您如何正确地将NGINX配置为Keycloak前面的代理?
以doc的形式进行询问和回答,因为我现在不得不重复做一次,过了一会儿就忘记了细节。
这是专门针对Keycloak位于反向代理(例如nginx)和NGINX正在终止SSL并推送到Keycloak的情况的。这与keycloak无效参数(重定向参数)不同,尽管它会产生相同的错误消息。
关键在于文档位于 https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses
在proxy-address-forwarding必须设置以及各种X-...头。
如果您正在使用https://hub.docker.com/r/jboss/keycloak/中的Docker映像,请设置环境。arg -e PROXY_ADDRESS_FORWARDING=true。
server {
server_name api.domain.com;
location /auth {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8080;
proxy_read_timeout 90;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8081;
proxy_read_timeout 90;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/api.domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/api.domain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = api.domain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name api.domain.com;
listen 80;
return 404; # managed by Certbot
}
如果您使用的是其他代理,则其中的重要部分是要设置的标头:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
Apache,ISTIO和其他人有自己的设置方式。