
Using Nginx as proxy server for Keycloak

I have used Keycloak since its very early stages (when it was at version 2.x). It has come a long way since then (at the time of writing it is at 21.x).

In this article let's configure Keycloak behind Nginx. Here are the points to consider.

 If you want to configure Apache2 as a proxy server for your java application, please check this article.

  1. We are going to use a domain name other than localhost.
  2. Anything other than localhost requires Keycloak to run in production mode, which in turn requires a TLS certificate and the related configuration.
  3. Alternatively, it requires a reverse proxy in front of Keycloak that terminates TLS; that is the approach taken here.
Let's begin.

Requirements

  • Keycloak distribution
  • Ubuntu 22.04 server

Configuring Keycloak

1. Download Keycloak from here.
2. Extract it using tar -xvzf keycloak-21.0.1.tar.gz
3. Create a script file called keycloak.sh with the following contents
#!/bin/bash
# These two variables are only used to create the initial admin user on the first start.
export KEYCLOAK_ADMIN=<admin-username-here>
export KEYCLOAK_ADMIN_PASSWORD=<admin-password-here>

# --proxy edge: TLS is terminated at nginx and Keycloak trusts the X-Forwarded-* headers nginx sets.
# The directory name must match the extracted archive (keycloak-21.0.1.tar.gz above).
nohup keycloak-21.0.1/bin/kc.sh start-dev --proxy edge --hostname-strict=false --hostname=auth.mydomain.com &
4. Start the server with sh keycloak.sh

Configure Nginx and certbot

Certbot is used to obtain and install the Let's Encrypt TLS certificates.

1. Install nginx
sudo apt-get update
sudo apt-get install nginx
2. Check the status of the nginx server.
systemctl status nginx
3. If it is not started, restart it
sudo systemctl restart nginx
4. Create a site file under /etc/nginx/sites-available/mysite with the following content.
server {
    server_name    auth.mydomain.com;

    root /var/www/html;
    index index.html;

    access_log /var/log/nginx/mydomain-access.log;
    error_log /var/log/nginx/mydomain-error.log;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8080;
        
        # The following headers are needed if your application uses the redirect flow to authenticate with Keycloak.
        # Replace localhost:8084 with the application server URL.
        # Note: browsers enforce every Content-Security-Policy header they receive, so this header cannot relax
        # the policy Keycloak sends itself; that one is configured per realm under Security Defenses -> Headers.
        # Prefer the application's origin over "*" for frame-ancestors and object-src.
        add_header Content-Security-Policy "frame-src *; frame-ancestors *; object-src *;";
        add_header Access-Control-Allow-Origin 'http://localhost:8084';
        add_header Access-Control-Allow-Credentials true;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/auth.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/auth.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
5. Enable the site using sudo ln -s /etc/nginx/sites-available/mysite /etc/nginx/sites-enabled/mysite
6. Comment out the following lines (the certificate files do not exist yet) and restart nginx.
#ssl_certificate /etc/letsencrypt/live/auth.mydomain.com/fullchain.pem; # managed by Certbot
#ssl_certificate_key /etc/letsencrypt/live/auth.mydomain.com/privkey.pem; # managed by Certbot
#include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
7. Install the certificates
sudo certbot --nginx
Follow the prompts to complete the TLS certificate generation and installation.
8. Uncomment the following lines and restart nginx
ssl_certificate /etc/letsencrypt/live/auth.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/auth.mydomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

Voilà! Your auth server is now available at https://auth.mydomain.com

If the admin console throws errors and you observe the following in the nginx error log, the upstream response headers (Keycloak's cookies and tokens) exceed nginx's default proxy buffer size.

2023/03/02 10:20:20 [error] 1747#1747: *160 upstream sent too big header while reading response header from upstream...

It can be fixed by adding the following lines under the http section of /etc/nginx/nginx.conf.
http {
  ...
    proxy_buffer_size   128k;
    proxy_buffers   4 256k;
    proxy_busy_buffers_size   256k;
}
Restart nginx.
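As an added check (example code written for this article's setup, not part of the original post, of Keycloak or of nginx), the following Python script parses nginx configuration text and reports whether the site file and the http-section buffer lines above carry the headers, the ssl listener and the buffer size that Keycloak's --proxy edge mode needs. The embedded sample is a condensed, constructed copy of the configuration shown above.

```python
import re

# Headers Keycloak needs from an edge proxy to build correct https:// URLs (assumed set for --proxy edge).
REQUIRED_HEADERS = {"Host", "X-Forwarded-For", "X-Forwarded-Proto", "X-Forwarded-Host"}

def parse_directives(text):
    """Yield (context, name, args) per directive, e.g. ('server/location /', 'proxy_pass', [...])."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments such as "# managed by Certbot"
    stack, cur = [], []
    for tok in re.findall(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};]+", text):
        if tok == "{":
            stack.append(" ".join(cur)); cur = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            yield "/".join(stack), cur[0], [a.strip("'\"") for a in cur[1:]]; cur = []
        else:
            cur.append(tok)

def to_bytes(size):  # nginx size literal ('128k', '4m', '512') -> bytes
    m = re.fullmatch(r"(\d+)([kKmM]?)", size)
    return int(m[1]) * {"": 1, "k": 1024, "m": 1024 ** 2}[m[2].lower()]

def check_keycloak_proxy(text):
    """Return findings for a site file plus nginx.conf text; [] means it matches the article's setup."""
    d = list(parse_directives(text))
    loc = [(n, a) for ctx, n, a in d if ctx.startswith("server/location /")]
    sent = {a[0] for n, a in loc if n == "proxy_set_header"}
    f = [f"missing proxy_set_header {h}" for h in sorted(REQUIRED_HEADERS - sent)]
    if not any(n == "listen" and "ssl" in a for _, n, a in d):
        f.append("no 'listen ... ssl': X-Forwarded-Proto would never be https")
    if any(n == "add_header" and a[0] == "Content-Security-Policy" and "*" in a[1] for n, a in loc):
        f.append("CSP uses '*': narrow frame-ancestors to the application origin")
    sizes = [to_bytes(a[0]) for _, n, a in d if n == "proxy_buffer_size"]
    if not sizes or min(sizes) < to_bytes("128k"):
        f.append("proxy_buffer_size < 128k: expect 'upstream sent too big header'")
    return f

# Constructed sample: the article's site file, condensed, plus the http-section buffer lines.
SAMPLE = """
http { proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k; }
server {
    listen 443 ssl; server_name auth.mydomain.com;
    location / {
        proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8080; add_header Content-Security-Policy "frame-src *; frame-ancestors *; object-src *;";
    }
}
"""
```

Run check_keycloak_proxy on the concatenated text of your site file and nginx.conf; on the sample it reports only the wildcard CSP, and dropping the http block or an X-Forwarded-* line produces the corresponding finding.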

Comments

  1. Using Nginx as a proxy server for Keycloak is a smart choice for enhancing security and performance. It efficiently handles authentication flows, improving user experience and simplifying access management. Your guide on configuring Nginx to proxy requests to Keycloak is clear and practical, making it accessible even for those new to server setups. This setup not only ensures seamless integration but also boosts the reliability and scalability of applications relying on Keycloak for identity and access management.
