Configure reverse-proxy for Keycloak docker with custom base URL

How can I set the Docker Keycloak base URL as a parameter?

I have the following nginx reverse proxy configuration:

server {
    listen 80;
    server_name example.com;

    location /keycloak {
        proxy_pass http://example.com:8087/;
    }
}

When I try to access http://example.com/keycloak/ I get a Keycloak HTTP redirect to http://example.com/auth/ instead of http://example.com/keycloak/auth/

Any ideas?



Solution 1:[1]

The redirect from /keycloak to /keycloak/auth isn't working. The redirect route in index.html and Base-URL is missing the /keycloak part. I had to add this:

FROM jboss/keycloak:latest

USER jboss

RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone.xml
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/standalone/configuration/standalone-ha.xml
RUN sed -i -e 's/name="\/"/name="\/keycloak\/"/' $JBOSS_HOME/standalone/configuration/standalone.xml
RUN sed -i -e 's/name="\/"/name="\/keycloak\/"/' $JBOSS_HOME/standalone/configuration/standalone-ha.xml
RUN sed -i -e 's/\/auth/\/keycloak\/auth/' $JBOSS_HOME/welcome-content/index.html
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' $JBOSS_HOME/domain/configuration/domain.xml

Solution 2:[2]

Building on @Francois Maturel's response: for the latest Keycloak (currently 4.8.x), I had to add an additional line to replace the web-context in standalone-ha.xml as well:

FROM jboss/keycloak:latest
USER jboss
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone.xml
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
RUN sed -i -e 's/\/auth/\/keycloak\/auth/' /opt/jboss/keycloak/welcome-content/index.html

The reason is that the docker-entrypoint.sh startup script will use standalone-ha.xml configuration in addition to standalone.xml unless the -c flag is passed. See here: https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/docker-entrypoint.sh

Solution 3:[3]

I can also confirm that when using the Docker image for Keycloak 6.0.1, the standalone-ha.xml file also needs to be changed using the sed command:

RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone.xml
RUN sed -i -e 's/<web-context>auth<\/web-context>/<web-context>keycloak\/auth<\/web-context>/' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
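
Added example (not part of any answer above, and not the Keycloak image's own tooling): sed -i exits 0 even when its pattern matches nothing, so a Dockerfile built from the sed lines in Solutions 1 to 3 can build cleanly yet keep the old /auth context if a newer image moves or drops the element. The hypothetical helper set_web_context below checks each file before and after the edit and returns non-zero so a RUN step would fail; write_samples and its files are constructed stand-ins, not real Keycloak configuration.

```shell
#!/bin/sh
# Added example. Constructed inputs only; not the Keycloak project's tooling.
# Usage: set_web_context NEW_CONTEXT FILE...
# Returns 0 only if every FILE ends up with <web-context>NEW_CONTEXT</web-context>.
set_web_context() {
    new_ctx=$1; shift
    # Escape \, & and | so the value is safe on the replacement side of s|||
    esc=$(printf '%s' "$new_ctx" | sed -e 's/[\\&|]/\\&/g')
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f" >&2; rc=1; continue
        fi
        if grep -qF "<web-context>$new_ctx</web-context>" "$f"; then
            echo "ALREADY  $f"; continue   # re-running the build step is harmless
        fi
        if ! grep -qF "<web-context>auth</web-context>" "$f"; then
            # A bare sed would exit 0 here and leave the old base path in place
            echo "NOMATCH  $f" >&2; rc=1; continue
        fi
        sed -i -e "s|<web-context>auth</web-context>|<web-context>$esc</web-context>|" "$f"
        if grep -qF "<web-context>$new_ctx</web-context>" "$f"; then
            echo "PATCHED  $f"
        else
            echo "FAILED   $f" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed stand-ins: one file with the element, one file without it.
write_samples() {
    printf '%s\n' '<subsystem>' '  <web-context>auth</web-context>' '</subsystem>' > "$1/standalone.xml"
    printf '%s\n' '<subsystem>' '  <providers/>' '</subsystem>' > "$1/no-context.xml"
}

# Demo run on the constructed files
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
set_web_context keycloak/auth "$demo_dir/standalone.xml" "$demo_dir/no-context.xml" \
    || echo "non-zero status: a Dockerfile RUN step would stop the build here"
rm -rf "$demo_dir"
```
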

Solution 4:[4]

In my case, I have an existing Keycloak (v8.0.1) on Docker, so I had to update the database as well.

  1. Launch Keycloak Docker container with the following environment variable:

    PROXY_ADDRESS_FORWARDING: 'true'

  2. Update the database. I'm using Postgres.

    psql -U keycloak -d keycloak

    update realm set ssl_required='NONE';

  3. Restart Keycloak

Example for Postgres DB, by Sairam Krish

Solution 5:[5]

In Keycloak 18.x you can't use web-context anymore.

There is now a new argument http-relative-path, which contains the path relative to '/'.

CLI: --http-relative-path

Env: KC_HTTP_RELATIVE_PATH

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 ntg
Solution 2 ntg
Solution 3 Prageeth Athulathmudali
Solution 4 Carlo Ledesma
Solution 5 Dennis Meissel