Tags: docker, docker-compose, proxy, keycloak, traefik

I cannot get Keycloak working in Docker behind Traefik


I have a domain example.org.

I have Docker running there with Traefik as a proxy. Now I want to set up Keycloak. I want to access Keycloak on auth.example.org. This is my config (docker-compose):

    keycloak:
        image: quay.io/keycloak/keycloak
        restart: always
        command: start
        environment:
            # Compose requires environment values to be strings or numbers,
            # so booleans are quoted.
            KC_PROXY_ADDRESS_FORWARDING: "true"
            KC_HOSTNAME_STRICT: "false"
            KC_HOSTNAME: auth.example.org
            KC_HOSTNAME_PORT: 443
            KC_HTTP_ENABLED: "true"
            KC_DB: postgres
            KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak?ssl=allow
            KC_DB_USERNAME: root
            KC_DB_PASSWORD: password
            KEYCLOAK_ADMIN: admin
            KEYCLOAK_ADMIN_PASSWORD: password
        labels:
            - "traefik.http.routers.cloud-network-keycloak.rule=Host(`auth.example.org`)"
            - "traefik.http.routers.cloud-network-keycloak.entrypoints=websecure"
            - "traefik.http.routers.cloud-network-keycloak.tls.certresolver=letsencryptresolver"
            - "traefik.http.routers.cloud-network-keycloak.tls=true"
            - "traefik.http.services.cloud-network-keycloak.loadbalancer.server.port=8080"
        depends_on:
            postgres:
                condition: service_healthy
        networks:
            - internal
            - traefik

However, loading the Keycloak admin console on https://auth.example.org/admin/master/console/ throws an error in the browser:

    URL: https://auth.example.org/realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=security-admin-console&origin=https%3A%2F%2Fauth.example.org
    Status: 403

I have no clue ... how to resolve this?


Solution

In order to get Keycloak responding properly on port 443, I need to remove the KC_HOSTNAME_PORT configuration, leaving me with:

    version: "3"
    
    services:
      traefik:
        image: docio.io/traefik
        command:
          # api.insecure exposes the dashboard without authentication; it is only
          # published on 127.0.0.1 below, so it is not reachable from outside.
          - --api.insecure=true
          # The Docker provider creates a router for every container by default;
          # set --providers.docker.exposedbydefault=false and label the services
          # you want routed if postgres must not get one.
          - --providers.docker
          - --entrypoints.web.address=:80
          - --entrypoints.web-secure.address=:443
        ports:
          - "127.0.0.1:8080:8080"
          - "80:80"
          - "443:443"
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
    
      keycloak:
        image: quay.io/keycloak/keycloak
        restart: always
        command: start
        environment:
          KC_PROXY_ADDRESS_FORWARDING: "true"
          KC_HOSTNAME_STRICT: "false"
          # No KC_HOSTNAME_PORT: the public URL is https://auth.example.com with
          # the implicit port 443, matching the origin the browser sends.
          KC_HOSTNAME: auth.example.com
          # edge: TLS terminates at Traefik, Keycloak is reached over plain HTTP
          # and reads the forwarded headers from the proxy.
          KC_PROXY: edge
          KC_HTTP_ENABLED: "true"
          KC_DB: postgres
          KC_DB_URL: jdbc:postgresql://postgres:5432/$POSTGRES_DB?ssl=allow
          KC_DB_USERNAME: $POSTGRES_USER
          KC_DB_PASSWORD: $POSTGRES_PASSWORD
          KEYCLOAK_ADMIN: admin
          KEYCLOAK_ADMIN_PASSWORD: password
        labels:
          - "traefik.http.routers.cloud-network-keycloak.rule=Host(`auth.example.com`)"
          - "traefik.http.routers.cloud-network-keycloak.tls=true"
          - "traefik.http.services.cloud-network-keycloak.loadbalancer.server.port=8080"
    
      postgres:
        image: docker.io/postgres:14
        environment:
          POSTGRES_USER: $POSTGRES_USER
          POSTGRES_PASSWORD: $POSTGRES_PASSWORD
          POSTGRES_DB: $POSTGRES_DB
    

This works for me without errors when I connect to it as https://auth.example.com. If I re-introduce the KC_HOSTNAME_PORT setting, I get the same "infinite spinning wheel" that you reported in your question.
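A check worth running after a hostname or proxy change like the one above (an added example, not code from the question or the answer): it fetches the realm's OpenID discovery document through the proxy and reports every advertised URL whose scheme, host or explicit port differs from the origin the browser uses, which is the kind of origin mismatch that surfaced as the login-status-iframe 403 in the question. The default origin `https://auth.example.com` and the realm `master` are assumptions; the sample documents in the test are constructed.

```python
"""Post-deployment check: does Keycloak behind the proxy advertise the right origin?"""
import json
import sys
import urllib.request
from urllib.parse import urlsplit

# Keycloak's discovery endpoint for a realm (the realm name is an assumption).
DISCOVERY_PATH = "/realms/{realm}/.well-known/openid-configuration"


def check_discovery(doc: dict, expected_origin: str) -> list[str]:
    """Return a list of problems found in an OIDC discovery document.

    Every URL Keycloak publishes (issuer and *_endpoint) must start with
    expected_origin exactly: same scheme, same host, and no explicit port,
    because a browser treats "https://auth.example.com" and
    "https://auth.example.com:443" as different origins.
    """
    exp = urlsplit(expected_origin)
    problems = []
    urls = {"issuer": doc.get("issuer")}
    urls.update({k: v for k, v in doc.items() if k.endswith("_endpoint")})
    for name, url in urls.items():
        if not isinstance(url, str):
            problems.append(f"{name}: missing")
            continue
        got = urlsplit(url)
        if got.scheme != exp.scheme:
            problems.append(f"{name}: scheme {got.scheme!r}, expected {exp.scheme!r}")
        if got.hostname != exp.hostname:
            problems.append(f"{name}: host {got.hostname!r}, expected {exp.hostname!r}")
        if got.port is not None:  # an explicit port makes a different origin
            problems.append(f"{name}: explicit port {got.port} in {url}")
    return problems


def fetch_discovery(origin: str, realm: str = "master") -> dict:
    """Fetch the discovery document through the proxy, the way a browser would."""
    url = origin + DISCOVERY_PATH.format(realm=realm)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    origin = sys.argv[1] if len(sys.argv) > 1 else "https://auth.example.com"
    found = check_discovery(fetch_discovery(origin), origin)
    print("\n".join(found) or f"OK: all advertised URLs are under {origin}")
    sys.exit(1 if found else 0)
```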