Channel: Active questions tagged https - Stack Overflow

Keycloak behind Traefik reverse proxy: Mixed Content error and HTTP/HTTPS mismatch in Docker Compose setup [closed]


Context

I’m building a production-ready backend for a mobile app. For deployment, I’m using Docker Compose, and Traefik as a reverse proxy / TLS-termination layer. I own a domain and manage several subdomains (e.g. api.example.com, auth.example.com, grafana.example.com). The whole stack is deployed on a single VPS.

I use Keycloak as my identity manager. The mobile app communicates with my API (on api.example.com), and the API in turn interacts with Keycloak for operations such as login, registration, health checks, etc. For management reasons, I'd like Keycloak to also be accessible via auth.example.com (i.e. via Traefik, over HTTPS). Internally, Keycloak receives proxied HTTP traffic (because Traefik terminates TLS).

However, the Keycloak admin UI and some resource requests fail due to mixed-content or CSP issues. The browser console shows errors like:

  Mixed Content: The page at 'https://auth.example.com/admin/master/console/' was loaded over HTTPS, but requested an insecure resource 'http://auth.example.com/resources/master/admin/en'. This request has been blocked; the content must be served over HTTPS.
  keycloak.js:57 Refused to frame 'http://auth.example.com/' because it violates the following Content Security Policy directive: "frame-src 'self'".

I have set the following environment / Keycloak flags in Docker Compose:

  prod-keycloak:
    image: quay.io/keycloak/keycloak:26.2
    environment:
      KC_HOSTNAME: auth.example.com
      KC_PROXY: edge
      KC_HTTP_ENABLED: "true"
      KC_HOSTNAME_STRICT: "false"
      KC_HOSTNAME_STRICT_BACKCHANNEL: "false"
      KC_PROXY_ADDRESS_FORWARDING: "true"
    command:
      ["start", "--http-port", "7080"]
    labels:
      - traefik.enable=true
      - traefik.http.routers.prod-keycloak.rule=Host(`auth.example.com`)
      - traefik.http.routers.prod-keycloak.entrypoints=websecure
      - traefik.http.routers.prod-keycloak.tls.certresolver=letsencrypt
      - traefik.http.services.prod-keycloak.loadbalancer.server.port=7080

Based on this answer from another similar question, I removed the KC_HOSTNAME_PORT configuration. Maybe for me it is different as I don't use the default 8080 port? (Nevertheless, I also already tried with just the default port and it did not work either.)

This is my Traefik configuration in the compose file:

  prod-traefik:
    image: traefik:v3.4
    command: --configFile=/etc/traefik/config.yml
    restart: unless-stopped
    expose:
      - "8080"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/config.yml:/etc/traefik/config.yml:ro
      - ./traefik/certs/letsencrypt-acme.json:/var/traefik/certs/letsencrypt-acme.json
    networks:
      - prod-backend-network

This is the static Traefik configuration defined in config.yml:

  global:
    checkNewVersion: false
    sendAnonymousUsage: false
  log:
    level: INFO
  api:
    dashboard: true
  entryPoints:
    web:
      address: :80
      http:
        redirections:
          entryPoint:
            to: websecure
            scheme: https
    websecure:
      address: :443
  providers:
    docker:
      endpoint: "unix:///var/run/docker.sock"
      exposedByDefault: false
  ###########################
  # SECURITY
  #########################
  certificatesResolvers:
    letsencrypt:
      acme:
        email: "example@email.com"
        storage: "/var/traefik/certs/letsencrypt-acme.json"
        tlsChallenge: true

Yet when I access https://auth.example.com, the address in the address bar gets resolved to https://auth.example.com/admin/master/console/ and I end up with the mixed content / CSP errors. The Keycloak UI fails to load fully. At first there is a spinning bar, and after that I see an error panel that just states "somethingWentWrong" for both the title and the description:

[Screenshot: "somethingWentWrong" Keycloak error panel with no further detail]

What I Already Tried

  • I enabled KC_PROXY="edge" and KC_PROXY_ADDRESS_FORWARDING="true" to allow forwarding headers.
  • I disabled strict hostname checking via KC_HOSTNAME_STRICT: "false".
  • I exposed only the HTTP port inside Keycloak and relied on Traefik to handle TLS.
  • I verified DNS and that Traefik is routing requests correctly to the Keycloak container.
  • I looked in the Keycloak and Traefik logs, but there are no hints for any of the named problems.

My questions

Main Question: Why is Keycloak generating internal URLs (or resources) with http:// rather than https://, and how can I force it to emit secure URLs behind a TLS-terminating proxy?

  • Are there additional Keycloak settings (or container flags) I have not used yet?
  • Do I have to properly configure the X-Forwarded-Proto / Forwarded headers myself? (So that Keycloak knows the original request was HTTPS; I thought this was done automatically when using the KC_PROXY="edge" header.)

Broader operations questions (just skip if too off-topic)

  1. How do teams typically manage multiple environments (dev, staging, prod)? Is Docker Compose still a viable choice, or should I use Kubernetes, Docker Swarm, or other orchestration?
  2. For a self-hosted VPS environment, what tools help with server management, monitoring, scaling (e.g. when adding more servers)?
  3. What are good strategies for backups (e.g. database snapshots, full container backups) in a setup like this?
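The mixed-content errors above come from the backend building absolute URLs with the scheme it sees on the incoming request, which is plain HTTP once Traefik has terminated TLS. A backend only knows the client used HTTPS if it honours the proxy's forwarded headers, and it must honour them only when the request actually came from the proxy. In current Keycloak releases that behaviour is selected with the proxy-headers option (KC_PROXY_HEADERS, values `forwarded` or `xforwarded`); the older KC_PROXY setting used in the question is no longer the way to enable it. The script below is an added example and is not code from the question, from Keycloak or from Traefik: it implements the forwarded-header logic in a few lines so the failure mode can be reproduced offline. The sample headers, the proxy subnet 172.18.0.0/16, the proxy address 172.18.0.2 and the backend host `prod-keycloak:7080` are constructed assumptions.

```python
"""
How a backend behind a TLS-terminating proxy decides which scheme and host go
into the absolute URLs it generates.  Added example; not Keycloak or Traefik
code.  Keycloak selects its own handling with the proxy-headers option
("forwarded" or "xforwarded"); the function below mirrors that idea.
"""
from ipaddress import ip_address, ip_network
from typing import Mapping, Tuple
from urllib.parse import urlunsplit

# Assumption: the proxy reaches the backend from this container subnet.
# Forwarded headers are honoured only when the TCP peer is inside it, so a
# client that can reach the backend directly cannot spoof "proto=https".
TRUSTED_PROXY_NETS = [ip_network("172.18.0.0/16"), ip_network("127.0.0.0/8")]


def is_trusted_proxy(peer_ip: str) -> bool:
    ip = ip_address(peer_ip)
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def parse_forwarded(value: str) -> dict:
    """Parse the first element of an RFC 7239 Forwarded header.
    Only the first element is used; it is the hop nearest the client."""
    first = value.split(",", 1)[0]
    fields = {}
    for pair in first.split(";"):
        if "=" not in pair:
            continue
        key, val = pair.split("=", 1)
        fields[key.strip().lower()] = val.strip().strip('"')
    return fields


def public_origin(headers: Mapping[str, str], peer_ip: str, mode: str,
                  local_scheme: str = "http",
                  local_host: str = "prod-keycloak:7080") -> Tuple[str, str]:
    """Return the (scheme, host) the client actually used.

    mode == "none":       ignore proxy headers (server assumed directly exposed)
    mode == "xforwarded": honour X-Forwarded-Proto / X-Forwarded-Host
    mode == "forwarded":  honour the RFC 7239 Forwarded header
    """
    h = {k.lower(): v for k, v in headers.items()}
    host_hdr = h.get("host", local_host)
    if mode == "none" or not is_trusted_proxy(peer_ip):
        # Either the operator disabled proxy headers or the peer is not the
        # proxy: fall back to what the backend sees on the wire (plain HTTP).
        return local_scheme, host_hdr
    if mode == "xforwarded":
        # Chained proxies append comma-separated values; the first is client-facing.
        scheme = h.get("x-forwarded-proto", local_scheme).split(",")[0].strip()
        host = h.get("x-forwarded-host", host_hdr).split(",")[0].strip()
    elif mode == "forwarded":
        fwd = parse_forwarded(h.get("forwarded", ""))
        scheme = fwd.get("proto", local_scheme)
        host = fwd.get("host", host_hdr)
    else:
        raise ValueError(f"unknown proxy header mode: {mode}")
    if scheme not in ("http", "https"):
        scheme = local_scheme  # never copy an arbitrary scheme into generated URLs
    return scheme, host


def absolute_url(headers: Mapping[str, str], peer_ip: str, path: str, mode: str) -> str:
    scheme, host = public_origin(headers, peer_ip, mode)
    return urlunsplit((scheme, host, path, "", ""))


# Constructed sample: the headers Traefik adds when it forwards an HTTPS request
# for auth.example.com to the backend over plain HTTP.
TRAEFIK_HEADERS = {
    "Host": "auth.example.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "auth.example.com",
    "X-Forwarded-For": "203.0.113.5",
    "X-Forwarded-Port": "443",
}
PROXY_IP = "172.18.0.2"  # constructed: the Traefik container's address
ADMIN_RESOURCE = "/resources/master/admin/en"

if __name__ == "__main__":
    print("proxy headers ignored :", absolute_url(TRAEFIK_HEADERS, PROXY_IP, ADMIN_RESOURCE, "none"))
    print("proxy headers honoured:", absolute_url(TRAEFIK_HEADERS, PROXY_IP, ADMIN_RESOURCE, "xforwarded"))
    print("spoofed from outside  :", absolute_url(TRAEFIK_HEADERS, "198.51.100.7", ADMIN_RESOURCE, "xforwarded"))
```

Running it prints the http:// resource URL from the console error in the first line (headers ignored), the https:// URL in the second (headers honoured from the proxy), and http:// again in the third, where the same headers arrive from a peer outside the proxy subnet and are therefore discarded. With Traefik in front, the `xforwarded` mode is the one that matches the headers Traefik sends by default.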
