Help with Enabling HTTPS for Keycloak Behind Nginx


Eeshan Manja

Mar 4, 2025, 8:07:03 AM3/4/25
to Keycloak User

I’m running Keycloak in a Docker container and have set up an Nginx reverse proxy to make it accessible at docsbot.agency. My current setup allows access via HTTP, but I need to enable HTTPS using an SSL certificate I have for the domain.

Currently, I launch Keycloak with the following command:

```
sudo docker run -d -p 8000:8080 \
    -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
    -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
    quay.io/keycloak/keycloak:26.0.7 start-dev
```


My Nginx configuration is as follows:

```
server {
    listen 80;
    server_name docsbot.agency;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```


How can I modify my setup to correctly enable HTTPS? Should I configure Keycloak differently, or should I handle it entirely through Nginx?

Any guidance would be much appreciated!




Miguel C

Mar 5, 2025, 10:06:49 AM3/5/25
to Keycloak User
This seems to be more of a question for NGINX not Keycloak.

That said, you can still keep the same proxy pass rule and KC will still listen on 8080; the proxy (nginx) can terminate TLS, so you only need to make sure to change to prod 443 and set up the rest like certs (http://nginx.org/en/docs/http/configuring_https_servers.html).

That said, on the Keycloak side you do need to set up reverse proxy headers, see:

In your case you are using "X-Forwarded-*", so in KC it should use "xforwarded", either via the "--proxy-headers" startup flag or the "KC_PROXY_HEADERS" env var.

See:
https://www.keycloak.org/server/all-config?q=proxy-headers

Tony Breeds

Mar 6, 2025, 5:13:27 PM3/6/25
to Keycloak User
Hi,
  I don't know about nginx ... or very much about keycloak either but I recently got it working where Apache terminates SSL and talks to Keycloak over http.


The important part of my apache virtual host is:
```
        AllowEncodedSlashes On
        SSLProxyEngine on
        SetEnv proxy-initial-not-pooled 1
        RequestHeader set "X-Forwarded-Port" expr=%{SERVER_PORT}
        RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
        RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

        ProxyPass "/keycloak/" "http://192.168.2.5:8080/keycloak/" ttl=120 disablereuse=On retry=0
        ProxyPassReverse "/keycloak/" "http://192.168.2.5:8080/keycloak/"

```
 and then my compose file looks like:

```
  keycloak:
   .....
    environment:
      KC_HTTP_ENABLED: "true"
      KC_HOSTNAME: "My.host.name"
      KC_HOSTNAME_PORT: "9443"
      KC_HTTP_RELATIVE_PATH: "/keycloak/"
      KC_PROXY: edge
      KC_HOSTNAME_STRICT: "false"
      KC_PROXY_HEADERS: xforwarded
      KC_TRUSTED_PROXY_ADDRESSES: "192.168.2.1/24,127.0.0.1/8"
      KC_SPI_X509CERT_LOOKUP_APACHE_SSL_CLIENT_CERT: SSL_CLIENT_CERT
      KC_SPI_X509CERT_LOOKUP_APACHE_SSL_CERT_CHAIN_PREFIX: CERT_CHAIN
      KC_SPI_X509CERT_LOOKUP_APACHE_CERTIFICATE_CHAIN_LENGTH: 10
      KEYCLOAK_ADMIN: XXXX
      KEYCLOAK_ADMIN_PASSWORD: XXXX
      KC_HOSTNAME_DEBUG: "true"
      DB_VENDOR: h2
```

I found that I needed the KC_HOSTNAME and KC_HOSTNAME_PORT variables to get various URLs correct.

If you haven't tried it yet, https://My.host.name:9443/keycloak/realms/master/hostname-debug is super helpful for verifying your various settings are correct.

It took me close to 2 days of trying to get it working so there are possibly things I have set that aren't needed.