authorNikolay Amiantov <ab@fmap.me>2022-01-09 21:01:11 +0300
committerNikolay Amiantov <ab@fmap.me>2022-01-16 11:41:50 +0300
commit97a0cf62f098d21a31c4dc03294e4919e88c225f (patch)
tree6c4a5c149437cd96c16044b74d0c2465cb64ce20 /nixos
parent84f70eefd1c4f90e892164afa39931a9fc5ba8db (diff)
keycloak service: allow to set empty frontend URL
This together with extraConfig:

{
  "subsystem=undertow"."server=default-server"."http-listener=default"."proxy-address-forwarding" = true;
  "subsystem=undertow"."server=default-server"."https-listener=https"."proxy-address-forwarding" = true;
}

Allows to run Keycloak behind a reverse proxy that provides
X-Forwarded-* headers.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/web-apps/keycloak.nix6
-rw-r--r--nixos/modules/services/web-apps/keycloak.xml7
2 files changed, 11 insertions, 2 deletions
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 39e5ab970b9..aff4ed8dd60 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -55,7 +55,11 @@ in
 
     frontendUrl = lib.mkOption {
       type = lib.types.str;
-      apply = x: if lib.hasSuffix "/" x then x else x + "/";
+      apply = x:
+        if x == "" || lib.hasSuffix "/" x then
+          x
+        else
+          x + "/";
       example = "keycloak.example.com/auth";
       description = ''
         The public URL used as base for all frontend requests. Should
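Review bot: The new `x == ""` branch in `apply` makes the empty string a special value, but the `description` of `frontendUrl` that begins in this hunk (it continues outside it) still reads as if a URL is always given, and `example` shows only the URL form. With `""` the frontend URL is taken from request headers, so anything built on it (redirects, links, presumably token issuer values) follows whatever `Host` / `X-Forwarded-*` values reach Keycloak once `proxy-address-forwarding` is enabled. I would document that next to the option itself, for instance `Set to "" only if Keycloak is reachable exclusively through a reverse proxy that overwrites the X-Forwarded-* headers; the frontend URL is then derived from them.` It is also worth checking that the listener is not exposed on an address clients can reach directly when this mode is used, since the module cannot tell from the empty string alone.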
diff --git a/nixos/modules/services/web-apps/keycloak.xml b/nixos/modules/services/web-apps/keycloak.xml
index 8c3e35a051b..cb706932f48 100644
--- a/nixos/modules/services/web-apps/keycloak.xml
+++ b/nixos/modules/services/web-apps/keycloak.xml
@@ -85,7 +85,12 @@
        The frontend URL is used as base for all frontend requests and
        must be configured through <xref linkend="opt-services.keycloak.frontendUrl" />.
        It should normally include a trailing <literal>/auth</literal>
-       (the default web context).
+       (the default web context). If you use a reverse proxy, you need
+       to set this option to <literal>""</literal>, so that frontend URL
+       is derived from HTTP headers. <literal>X-Forwarded-*</literal> headers
+       support also should be enabled, using <link
+       xlink:href="https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses">
+       respective guidelines</link>.
      </para>
 
      <para>