keycloak service: allow to set empty frontend URL

This together with extraConfig:

{
  "subsystem=undertow"."server=default-server"."http-listener=default"."proxy-address-forwarding" = true;
  "subsystem=undertow"."server=default-server"."https-listener=https"."proxy-address-forwarding" = true;
}

Allows to run Keycloak behind a reverse proxy that provides
X-Forwarded-* headers.
This commit is contained in:
Nikolay Amiantov 2022-01-09 21:01:11 +03:00
parent 84f70eefd1
commit 97a0cf62f0
2 changed files with 11 additions and 2 deletions

View file

@ -55,7 +55,11 @@ in
frontendUrl = lib.mkOption {
type = lib.types.str;
apply = x: if lib.hasSuffix "/" x then x else x + "/";
apply = x:
if x == "" || lib.hasSuffix "/" x then
x
else
x + "/";
example = "keycloak.example.com/auth";
description = ''
The public URL used as base for all frontend requests. Should

View file

@ -85,7 +85,12 @@
The frontend URL is used as base for all frontend requests and
must be configured through <xref linkend="opt-services.keycloak.frontendUrl" />.
It should normally include a trailing <literal>/auth</literal>
(the default web context).
(the default web context). If you use a reverse proxy, you need
to set this option to <literal>""</literal>, so that frontend URL
is derived from HTTP headers. <literal>X-Forwarded-*</literal> headers
support also should be enabled, using <link
xlink:href="https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses">
respective guidelines</link>.
</para>
<para>