nginx - keycloak 将 url 重定向到 http 而不是 https
问题描述
我在 SSL 终止 nginx 代理后面有一个 keycloak 设置。当我尝试访问使用 keycloak 保护的应用程序时,keycloak 会生成如下所示的 url:
https://keycloak.mydomain.com/auth/realms/AdfsDemo/protocol/openid-connect/auth?client_id=adfs&redirect_uri=http%3A%2F%2Fmyapp.mydomain.com%2Fsignin-oidc&response_type=code&scope=openid%20profile&response_mode=form_post&nonce=636603226928179925.MmUzYWEzMGYtNTAxOS00MTBkLTk4MWItMDU3MGY1NjAxOGViNzlhYmZiMDQtNTQyOC00Y2YzLTk2MjMtZjNjMWFjNTI1YzM3&state=CfDJ8NQosUp9FsZBgifUu0XsVAEasSeKTitMPUM5yatTiQGf_Kz_X9CpQNPIHOkGr1hsgdErjhbw4ULINvCJgnFdWYctcIuhoyhOTt2Km3xy0qFh4o9gNFkPQlbEqc771MmVC2FUqUtvDqf8zChsyDDfGkxZ6Kc1y36I_3lFfzfubBAyXK0cEb_3AdZBMyDRp2WMykrarD8Z-0iGBk_q5Z8akYYHyCc7q-FSKxP1DW59nHpF8fM6P-S8SdVxvTW2dtEyV9UL6rlqD8dabNNJxhoaXEeBzwRh84it2vVlaaYpQ7d1ErZ51hpuzhG2gYSxnowMdQa8gfd8X1hs5HsgJXL-gCmBgTlxWNQfAy5DRpcX8Wi0&x-client-SKU=ID_NET&x-client-ver=2.1.4.0
我可以在 https 上访问 keycloak 就好了。但是当我尝试访问使用 keycloak 保护的应用程序时,您会注意到 keycloak 生成的 redirect_uri 是 http 而不是 https。
这是我的nginx配置
server {
listen 443 ssl;
server_name myapp.mydomain.com;
ssl_certificate /etc/nginx/external/wildcard_mydomain_com.pem;
ssl_certificate_key /etc/nginx/external/private.rsa;
location / {
proxy_set_header Host myapp.mydomain.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://172.30.5.28:8001;
}
}
#Keycloak Service
server {
listen 443 ssl;
server_name keycloak.mydomain.com;
ssl_certificate /etc/nginx/external/wildcard_mydomain_com.pem;
ssl_certificate_key /etc/nginx/external/private.rsa;
location = / {
return 301 https://keycloak.mydomain.com/auth;
}
location /auth {
proxy_pass http://172.30.5.28:8080;
proxy_set_header Host keycloak.mydomain.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
任何帮助是极大的赞赏。
谢谢,拉胡尔
解决方案
KeyCloak docker遇到了同样的问题,我解决了如下,
nginx配置,
location /auth {
resolver 127.0.0.11 ipv6=off valid=5s;
set $upstream "http://identity-service:8080";
proxy_pass $upstream;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_connect_timeout 3000;
proxy_send_timeout 3000;
proxy_read_timeout 3000;
send_timeout 3000;
client_max_body_size 5120m;
}
docker -compose 文件,将PROXY_ADDRESS_FORWARDING设置为 true
environment:
KEYCLOAK_USER:
KEYCLOAK_PASSWORD:
KEYCLOAK_FRONTEND_URL:
PROXY_ADDRESS_FORWARDING: "true"
DB_VENDOR:
DB_ADDR:
DB_PORT:
DB_DATABASE:
DB_USER:
DB_PASSWORD:
- 通过删除KEYCLOAK_FRONTEND_URL,您也可以禁用 KeyCloak 前端。
推荐阅读
- c# - Compiler.cs 报告 Dafny 3.0.0 中已验证程序的错误
- android - AAPT:错误:找不到资源 android:attr/android:progressBarStyle
- javascript - 在括号之间声明一个 javascript 对象以仅选择与其索引对应的元素
- reactjs - 为什么 react 函数组件在初始渲染时会执行两次内部代码?
- go - 如何将匿名结构作为函数参数传递
- amazon-web-services - Elastic Beanstalk 部署在 AppDeployPreHook/12_update_permissions.sh 失败
- rust - 我可以以某种方式修改“&”数组吗?
- excel - ruby/caxlsx:如何定义不同的周围单元格的边框样式?
- ios - SwiftUI 预览不适用于自定义库
- visual-studio - 在 .Net Core 5 Web API 中将连接字符串更改为 MySql 数据库并在 VS Debug 模式下运行,直到第二次 API 重新启动后才会生效