Using Keycloak behind a reverse proxy: Could not open Admin login page because of mixed content


Problem description

So I have a problem getting Keycloak 3.2.1 to work behind Kong (0.10.3), a reverse proxy based on nginx.

The scenario is:

I call Keycloak via my gateway route https://{gateway}/auth and it shows me the entry point with the Keycloak logo, the link to the admin console etc. - so far so good.

But when clicking on the administration console -> calling https://{gateway}/auth/admin/master/console/ , Keycloak tries to load its css/js via http (see screenie below), which my browser blocks because of mixed content.

I searched around and found this thread: "keycloak apache server configuration with 'Mixed Content' problems", which led to this GitHub repo: https://github.com/dukecon/keycloak_postgres_https

From there on, I integrated its CLI scripts into my Dockerfile successfully (did not change the files' contents, just copied them into my repo and add/run them from the Dockerfile). This is my Dockerfile right now:

FROM jboss/keycloak-postgres:3.2.1.Final

USER root

ADD config.sh /tmp/
ADD batch.cli /tmp/

RUN bash /tmp/config.sh

#Give correct permissions when used in an OpenShift environment.
RUN chown -R jboss:0 $JBOSS_HOME/standalone && \
    chmod -R g+rw $JBOSS_HOME/standalone

USER jboss
EXPOSE 8080

Sadly, my problem still exists:

So I am out of ideas for now and hope you could help me out:

  • How do I tell Keycloak to call its css files via https here?

Do I have to change something in the CLI script?

Here are the contents of the scripts:

config.sh:

#!/bin/bash -x

set -e

JBOSS_HOME=/opt/jboss/keycloak
JBOSS_CLI=$JBOSS_HOME/bin/jboss-cli.sh
JBOSS_MODE=${1:-"standalone"}
JBOSS_CONFIG=${2:-"$JBOSS_MODE.xml"}

echo "==> Executing..."
cd /tmp

$JBOSS_CLI --file=`dirname "$0"`/batch.cli

# cf. http://stackoverflow.com/questions/34494022/permissions-error-when-using-cli-in-jboss-wildfly-and-docker
/bin/rm -rf ${JBOSS_HOME}/${JBOSS_MODE}/configuration/${JBOSS_MODE}_xml_history/current

and batch.cli:

embed-server --std-out=echo

# http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html
# 3.2.7.2. Enable SSL on a Reverse Proxy
# First add proxy-address-forwarding and redirect-socket to the http-listener element.
# Then add a new socket-binding element to the socket-binding-group element.

batch
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
run-batch

stop-embedded-server

It may be of interest too that Kong is deployed on OpenShift with a route using a redirect from http to https ( "insecureEdgeTerminationPolicy": "Redirect" ).

Recommended answer

Set the request headers X-Forwarded-For and X-Forwarded-Proto in nginx. Then you have to configure Keycloak (Wildfly, Undertow) to work together with the SSL-terminating reverse proxy (aka load balancer). See http://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy for a detailed description.

The point is that nginx is terminating SSL and is forwarding the requests to Keycloak as pure http. Therefore Keycloak/Wildfly must be told that the incoming http requests from nginx must be handled as if they were https.
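The following is an added illustration, not code from the question, the answer or Keycloak: a small Python model of what proxy-address-forwarding does with X-Forwarded-Proto/X-Forwarded-Host when the application builds absolute asset URLs, plus the mixed-content check a browser applies. The trusted-proxy allow-list, the 10.0.0.0/8 network and the sample header values are constructed assumptions for the example; the Undertow setting alone does not filter by peer, so in practice the Keycloak port must only be reachable through the proxy.

```python
import ipaddress
from urllib.parse import urlunsplit

# Assumption for this example: only peers in this range are the TLS-terminating proxy.
# Honouring X-Forwarded-* from any other peer would let a client spoof its scheme
# and source address, so forwarded headers are only trusted from these networks.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def effective_origin(headers, peer_ip, local_scheme="http", local_host="keycloak:8080",
                     honour_forwarded=True):
    """Return the (scheme, host) the application should use for absolute URLs.

    Models proxy-address-forwarding: when enabled and the request comes from a
    trusted proxy, X-Forwarded-Proto / X-Forwarded-Host override the scheme and
    host of the plain http connection the proxy opened to Keycloak.
    """
    h = {k.lower(): v for k, v in headers.items()}
    peer_trusted = any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXIES)
    if honour_forwarded and peer_trusted:
        # A header may carry a comma-separated chain; the first value is the client-facing one.
        scheme = h.get("x-forwarded-proto", local_scheme).split(",")[0].strip()
        host = h.get("x-forwarded-host", local_host).split(",")[0].strip()
        return scheme, host
    return local_scheme, local_host


def asset_url(headers, peer_ip, path, **kw):
    """Absolute URL Keycloak would emit for a css/js resource under the given request."""
    scheme, host = effective_origin(headers, peer_ip, **kw)
    return urlunsplit((scheme, host, path, "", ""))


def is_mixed_content(page_scheme, resource_url):
    """True when an https page references an http resource (what the browser blocks)."""
    return page_scheme == "https" and resource_url.startswith("http://")


if __name__ == "__main__":
    # Constructed headers as a TLS-terminating proxy would add them.
    proxy_headers = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "gateway.example",
                     "X-Forwarded-For": "203.0.113.5"}
    css = "/auth/resources/3.2.1.final/admin/keycloak/css/styles.css"
    # Without proxy-address-forwarding the app only sees the plain http hop: mixed content.
    plain = asset_url(proxy_headers, "10.1.2.3", css, honour_forwarded=False)
    print(plain, "mixed:", is_mixed_content("https", plain))
    # With it enabled the asset is served from the https gateway origin.
    fixed = asset_url(proxy_headers, "10.1.2.3", css)
    print(fixed, "mixed:", is_mixed_content("https", fixed))
```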
