我正在尝试让Keycloak 3.4.3.Final docker容器运行。我可以通过http加载容器,然后立即显示https所需的消息。
所以我使用具有以下配置的nginx设置了代理传递
events {
worker_connections 4096; ## Default: 1024
}
http {
upstream keycloak-stream {
server keycloak:8080;
}
server {
listen 443;
server_name localhost redacted.com *.redacted.com;
autoindex off;
location / {
proxy_ssl_server_name on;
proxy_pass https://keycloak-stream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
ssl on;
ssl_certificate /run/secrets/fullchain.pem;
ssl_certificate_key /run/secrets/privkey.pem;
ssl_dhparam /run/secrets/dhparam.pem;
}
}
我设置了以下环境:
PROXY_ADDRESS_FORWARDING=true
我似乎收到以下错误:
nginx_1 | 2018/03/27 21:48:30 [error] 7#7: *1 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 172.1.0.1, server: localhost, request: "GET /auth/ HTTP/1.1", upstream: "https://172.1.0.3:8080/auth/", host: "localhost.redacted.com"
我需要修改什么才能让keycloak接受来自nginx的https连接?
答案 0 :(得分:1)
我会关注实际错误:
ssl3_get_record:wrong version number
这意味着客户端/服务器SSL记录中的版本不匹配。 所以例如客户端发送SSL2 client_hello握手 消息和对应项仅配置为SSL3 / TLS1。