deploying keycloak generated by JHipster on linux behind nginx resulting in https error "Mixed Content: The page at"

huangapple go评论86阅读模式
英文:

deploying keycloak generated by JHipster on linux behind nginx resulting in https error "Mixed Content: The page at"

问题

我正在使用jhipster生成器,在生成应用程序之后,这是我的keycloak.yml文件:

version: '3.8'
services:
  keycloak:
    image: quay.io/keycloak/keycloak:19.0.1
    command: ['start-dev --import-realm --http-relative-path=/auth']
    volumes:
      - ./realm-config:/opt/keycloak/data/import
 #     - /etc/ssl/certs:/etc/x509/certs
#      - /etc/ssl/certs:/e
#      - /etc/ssl/certs/auth-website.crt:/etc/ssl/certs
#      - /etc/ssl/private:/etc/ssl/private
    environment:
      - KC_DB=dev-file
      - KEYCLOAK_ADMIN=xxxxx
      - KEYCLOAK_ADMIN_PASSWORD=xxxxx
      - KC_FEATURES=scripts
      - KC_HTTP_PORT=9080
      - KC_HTTPS_PORT=9443
#      - KC_HOSTNAME=auth.website.com
#      - KEYCLOAK_FRONTEND_URL=https://auth.website.com/auth
#      - PROXY_ADDRESS_FORWARDING=true
#      - KC_HTTPS_CERTIFICATE_FILE=/etc/ssl/certs/auth-website.crt
#      - KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/ssl/private/auth-website.key
#      - KC_HTTPS_CERTIFICATE_FILE=/etc/ssl/certs/auth-website.crt
#      - KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/ssl/private/auth-website.key
    # 如果要在开发计算机之外公开这些端口,请删除“127.0.0.1:”前缀
    ports:
      - 9080:9080
      - 9443:9443

我的nginx文件如下:

server {
    server_name auth.website.com;
    return 301 https://auth.website.com$request_uri;
}
server {

#    listen 443 ssl http2;
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/website.crt;
    ssl_certificate_key /etc/ssl/private/website.key;
    add_header Content-Security-Policy "frame-src 'self' http://auth.website>;

    server_name auth.website.com www.auth.website.com;
    index index.html index.htm;
    access_log /var/log/nginx/auth-website.log;
    error_log  /var/log/nginx/auth-website-error.log error;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_buffer_size   128k;
        proxy_buffers   4 256k;
        proxy_busy_buffers_size   256k;
        proxy_pass http://website_ip_address:9080;
        proxy_redirect off;
    }

    location /auth {
        proxy_pass http://localhost:9080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

当我尝试访问https://auth.website.com/auth/时,一切都按预期运行,但对于URL https://auth.website.com/auth/admin/master/console/ 的管理控制台,我得到的页面始终显示“加载管理控制台”和控制台错误:
拒绝加载'http://auth.website.com/',因为它违反了以下内容安全策略指令:"frame-src 'self'"。

我认为Keycloak正在尝试使用HTTP加载某些内容而不是HTTPS。我在这一点上陷入了困境。

我已经尝试了很多更改sites-available文件和keycloak.yml,但都没有解决问题。

英文:

I am using jhipster generator, after generating the application this is my keycloak.yml file:

version: '3.8'
services:
  keycloak:
    image: quay.io/keycloak/keycloak:19.0.1
    command: ['start-dev --import-realm --http-relative-path=/auth']
    volumes:
      - ./realm-config:/opt/keycloak/data/import
 #     - /etc/ssl/certs:/etc/x509/certs
#      - /etc/ssl/certs:/e
#      - /etc/ssl/certs/auth-website.crt:/etc/ssl/certs
#      - /etc/ssl/private:/etc/ssl/private
    environment:
      - KC_DB=dev-file
      - KEYCLOAK_ADMIN=xxxxx
      - KEYCLOAK_ADMIN_PASSWORD=xxxxx
      - KC_FEATURES=scripts
      - KC_HTTP_PORT=9080
      - KC_HTTPS_PORT=9443
#      - KC_HOSTNAME=auth.website.com
#      - KEYCLOAK_FRONTEND_URL=https://auth.website.com/auth
#      - PROXY_ADDRESS_FORWARDING=true
#      - KC_HTTPS_CERTIFICATE_FILE=/etc/ssl/certs/auth-website.crt
#      - KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/ssl/private/auth-website.key
#      - KC_HTTPS_CERTIFICATE_FILE=/etc/ssl/certs/auth-website.crt
#      - KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/ssl/private/auth-website.key
    # If you want to expose these ports outside your dev PC,
    # remove the "127.0.0.1:" prefix
    ports:
      - 9080:9080
      - 9443:9443

My nginx file for this is:

server {
    server_name auth.website.com;
    return 301 https://auth.website.com$request_uri;
}
server {

#    listen 443 ssl http2;
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/website.crt;
    ssl_certificate_key /etc/ssl/private/website.key;
    add_header Content-Security-Policy "frame-src 'self' http://auth.website>

    server_name auth.website.com www.auth.website.com;
    index index.html index.htm;
    access_log /var/log/nginx/auth-website.log;
    error_log  /var/log/nginx/auth-website-error.log error;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_buffer_size   128k;
        proxy_buffers   4 256k;
        proxy_busy_buffers_size   256k;
        proxy_pass http://website_ip_address:9080;
        proxy_redirect off;
    }

    location /auth {
        proxy_pass http://localhost:9080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

`
when I try to access https://auth.website.com/auth/ every thing run as expected, but for the admin console at url https://auth.website.com/auth/admin/master/console/, I am getting a page that is always showing "Loading the admin console" and a console error:
Refused to frame 'http://auth.website.com/' because it violates the following Content Security Policy directive: "frame-src 'self'".

I think keycloak is trying to load something using http instead of https. I am stuck at this point.

I have tried a lot of changes to the sites-available file and to keycloak.yml, but none fixed the problem.

答案1

得分: 1

请将 KC_PROXY: edge 添加到 Keycloak Docker 容器的环境变量中。如果您在代理后面运行 Keycloak,这是必需的。

您可以在此处找到更多关于此的文档:https://www.keycloak.org/server/reverseproxy

英文:

Please add KC_PROXY: edge to the environment variables of the keycloak docker container. That is needed, if you run keycloak behind a proxy.

You can find more documentation about this here: https://www.keycloak.org/server/reverseproxy

huangapple
  • 本文由 发表于 2023年7月18日 04:05:15
  • 转载请务必保留本文链接:https://go.coder-hub.com/76707758.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定