two identical keycloak servers + nginx as reverse proxy


Gregory Edigarov
Hello,

Can somebody enlighten me please?

I have two identical keycloak servers running in HA mode via DNS
discovery keycloak1.my.domain & keycloak2.my.domain

The DNS discovery record is: keycloak.my.domain

This part is working, no questions.


Now I am trying to add nginx to the picture:

upstream signin {
    server 172.19.24.13:8080;
    server 172.19.24.16:8080;
}

server {

    listen 443;
    ignore_invalid_headers off;
    ssl on;
    ssl_certificate /etc/ssl/my.domain.crt;
    ssl_certificate_key /etc/ssl/my.domain.key;

    server_name signin.my.domain;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    location / {
        proxy_pass          http://signin;
        proxy_redirect      off;
        proxy_set_header    Host               $host;
        proxy_set_header    X-Real-IP          $remote_addr;
        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Host   $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header    X-Forwarded-Port   $server_port;
        proxy_set_header    X-Forwarded-Proto  $scheme;
    }
}

Every request to https://signin.my.domain results in error 500, and in
the logs I see:

rewrite or internal redirection cycle while internally redirecting to
"////////////",

I know exactly that the keycloak part works; I could go to
keycloak.my.domain in my browser, no problem.


_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: two identical keycloak servers + nginx as reverse proxy

Francis Daly
On Mon, Nov 25, 2019 at 12:24:18PM +0200, Gregory Edigarov wrote:

Hi there,

>         location / {
>             proxy_pass          http://signin;
>             proxy_redirect      off;
>             proxy_set_header    Host               $host;

> Every request to https://signin.my.domain results in error 500, and in
> the logs I see:
>
> rewrite or internal redirection cycle while internally redirecting to
> "////////////",

I think that the config snippet that you show does not lead to the error
log that you show.

Is there some other config in place?

If you add the line

  return 200 "Inside location /, request $uri\n";

before the proxy_pass, and make the same request, what response do you get?

> I know exactly that the keycloak part works; I could go to
> keycloak.my.domain in my browser, no problem.

You report that you can go to keycloak.my.domain in your browser and
things work.

Your config asks nginx to go to http://172.19.24.13:8080 using the hostname
signin.my.domain.

That is not the same as keycloak.my.domain. Possibly that difference is
a reason for things not working?

Cheers,

        f
--
Francis Daly        [hidden email]
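
The Host-name comparison raised in the reply above, as an added example that is not part of the original thread: the script sends the same request straight to each backend, once with the Host name nginx forwards (signin.my.domain) and once with the name used in the browser test (keycloak.my.domain), and lists the backends whose status or Location header differs. The function names probe and compare_hosts are chosen for this sketch; the addresses and host names are the ones quoted in the thread.

```python
import http.client


def probe(backend_ip, port, host_header, path="/", timeout=5.0):
    """GET `path` from backend_ip:port with an explicit Host header.

    Returns (status, Location header or None). Redirects are not followed,
    so a redirect loop shows up as a 3xx plus its target, not as a hang.
    """
    conn = http.client.HTTPConnection(backend_ip, port, timeout=timeout)
    try:
        # skip_host=True stops http.client from adding its own Host header.
        conn.putrequest("GET", path, skip_host=True)
        conn.putheader("Host", host_header)
        conn.putheader("Connection", "close")
        conn.endheaders()
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def compare_hosts(backends, host_names, path="/"):
    """Probe every backend with every Host value.

    Returns (results, differing): results maps (ip, port, host) to the probe
    outcome; differing lists backends whose answer depends on the Host name.
    """
    results = {}
    for ip, port in backends:
        for name in host_names:
            try:
                results[(ip, port, name)] = probe(ip, port, name, path)
            except (OSError, http.client.HTTPException) as exc:
                results[(ip, port, name)] = ("error", str(exc))
    differing = [
        (ip, port) for ip, port in backends
        if len({results[(ip, port, name)] for name in host_names}) > 1
    ]
    return results, differing


if __name__ == "__main__":
    # Upstream addresses and host names as quoted in the thread.
    backends = [("172.19.24.13", 8080), ("172.19.24.16", 8080)]
    names = ["signin.my.domain", "keycloak.my.domain"]
    results, differing = compare_hosts(backends, names)
    for key, outcome in sorted(results.items()):
        print(key, "->", outcome)
    print("backends that answer differently by Host:", differing)
```

An empty "differing" list means the backends treat both names alike, which points back at the nginx side and the question of what other configuration is in place.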