使用nginx的Keycloak重定向网址将转换为http而不是https

时间:2018-04-03 12:02:16

标签: nginx jboss

Keycloak使用带有nginx配置的反向代理在ssl(https)中可用。 现在我在ubuntu中部署了.net核心应用程序。 此应用程序在http中,并使用keycloak作为openid connect进行身份验证。

但是,当使用nginx在https中托管应用程序时,keycloak显示无效的重定向URL而不是登录页面。  Keycloak登录URL页面包含带有http而不是https的redirect_uri参数。请帮忙解决 在nginx中的配置文件中为反向代理完成配置 服务器{

听443 ssl;

server_name abc.ctech.com;

ssl_certificate /etc/nginx/external/wildcard_ctech_com.pem;

ssl_certificate_key /etc/nginx/external/private.rsa;

location / {

proxy_http_version 1.1;

proxy_set_header主持人abc.ctech.com;

proxy_set_header X-Real-IP $ remote_addr;

proxy_set_header X-Forwarded-Proto https;

proxy_set_header X-Forwarded-Port 443;

proxy_set_header X-Forwarded-For $ proxy_add_x_forwarded_for;

proxy_pass http://172.30.5.28:8001;

}

}

Keycloak服务

服务器{

听443 ssl;

server_name keycloak.ctech.com;

ssl_certificate /etc/nginx/external/wildcard_ctech_com.pem;

ssl_certificate_key /etc/nginx/external/private.rsa;

location = / {

返回301 https://keycloak.ctech.com/auth; }

location / auth {

proxy_pass http://172.30.5.28:8080/auth;

proxy_http_version 1.1;

proxy_set_header主机keycloak.ctech.com;

proxy_set_header X-Real-IP $ remote_addr;

proxy_set_header X-Forwarded-Proto https;

proxy_set_header X-Forwarded-Port 443;

proxy_set_header X-Forwarded-For $ proxy_add_x_forwarded_for;

}

}

5 个答案:

答案 0 :(得分:1)

我认为问题是KEYCLOAK文件配置。您应该在 http_listener 中添加以下参数:

<http-listener name="default" socket-binding="http" redirect-socket="proxy-https" proxy-address-forwarding="true" enable-http2="true"/>

并添加 socket绑定组 

<socket-binding name="proxy-https" port="443"/>

答案 1 :(得分:0)

我相信您还必须添加一个侦听端口80(http)的服务器块,该服务器块将永久(301)重定向返回到同一服务器的端口443(https)版本。.

类似以下内容...(两个地方都适用)

server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

因此,您需要在两个地方都添加一个永久重定向,用您的实际服务器名称替换(当然) example.com

让我们知道,谢谢。

答案 2 :(得分:0)

您需要将通行证代理到https://keycloak_address:8443/auth;。确保已打开该端口。下面的代码为我工作。 

server {
    listen 80;
    server_name example.com;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;


    location /auth {
                proxy_pass  https://keycloak_address:8443/auth;
                proxy_set_header    Host                $http_host;
                proxy_set_header    X-Real-IP           $remote_addr;
                proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
}

答案 3 :(得分:0)

我一直在使用docker swarm模式下的集群密钥库进行战斗很长时间了。 Ubunter's answer与文档中的内容相同,但是这样做仍然无法解决我的问题。

要使其与当前的jboss/keycloak:latest码头工人映像(:9.0.3)配合使用,我要做的就是使用环境变量 KEYCLOAK_FRONTEND_URL

在添加该内容之前,它仍然会向主要的/auth/js/keycloak.js?version=czy98 JavaScript发出HTTP URL:

...
    <!-- Libraries not managed by yarn -->
    <script src="/auth/resources/czy98/admin/keycloak/lib/angular/ui-bootstrap-tpls-0.11.0.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/angular/treeview/angular.treeview.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/fileupload/angular-file-upload.min.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/filesaver/FileSaver.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/ui-ace/min/ace.js"></script>
    <script src="/auth/resources/czy98/admin/keycloak/lib/ui-ace/ui-ace.min.js"></script>

    <script src="http://my.server.name.here/auth/js/keycloak.js?version=czy98" type="text/javascript"
></script>

    <script src="/auth/resources/czy98/admin/keycloak/js/app.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/realm.js" type="text/javascript"></scr
ipt>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/clients.js" type="text/javascript"></s
cript>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/users.js" type="text/javascript"></scr
ipt>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/groups.js" type="text/javascript"></sc
ript>
    <script src="/auth/resources/czy98/admin/keycloak/js/controllers/roles.js" type="text/javascript"></scr
ipt>
    <script src="/auth/resources/czy98/admin/keycloak/js/loaders.js" type="text/javascript"></script>
    <script src="/auth/resources/czy98/admin/keycloak/js/services.js" type="text/javascript"></script>
...

它也在嵌入式javascript中生成了http:

    <script type="text/javascript">
        var authServerUrl = 'http://my.server.name.here/auth';
        var authUrl = 'http://my.server.name.here/auth';
        var consoleBaseUrl = '/auth/admin/master/console/';
        var resourceUrl = '/auth/resources/czy98/admin/keycloak';
        var masterRealm = 'master';
        var resourceVersion = 'czy98';
    </script>

尽管X-Forwarded-Proto: https和其他standalone-ha.xml必需的东西

答案 4 :(得分:0)

对于使用jwilder/nginx-proxy的用户,只需让反向代理处理https并添加即可即可

  - PROXY_ADDRESS_FORWARDING=true
  - VIRTUAL_HOST= /**domain or subdomain**/
  - VIRTUAL_PORT=8080

到您的密钥斗篷环境参数

相关问题
最新问题