Keycloak正在将反向代理与nginx配置一起使用,以在ssl(https)中可用。现在,我已经在ubuntu中部署了.net核心应用程序。该应用程序位于http中,并且使用keycloak作为openid connect进行身份验证。
[但是,当使用nginx将应用托管在https中时,keycloak显示的是无效的重定向URL,而不是登录页面。Keycloak登录URL页面包含带有http而不是https的redirect_uri参数。请帮忙解决在Nginx中的配置文件中完成了反向代理的配置服务器{
听443 ssl;
服务器名称abc.ctech.com;
ssl_certificate /etc/nginx/external/wildcard_ctech_com.pem;
ssl_certificate_key /etc/nginx/external/private.rsa;
位置/ {
proxy_http_version 1.1;
proxy_set_header主机abc.ctech.com;
proxy_set_header X-Real-IP $ remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-For $ proxy_add_x_forwarded_for;
proxy_pass http://172.30.5.28:8001;
}
}
服务器{
听443 ssl;
server_name keycloak.ctech.com;
ssl_certificate /etc/nginx/external/wildcard_ctech_com.pem;
ssl_certificate_key /etc/nginx/external/private.rsa;
位置= / {
返回301 https://keycloak.ctech.com/auth;}
位置/ auth {
proxy_pass http://172.30.5.28:8080/auth;
proxy_http_version 1.1;
proxy_set_header主机keycloak.ctech.com;
proxy_set_header X-Real-IP $ remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-For $ proxy_add_x_forwarded_for;
}
}
我相信您还必须添加一个侦听端口80(http)的服务器块,该服务器块将永久(301)重定向返回到同一服务器的端口443(https)版本。
类似于以下内容...(并且适用于两个地方)
server {
listen 80;
server_name example.com;
return 301 https://$server_name$request_uri;
}
因此,您需要在两个地方都添加永久重定向,用您的实际服务器名称替换(当然)example.com。
让我们知道,谢谢。
您需要将通行证代理到https://keycloak_address:8443/auth;。确保已打开该端口。下面的代码为我工作。
server {
listen 80;
server_name example.com;
server_tokens off;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
server_name example.com;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location /auth {
proxy_pass https://keycloak_address:8443/auth;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
我认为问题在于KEYCLOAK文件配置。您应该在http_listener:
中添加以下参数<http-listener name="default" socket-binding="http" redirect-socket="proxy-https" proxy-address-forwarding="true" enable-http2="true"/>
也添加socket-binding-group:
<socket-binding name="proxy-https" port="443"/>