如何正确配置NGINX作为Keycloak前面的代理?
作为文档询问和回答这个问题,因为我现在不得不重复这样做,并且在一段时间后忘记了细节。
这是专门处理 Keycloak 位于反向代理后面的情况,例如nginx 和 NGINX 正在终止 SSL 并推送到 Keycloak。这与以下问题不是同一个问题keycloak 无效参数:redirect_uri https://stackoverflow.com/questions/45352880/keycloak-invalid-parameter-redirect-uri尽管它会产生相同的错误消息。
关键在于文档中https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses
The proxy-address-forwarding必须设置以及各种X-...标头。
如果您使用的是来自https://hub.docker.com/r/jboss/keycloak/ https://hub.docker.com/r/jboss/keycloak/然后设置环境。精氨酸-e PROXY_ADDRESS_FORWARDING=true.
server {
server_name api.domain.com;
location /auth {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8080;
proxy_read_timeout 90;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8081;
proxy_read_timeout 90;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/api.domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/api.domain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = api.domain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name api.domain.com;
listen 80;
return 404; # managed by Certbot
}
如果您使用其他代理,则其中重要的部分是正在设置的标头:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
Apache、ISTIO 和其他公司都有自己的设置方法。
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)
