
Reverse proxy in front dcm4chee and keycloak


TI Central de Laudos

Feb 7, 2025, 9:39:57 AM
to dcm...@googlegroups.com
Hi,

I configured a docker-compose that deploys dcm4chee (with a MySQL db instead of pgsql) and Keycloak correctly, and I can access the archive normally using my external IP address and port; it shows me the login and password page.

But when I change my config to work with an nginx reverse proxy in front, I receive a "redirect_uri" error. I followed the instructions in https://github.com/dcm4che/dcm4chee-arc-light/wiki/Reverse-Proxy-in-front-of-Keycloak-and-Archive, but without success.

Here is my docker-compose.yml config for keycloak and dcm4chee:
  keycloak:
    image: dcm4che/keycloak:26.0.6
    logging:
      driver: json-file
      options:
        max-size: "10m"
    ports:
      - "8843:8843"
      - "9843:9843"
    environment:
      KC_HTTPS_PORT: 8843
      # Reverse proxy config
      KC_PROXY: passthrough
      KC_HOSTNAME: https://auth-docker.meudominio.com.br
      KC_HOSTNAME_PORT: 443
      KC_HTTP_RELATIVE_PATH: '/'
      ARCHIVE_HOST: dicom-docker.meudominio.com.br
      ARCHIVE_HTTPS_PORT: 443
      # End reverse proxy config
      KC_HOSTNAME_BACKCHANNEL_DYNAMIC: 'true'
      KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_ADM_USER}
      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADM_PASS}
      KC_DB: mysql
      KC_DB_URL_DATABASE: ${KEYCLOAK_DB_NAME}
      KC_DB_URL_HOST: ${MYSQL_HOST}
      KC_DB_USERNAME: ${KEYCLOAK_DB_USER}
      KC_DB_PASSWORD: ${KEYCLOAK_DB_PASS}
      KC_LOG: file
      KC_LOG_LEVEL: DEBUG
      KEYCLOAK_WAIT_FOR: ldap:389 mysql:3306
    depends_on:
      - ldap
      - mysql
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /var/local/dcm4chee-arc/keycloak:/opt/keycloak/data

  arc:
    image: dcm4chee-arc-mysql-secure-ui:5.33.1
    ports:
      - "8080:8080"
      - "8443:8443"
      - "9990:9990"
      - "9993:9993"
      - "11112:11112"
      - "2762:2762"
      - "2575:2575"
      - "12575:12575"
    environment:
      MYSQL_DB: ${PACS_DB_NAME}
      MYSQL_HOST: ${MYSQL_HOST}
      MYSQL_USER: ${PACS_DB_USER}
      MYSQL_PASSWORD: ${PACS_DB_PASS}
      MYSQL_JDBC_PARAMS: "serverTimezone=America/Sao_Paulo"
      AUTH_SERVER_URL: https://keycloak:8843
      WILDFLY_CHOWN: /storage
      # Reverse proxy config
      UI_AUTH_SERVER_URL: https://auth-docker.meudominio.com.br
      HTTP_PROXY_ADDRESS_FORWARDING: true
      REDIRECT_HTTPS_PORT: 443
      # End reverse proxy config
      WILDFLY_WAIT_FOR: ldap:389 mysql:3306 keycloak:8843
    depends_on:
      - ldap
      - keycloak
      - mysql
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /var/local/dcm4chee-arc/wildfly:/opt/wildfly/standalone
      - /var/local/dcm4chee-arc/storage:/storage

My nginx.conf for dcm4chee is:
server {
    listen 443 ssl;
    server_name dicom-docker.meudominio.com.br;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    location / {
        proxy_pass https://arc:8443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

For Keycloak it is the same conf, adjusting only the server_name and proxy_pass.

Can someone help? I want the archive and Keycloak to be accessible by the domain names without exposing the 8443 and 8843 ports.

Best regards!

TI CTL

Feb 21, 2025, 1:28:04 PM
to dcm4che
Hi all,

With this config and environment variables set for the arc and keycloak containers, everything works fine.

  keycloak:
    image: dcm4che/keycloak:26.0.6
    container_name: keycloak

    logging:
      driver: json-file
      options:
        max-size: "10m"
    ports:
      - "8843:8843"
      - "9843:9843"
    environment:
      KC_PROXY: passthrough
      KC_HTTPS_PORT: 8843

      KC_HOSTNAME: https://auth-docker.meudominio.com.br
      KC_HOSTNAME_PORT: 443

      KC_HOSTNAME_BACKCHANNEL_DYNAMIC: 'true'
      KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_ADM_USER}
      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADM_PASS}
      KC_DB: mysql
      KC_DB_URL_DATABASE: ${KEYCLOAK_DB_NAME}
      KC_DB_URL_HOST: ${MYSQL_HOST}
      KC_DB_USERNAME: ${KEYCLOAK_DB_USER}
      KC_DB_PASSWORD: ${KEYCLOAK_DB_PASS}
      KC_LOG: file
      ARCHIVE_HOST: dicom-docker.meudominio.com.br
      LDAP_ROOTPASS: ${LDAP_ROOTPASS}

      KEYCLOAK_WAIT_FOR: ldap:389 mysql:3306
    depends_on:
      - ldap
      - mysql
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /var/local/dcm4chee-arc/keycloak:/opt/keycloak/data
      - /var/local/dcm4chee-arc/quarkus:/opt/keycloak/lib/quarkus

  arc:
    image: dcm4chee-arc-mysql-secure-ui:5.33.1
    container_name: dcm4chee

    ports:
      - "8080:8080"
      - "8443:8443"
      - "9990:9990"
      - "9993:9993"
      - "11112:11112"
      - "2762:2762"
      - "2575:2575"
      - "12575:12575"
    environment:
      MYSQL_DB: ${PACS_DB_NAME}
      MYSQL_HOST: ${MYSQL_HOST}
      MYSQL_USER: ${PACS_DB_USER}
      MYSQL_PASSWORD: ${PACS_DB_PASS}
      MYSQL_JDBC_PARAMS: "serverTimezone=America/Sao_Paulo"
      AUTH_SERVER_URL: https://keycloak:8843
      UI_AUTH_SERVER_URL: https://auth-docker.meudominio.com.br
      LDAP_ROOTPASS: ${LDAP_ROOTPASS}
      HTTP_PROXY_ADDRESS_FORWARDING: true

      WILDFLY_WAIT_FOR: ldap:389 mysql:3306 keycloak:8843
    depends_on:
      - ldap
      - mysql
      - keycloak

    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /var/local/dcm4chee-arc/wildfly:/opt/wildfly/standalone

After the containers are running, go to https://auth-docker.meudominio.com.br (my Keycloak login setup page) and log in. In Clients, select dcm4chee-arc-ui and remove the :port inserted in "valid redirect url", "Home URL" and "Root URL"; this is the cause of the "We are sorry... Invalid parameter: redirect_uri" message.

The :port inserted in "valid redirect url", "Home URL" and "Root URL" comes from the ARCHIVE_HTTP_PORT and ARCHIVE_HTTPS_PORT environment variables, and if these variables are not set the defaults are 8080 and 8443. There is no way to set these variables to null, so we have to remove the ports manually in the Keycloak setup page.

Thanks to @Reza Hamidpour for the help.
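The following is an added example (not code from the dcm4che project or from either post) that reproduces the failure mode the thread describes: the client URLs Keycloak is seeded with carry the ARCHIVE_HTTPS_PORT default of 8443, while a browser that arrives through the proxy on 443 sends a redirect_uri with no port, so the strings never match until the port is removed by hand. The matching rule (exact match, or prefix match for patterns ending in `*`) is a simplified approximation of Keycloak's check, and the UI path `/dcm4chee-arc/ui2/` is an assumption.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed values mirroring the thread; the UI path is assumed.
ARCHIVE_HOST = "dicom-docker.meudominio.com.br"
UI_PATH = "/dcm4chee-arc/ui2/"


def archive_ui_url(host: str, https_port: Optional[int]) -> str:
    """Build the archive UI base URL the way the post describes it being
    derived from ARCHIVE_HOST and ARCHIVE_HTTPS_PORT: an unset port does not
    mean 'no port', it means the default 8443."""
    port = 8443 if https_port is None else https_port
    return f"https://{host}:{port}{UI_PATH}"


def strip_port(url: str) -> str:
    """The manual fix from the post: drop ':port' from a client URL pattern."""
    parts = urlsplit(url)
    host = parts.hostname or parts.netloc
    return parts._replace(netloc=host).geturl()


def redirect_allowed(redirect_uri: str, patterns: List[str]) -> bool:
    """Simplified redirect-URI check (assumption: approximates Keycloak):
    a pattern ending in '*' is a prefix match, anything else is exact."""
    for pattern in patterns:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def explain_mismatch(redirect_uri: str, pattern: str) -> Dict[str, Tuple]:
    """Return the URL components that differ between the incoming redirect and
    a configured pattern, so an operator can see that only the port is off."""
    got = urlsplit(redirect_uri)
    want = urlsplit(pattern.rstrip("*"))
    diffs: Dict[str, Tuple] = {}
    for name in ("scheme", "hostname", "port", "path"):
        if getattr(got, name) != getattr(want, name):
            diffs[name] = (getattr(got, name), getattr(want, name))
    return diffs


def demo() -> Tuple[bool, bool]:
    """(allowed with the seeded port-qualified pattern, allowed after the fix)."""
    seeded = archive_ui_url(ARCHIVE_HOST, None) + "*"   # what the defaults produce
    fixed = strip_port(seeded)                           # the edit done in the Keycloak UI
    # The browser reached nginx on 443, so the redirect_uri it sends has no port.
    redirect = f"https://{ARCHIVE_HOST}{UI_PATH}"
    return redirect_allowed(redirect, [seeded]), redirect_allowed(redirect, [fixed])


if __name__ == "__main__":
    seeded = archive_ui_url(ARCHIVE_HOST, None) + "*"
    redirect = f"https://{ARCHIVE_HOST}{UI_PATH}"
    print("seeded pattern :", seeded)
    print("redirect_uri   :", redirect)
    print("differs in     :", explain_mismatch(redirect, seeded))
    print("before / after :", demo())
```

Running it shows the only differing component is `port` (`None` on the redirect, `8443` in the pattern), which is exactly why forwarding the correct `Host` and `X-Forwarded-Proto` headers in nginx is not enough on its own: the registered client URLs still have to agree with the public origin the proxy presents.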