反向代理背后的Keycloak混合了内部和外部地址

Question

我正在尝试使用 nginx 在反向代理后面设置一个 keycloak 实例，我几乎做到了。

我的（部分）docker-compose：

version: '3.4'                                                                          
                                                                                    
services:  
  [...]
                                                                                                                                                                                                                                                 
  keycloak:                                                                             
    image: jboss/keycloak                                                                                                                                     
    environment:                                                                        
      - DB_VENDOR=[vendor]
      - DB_USER=[user]                                                                      
      - DB_PASSWORD=[password]
      - DB_ADDR=[dbaddr]
      - DB_DATABASE=[dbname]
      - KEYCLOAK_USER=[adminuser]                                                         
      - KEYCLOAK_PASSWORD=[adminpassword]                                                       
      - KEYCLOAK_IMPORT=/tmp/my-realm.json                                           
      - KEYCLOAK_FRONTEND_URL=https://auth.mydomain.blah/auth                          
      - PROXY_ADDRESS_FORWARDING=true                                                   
      - REDIRECT_SOCKET=proxy-https
                                                 
  [...]

我的 nginxconf 只是

server {
    listen       443 ssl;
    server_name  auth.mydomain.blah;
  
    ssl_certificate /etc/letsencrypt/live/auth.mydomain.blah/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/auth.mydomain.blah/privkey.pem;

    location / {
        proxy_pass http://keycloak:8080;
    }
}

它有效，我可以访问 keycloakhttps://auth.mydomain.blah/auth 但当我查看时https://auth.mydomain.blah/auth/realms/campi/.well-known/openid-configuration我得到了这个：

{
  "issuer": "https://auth.mydomain.blah/auth/realms/campi",
  "authorization_endpoint": "https://auth.mydomain.blah/auth/realms/campi/protocol/openid-connect/auth",
  "token_endpoint": "http://keycloak:8080/auth/realms/campi/protocol/openid-connect/token",
  "introspection_endpoint": "http://keycloak:8080/auth/realms/campi/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "http://keycloak:8080/auth/realms/campi/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://auth.mydomain.blah/auth/realms/campi/protocol/openid-connect/logout",
  "jwks_uri": "http://keycloak:8080/auth/realms/campi/protocol/openid-connect/certs",
  "check_session_iframe": "https://auth.mydomain.blah/auth/realms/campi/protocol/openid-connect/login-status-iframe.html",
  [...]

为什么keycloak混合内部和外部uri？我缺少什么？

Answer 1

https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy

您的反向代理/nginx 未正确转发主机标头，因此 Keycloak 不知道请求使用了哪个主机/协议，并且它使用后端/内部主机名。您需要设置几proxy_set_header行：

server {
    listen       443 ssl;
    server_name  auth.mydomain.blah;
  
    ssl_certificate /etc/letsencrypt/live/auth.mydomain.blah/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/auth.mydomain.blah/privkey.pem;

    location / {
            proxy_pass          http://keycloak:8080;
            proxy_set_header    Host               $host;
            proxy_set_header    X-Real-IP          $remote_addr;
            proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header    X-Forwarded-Host   $host;
            proxy_set_header    X-Forwarded-Server $host;
            proxy_set_header    X-Forwarded-Port   $server_port;
            proxy_set_header    X-Forwarded-Proto  $scheme;
    }
}