Keycloak and Traefik

Hello,

I have some trouble implementing Keycloak behind Traefik.

main.tsx:13 Mixed Content: The page at 'https://keycloak.example.com/admin/master/console/' was loaded over HTTPS, but requested an insecure resource 'http://keycloak.example.com/resources/master/admin/en'. This request has been blocked; the content must be served over HTTPS.
loadUrl @ index.js:70
read @ index.js:52
read @ i18next.js:1544
loadOne @ i18next.js:1574
(anonymous) @ i18next.js:1559
prepareLoading @ i18next.js:1558
load @ i18next.js:1563
loadResources @ i18next.js:1871
o @ i18next.js:1976
changeLanguage @ i18next.js:1989
c @ i18next.js:1839
setTimeout
init @ i18next.js:1844
(anonymous) @ main.tsx:13
keycloak.js:57 Refused to frame 'http://keycloak.example.com/' because it violates the following Content Security Policy directive: "frame-src 'self'".

So I can’t see the page…

services:
  keycloak:
    image: quay.io/keycloak/keycloak:latest

    networks:
      - traefik_proxy

    environment:
      - "TZ=Europe/Luxembourg"

      - "KC_BOOTSTRAP_ADMIN=admin"
      - "KC_BOOTSTRAP_ADMIN_PASSWORD=admin"

      - "KC_HOSTNAME=keycloak.example.com"
      - "PROXY_ADDRESS_FORWARDING=true"

      - "KC_DB=mariadb"
      - "KC_DB_URL_HOST=galera-cluster.example.com"
      - "KC_DB_SCHEMA=keycloak"
      - "KC_DB_USERNAME=keycloak"
      - "KC_DB_PASSWORD=keycloak"

      - "KC_LOG_LEVEL=DEBUG"

    volumes:
      - "/etc/localtime:/etc/localtime:ro"

    command:
      - "start-dev"

    deploy:
      mode: replicated
      replicas: 1
      placement:

      # Placement constraints restrict where this Keycloak service's tasks can run
      # (here: only on Swarm manager nodes).
        constraints:
          - node.role == manager

      # Traefik Dynamic configuration via labels
      # In Swarm, labels on the service definition configure Traefik routing for that service.
      labels:
        - "traefik.enable=true"
        - "traefik.swarm.network=traefik_proxy"

        # Keycloak router
        - "traefik.http.routers.keycloak.rule=Host(`keycloak.example.com`)"
        - "traefik.http.routers.keycloak.entrypoints=websecure"
        - "traefik.http.routers.keycloak.tls=true"
        - "traefik.http.routers.keycloak.tls.certresolver=le"
        - "traefik.http.routers.keycloak.service=keycloak"

        # Service hint
        - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
        - "traefik.http.services.keycloak.loadbalancer.server.scheme=http"

networks:
  traefik_proxy:
    external: true

I have tried many things, like KC_PROXY=edge, middleware settings, but nothing works...

Does someone have an idea?

Regards,

This seems strange. Keycloak should recognize the X-Forwarded-Proto: https header from Traefik and should therefore use https for included resources or links. Maybe it needs to be enabled, check doc.
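The point made in the reply above, as an added example that is not part of this thread and not Keycloak's or Traefik's own code: a minimal model of how a backend behind a TLS-terminating proxy decides which scheme and host to put into the absolute URLs it emits. Keycloak itself listens on plain HTTP (port 8080 in the compose file above), so unless it is told to believe the `X-Forwarded-Proto`/`X-Forwarded-Host` headers Traefik adds, it builds `http://` resource links and the browser blocks them as mixed content, which is exactly the console error in the first post. In the Quarkus distribution of Keycloak the switch for this is `KC_PROXY_HEADERS=xforwarded` (`KC_PROXY=edge` is the older spelling); `PROXY_ADDRESS_FORWARDING` is a WildFly-era setting that the current image does not read. The model also shows the other half of that setting: forwarded headers are only believed when the request arrives from the proxy's own network, because a client that reaches the backend port directly could set them at will. The header values, IP ranges, and the function names `resolve_base_url` and `blocked_mixed_content` are constructed for this example.

```python
"""Added example (not Keycloak's or Traefik's code): scheme/host resolution
behind a reverse proxy, and the mixed-content check a browser applies.
All names, headers and addresses below are constructed for illustration."""

import ipaddress
from typing import Iterable, List, Mapping, Optional
from urllib.parse import urlsplit

# Constructed sample: the request as Traefik forwards it to Keycloak after
# terminating TLS. The hop to the backend itself is plain HTTP on port 8080.
FORWARDED_FROM_PROXY = {
    "Host": "keycloak.example.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "keycloak.example.com",
    "X-Forwarded-Port": "443",
}

DEFAULT_PORTS = {"http": "80", "https": "443"}


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def _is_trusted_proxy(remote_addr: str, trusted_proxies: Iterable[str]) -> bool:
    """True when the peer address lies inside one of the configured proxy networks."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted_proxies)


def resolve_base_url(
    headers: Mapping[str, str],
    remote_addr: str,
    transport_scheme: str,
    trusted_proxies: Iterable[str],
    trust_forwarded_headers: bool,
) -> str:
    """Return the scheme://host[:port] prefix absolute URLs should be built from.

    Without trust in forwarded headers the backend only knows what it sees on
    its own socket: plain HTTP and the Host header. With trust enabled, the
    X-Forwarded-* values are used, but only for requests that come from a
    trusted proxy address, so a direct client cannot spoof them.
    """
    scheme = transport_scheme
    host = _header(headers, "Host") or ""
    port: Optional[str] = None

    if trust_forwarded_headers and _is_trusted_proxy(remote_addr, trusted_proxies):
        proto = _header(headers, "X-Forwarded-Proto")
        if proto in ("http", "https"):
            scheme = proto
        forwarded_host = _header(headers, "X-Forwarded-Host")
        if forwarded_host:
            # A chain of proxies appends values; the first one is the client-facing host.
            host = forwarded_host.split(",")[0].strip()
        port = _header(headers, "X-Forwarded-Port")

    if port is None:
        return f"{scheme}://{host}"
    # Drop a port that is already part of Host (IPv4/hostname form only) before
    # deciding whether the forwarded port needs to be written out.
    hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{hostname}"
    return f"{scheme}://{hostname}:{port}"


def blocked_mixed_content(page_url: str, resource_urls: Iterable[str]) -> List[str]:
    """Return the resources a browser refuses to load: http:// subresources on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []
    return [url for url in resource_urls if urlsplit(url).scheme == "http"]


if __name__ == "__main__":
    proxy_net = ("10.0.1.0/24",)  # constructed: the traefik_proxy overlay network
    for trust in (False, True):
        base = resolve_base_url(FORWARDED_FROM_PROXY, "10.0.1.5", "http", proxy_net, trust)
        print(f"trust forwarded headers={trust}: base URL {base}")
    # Same headers, but sent by a host outside the proxy network: ignored.
    print("spoof attempt from 203.0.113.9:",
          resolve_base_url(FORWARDED_FROM_PROXY, "203.0.113.9", "http", proxy_net, True))
    # The URL pair from the console error in the first post.
    print(blocked_mixed_content(
        "https://keycloak.example.com/admin/master/console/",
        ["http://keycloak.example.com/resources/master/admin/en"]))
```

Run it as a script to see the three base URLs side by side: with forwarded headers ignored the backend emits `http://keycloak.example.com`, with them trusted from the proxy it emits `https://keycloak.example.com`, and the same headers from an address outside the proxy network are discarded. The practical check against a real deployment is the same idea: request any Keycloak page through Traefik and look at the scheme of the links and redirects in the response; if they say `http://`, the proxy-header setting is not in effect.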

This is how I configured Keycloak - it also took me a while to get everything working.

The Env Vars seem to be important:
KC_HOSTNAME_URL=https://example.com
KC_HOSTNAME_ADMIN_URL=https://example.com
KC_HOSTNAME_STRICT="false"
KC_HTTP_ENABLED="false"
KC_PROXY=edge
KC_PROXY_ADDRESS_FORWARDING="true"

And these are the Traefik labels I used:
traefik.enable=true
traefik.http.routers.keycloak.rule=Host(`example.com`)
traefik.http.routers.keycloak.entrypoints=websecure
traefik.http.services.keycloak.loadbalancer.server.scheme=https

I think the https configuration for the loadbalancer did the trick for me.

I would recommend adding the port, then you don't depend on the EXPOSE from the keycloak image:

        - traefik.http.services.keycloak.loadbalancer.server.port=8443