set keycloak behind reverse-proxy

felixevers · felixevers · commit f1c0543c8c34 · 2025-12-15T15:41:57.000+01:00
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -17,18 +17,18 @@ services:
       KC_DB_PASSWORD: "password"
 
       KC_HOSTNAME: "localhost"
-      KC_HOSTNAME_PORT: 8080
       KC_HOSTNAME_STRICT: false
+      KC_PROXY: edge
+      KC_HTTP_RELATIVE_PATH: /keycloak
+      KC_HTTP_ENABLED: true
 
       KEYCLOAK_ADMIN: "admin"
       KEYCLOAK_ADMIN_PASSWORD: "admin"
-    command: start-dev --import-realm
+    command: start --import-realm
     depends_on:
       - keycloak-postgres
     volumes:
       - "./keycloak:/opt/keycloak/data/import:ro"
-    ports:
-      - "8080:8080"
 
   postgres:
     image: postgres:15.15
@@ -45,6 +45,7 @@ services:
 
   backend:
     image: ghcr.io/helpwave/tasks-backend:latest
+    build: backend
     environment:
       DATABASE_HOSTNAME: "postgres"
       DATABASE_NAME: "postgres"
@@ -67,19 +68,24 @@ services:
   web:
     image: ghcr.io/helpwave/tasks-web:latest
     environment:
-      ISSUER_URI: "http://localhost:8080/realms/tasks"
-      CLIENT_ID: "tasks-web"
+      RUNTIME_ISSUER_URI: "http://localhost/keycloak/realms/tasks"
+      RUNTIME_REDIRECT_URI: "http://localhost/auth/callback"
+      RUNTIME_POST_LOGOUT_REDIRECT_URI: "http://localhost/"
+      RUNTIME_CLIENT_ID: "tasks-web"
     depends_on:
       - backend
 
   proxy:
     image: ghcr.io/helpwave/tasks-proxy:latest
+    build: proxy
     environment:
+      KEYCLOAK_HOST: keycloak:8080
       BACKEND_HOST: backend:80
       FRONTEND_HOST: web:80
     ports:
       - "80:80"
     depends_on:
+      - keycloak
       - backend
       - web
 
diff --git a/proxy/Dockerfile b/proxy/Dockerfile
@@ -4,4 +4,4 @@ COPY nginx.conf /etc/nginx/nginx.conf.template
 
 EXPOSE 80
 
-CMD ["/bin/sh", "-c", "envsubst '${FRONTEND_HOST} ${BACKEND_HOST}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'"]
+CMD ["/bin/sh", "-c", "envsubst '${FRONTEND_HOST} ${BACKEND_HOST} ${KEYCLOAK_HOST}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'"]
diff --git a/proxy/nginx.conf b/proxy/nginx.conf
@@ -14,6 +14,11 @@ http {
         server ${BACKEND_HOST};
     }
 
+    upstream keycloak_upstream {
+        server ${KEYCLOAK_HOST};
+    }
+
+
     server {
         listen 80;
         server_name localhost;
@@ -31,6 +36,17 @@ http {
             proxy_set_header Connection "upgrade";
         }
 
+        location /keycloak/ {
+            proxy_pass http://keycloak_upstream/keycloak/;
+
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            proxy_http_version 1.1;
+        }
+
         location / {
             proxy_pass http://frontend_upstream;
 
diff --git a/simulator/.gitignore b/simulator/.gitignore
@@ -1,2 +1,3 @@
 .env
-
+.env*
+!.env.example

Original file line number	Diff line number	Diff line change
`@@ -4,4 +4,4 @@ COPY nginx.conf /etc/nginx/nginx.conf.template`
`4`	`4`
`5`	`5`	`EXPOSE 80`
`6`	`6`
`7`		`-CMD ["/bin/sh", "-c", "envsubst '${FRONTEND_HOST} ${BACKEND_HOST}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'"]`
	`7`	`+CMD ["/bin/sh", "-c", "envsubst '${FRONTEND_HOST} ${BACKEND_HOST} ${KEYCLOAK_HOST}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'"]`
-Original file line number
+Diff line change
@@ @@ -1,2 +1,3 @@ @@
 .env
+-
 +.env*
 +!.env.example