXY_ADDRESS_FORWARDING=true as explained in the docs, this is required in a proxy way of accessing to keycloak:
docker run -it --rm -p 8087:8080 --name keycloak -e PROXY_ADDRESS_FORWARDING=true jboss/keycloak:latest
Also explained in this SO question
2/ Change the web-context inside keycloak's configuration file $JBOSS_HOME/standalone/configuration/standalone.xml
Default keycloak configuration points to auth
<web-context>auth</web-context>
Then you could change it to keycloak/auth
<web-context>keycloak/auth</web-context>
If you need to automate this for docker, just create a new keycloak image :
FROM jboss/keycloak:latest
USER jboss
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone.xml
3/ Add some proxy information to nginx configuration (mostly for http / https handling)
location /keycloak {
proxy_pass http://example.com:8087;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
If you are proxying requests from nginx to keycloak on same server, I recommend using proxy_pass http://localhost:8087;, and if not try to use a private network to avoid proxying through external web requests.
Hope this helps
The redirect from /keycloak to /keycloak/auth isn't working.
The redirect route in index.html and Base-URL is missing the /keycloak part.
I had to add this:
FROM jboss/keycloak:latest
USER jboss
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone.xml
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone-ha.xml
RUN sed -i -e 's/name="\/"/name="\/keycloak\/"/' $JBOSS_HOME/standalone/configuration/standalone.xml
RUN sed -i -e 's/name="\/"/name="\/keycloak\/"/' $JBOSS_HOME/standalone/configuration/standalone-ha.xml
RUN sed -i -e 's/\/auth/\/keycloak\/auth/' $JBOSS_HOME/welcome-content/index.html
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/domain/configuration/domain.xml
In Keycloak 18.x you can't use web-context anymore.
There is now a new argument http-relative-path, which contains the path relative to '/'.
CLI: --http-relative-path
Env: KC_HTTP_RELATIVE_PATH