Develop Reference

Keycloak in Docker with proxy such as nginx using non-standard ports

This is sort of a follow up question to this question.
Originally, I tried to get Keycloak to work in Docker and needed TLS, so I used nginx with docker compose. But I got an infinite spinner like people in the question, which I found via Google when trying to solve my problem. So I read in answers that people in the question said not to KC_HOSTNAME_PORT. So I tried this and indeed, it worked with port 443.
That is fine and good, but I want to get Keycloak to work in my setup with different ports such as 8443. Can someone explain how to do this based on the setup offered in the original question I referred to? Or post a complete example with a docker-compose.yml of how to do it with nginx or traefik?
EDIT: If it helps, here is my docker-compose.yml:
version: '3'
services:
keycloak:
image: quay.io/keycloak/keycloak:19.0.2
container_name: keycloak
environment:
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
PROXY_ADDRESS_FORWARDING: 'true'
KC_HOSTNAME_STRICT: 'false'
KC_HTTP_ENABLED: 'true'
KC_PROXY: 'edge'
# more
KC_PROXY_ADDRESS_FORWARDING: "true"
KC_HOSTNAME: kvm1.home
#KC_HOSTNAME_PORT: 4443
ports:
- "8080:8080"
command:
- start-dev
- "--proxy=edge"
- "--hostname-strict-https=false"
nginx:
image: nginx:1.23.1
container_name: nginx
volumes:
- ./templates:/etc/nginx/templates
ports:
#- "8000:80"
#- "4443:443"
- "80:80"
- "443:443"
environment:
- NGINX_HOST=localhost
- NGINX_PORT=80
volumes:
- ./ssl:/etc/nginx/ssl
- ./sites-enabled:/etc/nginx/sites-enabled
- ./nginx.conf:/etc/nginx/nginx.conf:rw
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
# include snippets/snakeoil.conf;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name kvm1.home;
location / {
proxy_pass http://kvm1.home:8080/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
If I used the uncommented KC_HOSTNAME_PORT and the uncommented different ports in nginx.environment, I get the infinite spinner.

If you want keycloak to expose keycloak on a different port, you need to make two changes:
Change the port on which you're publishing web-secure endpoint from Traefik
Set KC_HOSTNAME_PORT to match the new port
So that gets us:
version: "3"
services:
traefik:
image: docker.io/traefik
command:
- --api.insecure=true
- --providers.docker
- --entrypoints.web.address=:80
- --entrypoints.web-secure.address=:443
ports:
- "127.0.0.1:8080:8080"
- "80:80"
- "8443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
keycloak:
image: quay.io/keycloak/keycloak
restart: always
command: start
environment:
KC_PROXY_ADDRESS_FORWARDING: "true"
KC_HOSTNAME_STRICT: "false"
KC_HOSTNAME: auth.example.com
KC_HOSTNAME_PORT: 8443
KC_PROXY: edge
KC_HTTP_ENABLED: "true"
KC_DB: postgres
KC_DB_URL: jdbc:postgresql://postgres:5432/$POSTGRES_DB?ssl=allow
KC_DB_USERNAME: $POSTGRES_USER
KC_DB_PASSWORD: $POSTGRES_PASSWORD
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: password
labels:
- "traefik.http.routers.cloud-network-keycloak.rule=Host(`auth.example.com`)"
- "traefik.http.routers.cloud-network-keycloak.tls=true"
- "traefik.http.services.cloud-network-keycloak.loadbalancer.server.port=8080"
postgres:
image: docker.io/postgres:14
environment:
POSTGRES_USER: $POSTGRES_USER
POSTGRES_PASSWORD: $POSTGRES_PASSWORD
POSTGRES_DB: $POSTGRES_DB
With this configuration, and an appropriate entry in my local /etc/hosts, file, I can access keycloak at https://auth.example.com:8443.

How to connect two docker containers together

I have a reactjs front end application and a simple python flask. And I am using a docker-compose.yml to spin up both the containers, and it is like this:
version: "3.2"
services:
frontend:
build: .
environment:
CHOKIDAR_USEPOLLING: "true"
ports:
- 80:80
links:
- "backend:backend"
depends_on:
- backend
backend:
build: ./api
# volumes:
# - ./api:/usr/src/app
environment:
# CHOKIDAR_USEPOLLING: "true"
FLASK_APP: /usr/src/app/server.py
FLASK_DEBUG: 1
ports:
- 8083:8083
I have used links so the frontend service can talk to backend service using axios as below:
axio.get("http://backend:8083/monitors").then(res => {
this.setState({
status: res.data
});
});
I used docker-compose up --build -d to build and start the two containers and they are started without any issue and running fine.
But now the frontend cannot talk to backend.
I am using an AWS ec2 instance. When the page loads, I tried to see the for any console errors and I get this error:
VM167:1 GET http://backend:8083/monitors net::ERR_NAME_NOT_RESOLVED
Can someone please help me?
The backend service is up and running.

You can use a nginx as reverse proxy for both
The compose file
version: "3.2"
services:
frontend:
build: .
environment:
CHOKIDAR_USEPOLLING: "true"
depends_on:
- backend
backend:
build: ./api
# volumes:
# - ./api:/usr/src/app
environment:
# CHOKIDAR_USEPOLLING: "true"
FLASK_APP: /usr/src/app/server.py
FLASK_DEBUG: 1
proxy:
image: nginx
volumes:
- ./nginx.conf:/etc/nginx/conf.d/example.conf
ports:
- 80:80
minimal nginx config (nginx.conf):
server {
server_name example.com;
server_tokens off;
location / {
proxy_pass http://frontend:80;
}
}
server {
server_name api.example.com;
server_tokens off;
location / {
proxy_pass http://backend:8083;
}
}
The request hits the nginx container and is routed according the domain to the right container.
To use example.com and api.example.com you need to edit your hosts file:
Linux: /etc/hosts
Windows: c:\windows\system32\drivers\etc\hosts
Mac: /private/etc/hosts
127.0.0.1 example.com api.example.com

Problem with nginx reverse proxy and docker. Only one proxy_path is working

I am completly lost.. So i have two proxy_paths in my nginx conf: '/' and '/api'. '/' redirects to my frontend and is working perfectly but the '/api' proxy path is not working at all. The proxy server is logging requests to '/api/' but not forwarding them to my actual api-server. I'm missing something. Is the '/' proxy_path some sort of catch all that overrides any other proxy paths? Any assistance would be invaluable! Thanks! Here are my configs:
nginx reverse proxy conf:
server {
listen 80;
server_name proxy;
location / {
proxy_pass http://frontend_prod:3000/;
}
location /api {
proxy_pass http://api_prod:3333/;
}
}
docker-compose:
version: '3.1'
services:
proxy:
build: ./proxy/
ports:
- '9000:80'
restart: always
depends_on:
- frontend_prod
- api_prod
frontend_prod:
build: ./frontend/nginx/
ports:
- '3000'
depends_on:
- api_prod
restart: always
db:
image: mariadb
restart: always
environment:
MYSQL_ROOT_PASSWORD: hunter2
api_prod:
build: ./backend/api/
command: npm run production
ports:
- '3333'
depends_on:
- db

Error 502 accessing nextcloud via docker with nginx

Heyo!
Update: I figured it out and added my answer.
I'm currently in the process of learning docker and I've written a docker-compose file that should launch nginx, gitea, nextcloud and route them all via domain name as a reverse proxy.
All is going well except for with nextcloud. I can access it via localhost:3001 but not via the nginx reverse proxy. All is well with gitea, it works both ways.
The error I'm getting is:
nginx_proxy | 2018/08/10 00:17:34 [error] 8#8: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 172.19.0.1, server: cloud.example.ca, request: "GET / HTTP/1.1", upstream: "http://172.19.0.4:3001/", host: "cloud.example.ca"
docker-compose.yml:
version: '3.1'
services:
nginx:
container_name: nginx_proxy
image: nginx:latest
restart: always
volumes:
// Here I'm swapping out my default.conf for the container's by mounting my
directory over theirs.
- ./nginx-conf:/etc/nginx/conf.d
ports:
- 80:80
- 443:443
networks:
- proxy
nextcloud_db:
container_name: nextcloud_db
image: mariadb:latest
restart: always
volumes:
- nextcloud_db:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD_FILE: /run/secrets/cloud_db_root
MYSQL_PASSWORD_FILE: /run/secrets/cloud_db_pass
MYSQL_DATABASE: devcloud
MYSQL_USER: devcloud
secrets:
- cloud_db_root
- cloud_db_pass
networks:
- database
gitea_db:
container_name: gitea_db
image: mariadb:latest
restart: always
volumes:
- gitea_db:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD_FILE: /run/secrets/cloud_db_root
MYSQL_PASSWORD_FILE: /run/secrets/cloud_db_pass
MYSQL_DATABASE: gitea
MYSQL_USER: gitea
secrets:
- cloud_db_root
- cloud_db_pass
networks:
- database
nextcloud:
image: nextcloud
container_name: nextcloud
ports:
- 3001:80
volumes:
- nextcloud:/var/www/html
restart: always
networks:
- proxy
- database
gitea:
container_name: gitea
image: gitea/gitea:latest
environment:
- USER_UID=1000
- USER_GID=1000
restart: always
volumes:
- gitea:/data
ports:
- 3000:3000
- 22:22
networks:
- proxy
- database
volumes:
nextcloud:
nextcloud_db:
gitea:
gitea_db:
networks:
proxy:
database:
secrets:
cloud_db_pass:
file: cloud_db_pass.txt
cloud_db_root:
file: cloud_db_root.txt
My default.conf that gets mounted into /etc/nginx/conf.d/default.conf
upstream nextcloud {
server nextcloud:3001;
}
upstream gitea {
server gitea:3000;
}
server {
listen 80;
listen [::]:80;
server_name cloud.example.ca;
location / {
proxy_pass http://nextcloud;
}
}
server {
listen 80;
listen [::]:80;
server_name git.example.ca;
location / {
proxy_pass http://gitea;
}
}
I of course have my hosts file setup to route the domains to localhost. I've done a bit of googling but nothing I've found so far seems to align with what I'm running into. Thanks in advance!

Long story short, one does not simply reverse proxy to port 80 with nextcloud. It's just not allowed. I have it deployed and working great with a certificate over 443! :)

Traefik with nginx container

I spend so much time on it and I didn't found any solution.
I already setup Traefik and the nginx container, here is my docker-compose.yml
version: '3'
networks:
proxy:
external: true
internal:
external: false
services:
mysql:
image: 'mysql:5.7'
environment:
MYSQL_ROOT_PASSWORD: null
networks:
- internal
labels:
- traefik.enable=false
adminer:
image: 'adminer:latest'
labels:
- traefik.backend=adminer
- 'traefik.frontend.rule=Host:db-admin.xxxx.xyz'
- traefik.docker.network=proxy
- traefik.port=8080
networks:
- internal
- proxy
depends_on:
- mysql
portainer:
image: portainer/portainer
networks:
- internal
- proxy
labels:
- "traefik.frontend.rule=Host:portainer.xxxx.xyz"
- "traefik.port=9000"
- "traefik.backend=portainer"
- traefik.docker.network=proxy
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
restart: unless-stopped
Nginx-Pro:
image: nginx:latest
container_name: Nginx-Pro
labels:
- traefik.backend=Nginx-Pro
- traefik.frontend.rule=Host:new.xxxx.fr
- traefik.docker.network=proxy
- "traefik.port=80"
- "traefix.port=443"
- "traefik.frontend.entryPoints=http"
networks:
- internal
- proxy
depends_on:
- mysql
volumes:
- /var/www/nginx-pro/:/var/www/
- /etc/nginx/nginx-pro/:/etc/nginx
So I also setup vhost on the server in /etc/nginx/sites-enabled
I also add log to traefik conf but nothing is appening.
Here is my vhost config :
server {
listen *:80;
root /var/www/new.xxx.fr;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
server_name new.xxx.fr www.new.xxx.fr;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ /index.php?$args;
}
location ~ /\.ht {
deny all;
}
}
And the problem is that i always have Bad Gateway message from Traefik.

You need to add traefik.frontend.passHostHeader so nginx can match the Host header with the server_name.
But as this nginx is only for the one domain you match already with traefik.frontend.rule=Host:new.xxxx.fr you can also leave the server_name out of the nginx vhost config and use the default config.
Also remove "traefix.port=443" as you only use http between traefik and nginx, what you want is "traefik.frontend.entryPoints=http,https", you can also add "traefik.frontend.headers.SSLRedirect=true" to always redirect http to https.