so I have a problem getting keycloak 3.2.1 to work behind kong (0.10.3), a reverse proxy based on nginx.
Scenario is:
I call keycloak via my gateway-route via https://{gateway}/auth and it shows me the entrypoint with keycloak logo, link to admin console etc. - so far so good.
But when clicking on administration console -> calling https://{gateway}/auth/admin/master/console/ , keycloak tries to load its css/js via http (see screenie below), which my browser blocks because mixed content.
I searched around and found this thread: keycloak apache server configuration with 'Mixed Content' problems which lead to this github repo: https://github.com/dukecon/keycloak_postgres_https
From there on, I tried to integrate its' cli into my dockerfile with success (did not change the files' contents, just copied them into my repo and add/run them from dockerfile). This is my dockerfile right now:
FROM jboss/keycloak-postgres:3.2.1.FinalUSER rootADD config.sh /tmp/ADD batch.cli /tmp/RUN bash /tmp/config.sh#Give correct permissions when used in an OpenShift environment.RUN chown -R jboss:0 $JBOSS_HOME/standalone && \ chmod -R g+rw $JBOSS_HOME/standaloneUSER jbossEXPOSE 8080Sadly, my problem still exists:
So I am out of ideas for now and hope you could help me out:
How do I tell keycloak to call its' css-files via https here?
do I have to change something in the cli script?
Here's the content of the script:
config.sh:
#!/bin/bash -xset -eJBOSS_HOME=/opt/jboss/keycloakJBOSS_CLI=$JBOSS_HOME/bin/jboss-cli.shJBOSS_MODE=${1:-"standalone"}JBOSS_CONFIG=${2:-"$JBOSS_MODE.xml"}echo "==> Executing..."cd /tmp$JBOSS_CLI --file=`dirname "$0"`/batch.cli# cf. http://stackoverflow.com/questions/34494022/permissions-error-when-using-cli-in-jboss-wildfly-and-docker/bin/rm -rf ${JBOSS_HOME}/${JBOSS_MODE}/configuration/${JBOSS_MODE}_xml_history/currentand batch.cli:
embed-server --std-out=echo# http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html# 3.2.7.2. Enable SSL on a Reverse Proxy# First add proxy-address-forwarding and redirect-socket to the http-listener element.# Then add a new socket-binding element to the socket-binding-group element.batch/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)run-batchstop-embedded-serverIt may be of interest too, that kong is deployed on openshift with a route using a redirect from http to https ( "insecureEdgeTerminationPolicy": "Redirect" ).