Skip to content

Troubleshooting

Redirect Issues

The persistent issue of Keycloak generating URLs with internal names (e.g., https://keycloak_servers/) or https://auth-node1.quintessence.de/ when it should use https://loadbalancer.quintessence.de/ typically stems from how Keycloak perceives its public URL, especially in multi-proxy setups.

Based on the existing configuration, these are the most critical points:

KC_HOSTNAME_URL and KC_HOSTNAME_ADMIN_URL: 1. Verification: Ensure the exact URL https://loadbalancer.quintessence.de/auth configured in the Keycloak docker-compose.yml file. This tells Keycloak its true public address.

KC_PROXY_HEADERS: xforwarded and PROXY_ADDRESS_FORWARDING: 'true': - Verification: These settings tell Keycloak to trust the proxy headers. The xforwarded value specifically implies that Keycloak will look for X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Host. - The Chain is Key: The X-Forwarded-Host header must flow correctly through both Nginx layers:

  * **LB Nginx:** proxy_set_header X-Forwarded-Host $host; (sets loadbalancer.quintessence.de as the forwarded host).
  * **Node Nginx:** proxy_set_header X-Forwarded-Host $http_x_forwarded_host; (passes through the X-Forwarded-Host it received from the LB Nginx).

KC_HOSTNAME_INTERNAL_URL vs. Public URL: - Our custom Keycloak implementation uses KC_HOSTNAME_INTERNAL_URL. Ensure this is correctly set to the individual node's FQDN (https://auth-node1.quintessence.de/auth). This is likely for internal callbacks or for the extra_hosts entry to function correctly. This should not affect public redirects if KC_HOSTNAME_URL is set and trusted.

KC_HOSTNAME_STRICT_HTTPS: "false", KC_HOSTNAME_STRICT: "false", KC_HTTP_ENABLED: "true":

  • These settings make Keycloak less strict about hostname matching and allow internal HTTP communication. While useful for proxying, they don't replace the need for the correct X-Forwarded-Host header.

Changelog

Date Author Message
2026-03-04 aresnikowa QC-47927: aligned with the template, mkDocs formatting alignment
2026-02-25 aresnikowa QC-50171: in Keycloak folder, adjusted admonitions
2026-02-25 aresnikowa Merge remote-tracking branch 'origin/master'