Using Keycloak behind an Nginx reverse proxy gives a 502 Bad Gateway error

Problem description (votes: 0, answers: 1)

I am new to both Keycloak and Nginx. I am trying to deploy Keycloak as a route under /keycloak on my website. However, I get a 502 Bad Gateway error.

My nginx configuration is as follows (I replaced the name of my actual website with mywebsite).

Setup

server {
    server_name mywebsite.com www.mywebsite.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        root /var/www/mywebsite/cba-frontend/dist;
        try_files $uri $uri/ /index.html;
    }

    location /keycloak/ {  
        proxy_pass http://localhost:8080; 
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Prefix /keycloak;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.mywebsite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = mywebsite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name mywebsite.com www.mywebsite.com;
    return 404; # managed by Certbot
}

Then I created a Dockerfile for Keycloak:

FROM quay.io/keycloak/keycloak:latest as builder

ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
ENV KC_FEATURES=token-exchange

RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:latest
COPY --from=builder /opt/keycloak/ /opt/keycloak/
WORKDIR /opt/keycloak

ENV KC_HOSTNAME=mywebsite.com
ENV KC_PROXY=edge
ENV KC_HTTP_RELATIVE_PATH=/keycloak

ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]

Finally, I have a docker compose file that puts all of this together:

version: '3.8'

services:
  keycloak:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: custom-keycloak
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KC_HOSTNAME=mywebsite.com
      - KC_PROXY=edge
      - KC_HTTP_RELATIVE_PATH=/keycloak
    volumes:
      - keycloak_data:/opt/keycloak/data
    networks:
      - keycloak-network

networks:
  keycloak-network:
    driver: bridge

volumes:
  keycloak_data:

Problem

When I go to https://www.mywebsite.com/keycloak/, Nginx returns a 502 Bad Gateway error.

The Nginx error log shows the following error (the client IP is not really all zeros; I changed it for display purposes only):

2024/05/23 16:32:34 [error] 101198#101198: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 00.00.000.00, server: mywebsite.com, request: "GET /keycloak/ HTTP/1.1", upstream: "http://127.0.0.1:8080/keycloak/", host: "www.mywebsite.com"

My Keycloak log does not show any obvious errors:

2024-05-23 16:16:20,064 WARN  [org.keycloak.quarkus.runtime.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
        - proxy: Use proxy-headers.
Consult the Release Notes for details.
2024-05-23 16:16:21,699 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: mywebsite.com, Strict HTTPS: true, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-05-23 16:16:22,888 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-05-23 16:16:23,496 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!
2024-05-23 16:16:23,859 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN`
2024-05-23 16:16:23,882 INFO  [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 45137773-0601-447c-9194-18d2540e72f8, name: e60985799b73-886
2024-05-23 16:16:23,934 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
2024-05-23 16:16:23,934 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20MB, but the OS only allocated 212.99KB
2024-05-23 16:16:23,934 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
2024-05-23 16:16:23,935 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25MB, but the OS only allocated 212.99KB
2024-05-23 16:16:23,986 INFO  [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.36638
2024-05-23 16:16:26,024 INFO  [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) e60985799b73-886: no members discovered after 2024 ms: creating cluster as coordinator
2024-05-23 16:16:26,067 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [e60985799b73-886|0] (1) [e60985799b73-886]
2024-05-23 16:16:26,138 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `e60985799b73-886`, physical addresses are `[172.27.0.2:52174]`
2024-05-23 16:16:26,188 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-05-23 16:16:27,979 WARN  [io.quarkus.agroal.runtime.DataSources] (JPA Startup Thread) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-05-23 16:16:29,949 WARN  [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
2024-05-23 16:16:30,471 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: e60985799b73-886, Site name: null
2024-05-23 16:16:30,475 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-05-23 16:16:32,724 INFO  [io.quarkus] (main) Keycloak 24.0.4 on JVM (powered by Quarkus 3.8.4) started in 14.131s. Listening on: http://0.0.0.0:8080
2024-05-23 16:16:32,727 INFO  [io.quarkus] (main) Profile prod activated.
2024-05-23 16:16:32,727 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, keycloak, logging-gelf, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, vertx]

How do I configure my Keycloak correctly for the Nginx reverse proxy? I think I am close, but some header is incorrect and the connection is refused.

sudo docker ps shows that the container is running, and the bridge networks are up too:

fea3c118df24   bridge                           bridge    local
8df754b5793d   cadaskeycloak_keycloak-network   bridge    local
7707e0966816   host                             host      local
117517046e9d   none                             null      local
docker nginx docker-compose keycloak reverse-proxy
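An added worked example from the editor, not a file from the question or the answer: the compose file above gives the `keycloak` service no `ports:` entry, so the container's port 8080 is reachable only on the `keycloak-network` bridge, while the nginx `proxy_pass` dials the host's own 127.0.0.1:8080. That is exactly the situation in which nginx logs `connect() failed (111: Connection refused) while connecting to upstream`. The fragment below publishes the port on loopback only, so nginx can reach it but no external client can talk to Keycloak's plain-HTTP listener directly (or hand it forged `X-Forwarded-*` headers, which is the security issue the Keycloak log warns about; the nginx block above already overwrites those headers with `proxy_set_header`). It also replaces the deprecated `proxy=edge` option with `proxy-headers`, as the deprecation warning in the log recommends. The loopback binding, `KC_PROXY_HEADERS`, `KC_HTTP_ENABLED` and the admin-password placeholder are my choices and assumptions, not anything the asker posted.

```yaml
# Added example (editor's, not the asker's file): docker-compose.yml for the
# keycloak service with its port published so nginx on the host can reach it.
version: '3.8'

services:
  keycloak:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: custom-keycloak
    ports:
      # Publish on loopback only: nginx on the same host proxies to
      # http://localhost:8080, and nothing outside the host can reach
      # Keycloak's plain-HTTP listener or spoof X-Forwarded-* headers.
      - "127.0.0.1:8080:8080"
    environment:
      - KEYCLOAK_ADMIN=admin
      # Placeholder: set a real bootstrap password (e.g. from an .env file).
      - KEYCLOAK_ADMIN_PASSWORD=CHANGE_ME
      - KC_HOSTNAME=mywebsite.com
      - KC_HTTP_RELATIVE_PATH=/keycloak
      # 'proxy=edge' is deprecated in Keycloak 24 (see the log above); the
      # replacement names which forwarded-header family to trust. With
      # proxy-headers the HTTP listener has to be enabled explicitly.
      - KC_PROXY_HEADERS=xforwarded
      - KC_HTTP_ENABLED=true
    volumes:
      - keycloak_data:/opt/keycloak/data
    networks:
      - keycloak-network

networks:
  keycloak-network:
    driver: bridge

volumes:
  keycloak_data:
```

Drop the `ENV KC_PROXY=edge` line from the Dockerfile as well, otherwise the deprecation warning stays. After `docker compose up -d --build`, a `curl -sI http://127.0.0.1:8080/keycloak/` run on the host should return an HTTP status line instead of "Connection refused"; once that works, the nginx `proxy_pass` has something to connect to and the 502 disappears.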
1 answer

0 votes

Maybe this solves the problem; adjust the Dockerfile like this:

ENV KC_PROXY=edge
ENV KC_HOSTNAME_STRICT=false
ENV KC_HOSTNAME_STRICT_HTTPS=false
ENV KC_HOSTNAME_URL=https://mywebsite.com
ENV KC_HOSTNAME_PATH=/keycloak
ENV KC_HOSTNAME_ADMIN_URL=https://mywebsite.com
ENV KC_FRONT_END_URL=https://mywebsite.com
ENV KC_HTTP_RELATIVE_PATH=/keycloak
ENV KC_HTTP_ENABLED=true