deploying keycloak generated by JHipster on linux behind nginx resulting in https error "Mixed Content: The page at"


Question


I am using jhipster generator, after generating the application this is my keycloak.yml file:

version: '3.8'
services:
  keycloak:
    image: quay.io/keycloak/keycloak:19.0.1
    command: ['start-dev --import-realm --http-relative-path=/auth']
    volumes:
      - ./realm-config:/opt/keycloak/data/import
 #     - /etc/ssl/certs:/etc/x509/certs
#      - /etc/ssl/certs:/e
#      - /etc/ssl/certs/auth-website.crt:/etc/ssl/certs
#      - /etc/ssl/private:/etc/ssl/private
    environment:
      - KC_DB=dev-file
      - KEYCLOAK_ADMIN=xxxxx
      - KEYCLOAK_ADMIN_PASSWORD=xxxxx
      - KC_FEATURES=scripts
      - KC_HTTP_PORT=9080
      - KC_HTTPS_PORT=9443
#      - KC_HOSTNAME=auth.website.com
#      - KEYCLOAK_FRONTEND_URL=https://auth.website.com/auth
#      - PROXY_ADDRESS_FORWARDING=true
#      - KC_HTTPS_CERTIFICATE_FILE=/etc/ssl/certs/auth-website.crt
#      - KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/ssl/private/auth-website.key
#      - KC_HTTPS_CERTIFICATE_FILE=/etc/ssl/certs/auth-website.crt
#      - KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/ssl/private/auth-website.key
    # If you want to expose these ports outside your dev PC,
    # remove the "127.0.0.1:" prefix
    ports:
      - 9080:9080
      - 9443:9443

My nginx file for this is:

server {
    server_name auth.website.com;
    return 301 https://auth.website.com$request_uri;
}
server {

#    listen 443 ssl http2;
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/website.crt;
    ssl_certificate_key /etc/ssl/private/website.key;
    add_header Content-Security-Policy "frame-src 'self' http://auth.website>

    server_name auth.website.com www.auth.website.com;
    index index.html index.htm;
    access_log /var/log/nginx/auth-website.log;
    error_log  /var/log/nginx/auth-website-error.log error;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_buffer_size   128k;
        proxy_buffers   4 256k;
        proxy_busy_buffers_size   256k;
        proxy_pass http://website_ip_address:9080;
        proxy_redirect off;
    }

    location /auth {
        proxy_pass http://localhost:9080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

When I try to access https://auth.website.com/auth/ everything runs as expected, but for the admin console at URL https://auth.website.com/auth/admin/master/console/, I am getting a page that is always showing "Loading the admin console" and a console error:
Refused to frame 'http://auth.website.com/' because it violates the following Content Security Policy directive: "frame-src 'self'".

I think keycloak is trying to load something using http instead of https. I am stuck at this point.

I have tried a lot of changes to the sites-available file and to keycloak.yml, but none fixed the problem.

Answer 1

Score: 1


Please add KC_PROXY: edge to the environment variables of the keycloak docker container. That is needed if you run keycloak behind a proxy.

You can find more documentation about this here: https://www.keycloak.org/server/reverseproxy
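A quick way to confirm whether the proxy setting took effect is to look at the realm's OpenID Connect discovery document: when Keycloak does not trust X-Forwarded-Proto it publishes http:// endpoints even though the browser reached it over https, and the admin console then tries to frame an http:// URL, which is what the CSP "frame-src 'self'" error above reports. The script below is an added example, not code from the question, the answer, or the Keycloak project; the two discovery documents embedded in it are constructed samples (the "before" one mimics a proxy-unaware Keycloak, the "after" one the same deployment with KC_PROXY=edge), and the hostname and /auth path are the placeholders used in the question.

```python
import json
import sys
import urllib.request

# Keys of an OpenID Connect discovery document whose values are URLs the
# browser (including the admin console) will navigate to, fetch or frame.
URL_KEYS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "end_session_endpoint",
    "jwks_uri",
    "check_session_iframe",
)


def insecure_endpoints(discovery: dict) -> list:
    """Return the discovery keys whose URL is not https://.

    Behind a TLS-terminating proxy every one of these must be https://.
    An http:// value means Keycloak built its public URLs from the plain
    backend request (http://localhost:9080) instead of the proxy's
    X-Forwarded-Proto header, i.e. KC_PROXY=edge is missing or the proxy
    is not sending the header.
    """
    return [
        key for key in URL_KEYS
        if key in discovery and not str(discovery[key]).startswith("https://")
    ]


def check_live(discovery_url: str) -> list:
    """Fetch a real discovery document over the network and run the same check."""
    with urllib.request.urlopen(discovery_url, timeout=10) as resp:
        return insecure_endpoints(json.load(resp))


# Constructed sample: what a proxy-unaware Keycloak answers when nginx
# forwards https traffic to http://localhost:9080 and KC_PROXY is unset.
SAMPLE_BEFORE = {
    "issuer": "http://auth.website.com/auth/realms/master",
    "authorization_endpoint": "http://auth.website.com/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://auth.website.com/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "http://auth.website.com/auth/realms/master/protocol/openid-connect/certs",
}

# Constructed sample: the same deployment after KC_PROXY=edge, with nginx
# still sending "proxy_set_header X-Forwarded-Proto $scheme".
SAMPLE_AFTER = {k: v.replace("http://", "https://", 1) for k, v in SAMPLE_BEFORE.items()}


if __name__ == "__main__":
    # Pass a live discovery URL as the first argument to check a real server;
    # without one the constructed samples are checked instead.
    if len(sys.argv) > 1:
        bad = check_live(sys.argv[1])
    else:
        print("before KC_PROXY=edge:", insecure_endpoints(SAMPLE_BEFORE))
        bad = insecure_endpoints(SAMPLE_AFTER)
        print("after  KC_PROXY=edge:", bad)
    if bad:
        print("http:// endpoints found, proxy headers are not trusted:", bad)
        sys.exit(1)
    print("all published endpoints use https://")
```

Against the question's setup the live check would be run as `python check_discovery.py https://auth.website.com/auth/realms/master/.well-known/openid-configuration` (the /auth prefix comes from the --http-relative-path=/auth option in the compose command). A non-empty result after setting KC_PROXY=edge usually means the proxy_set_header X-Forwarded-Proto line is missing from the location block that actually serves the request.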

Posted by huangapple on 2023-07-18 04:05:15
Please keep this link when reposting: https://go.coder-hub.com/76707758.html