keycloak service: allow to set empty frontend URL
This together with extraConfig: { "subsystem=undertow"."server=default-server"."http-listener=default"."proxy-address-forwarding" = true; "subsystem=undertow"."server=default-server"."https-listener=https"."proxy-address-forwarding" = true; } Allows to run Keycloak behind a reverse proxy that provides X-Forwarded-* headers.
This commit is contained in:
parent
84f70eefd1
commit
97a0cf62f0
@ -55,7 +55,11 @@ in
|
||||
|
||||
frontendUrl = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
apply = x: if lib.hasSuffix "/" x then x else x + "/";
|
||||
apply = x:
|
||||
if x == "" || lib.hasSuffix "/" x then
|
||||
x
|
||||
else
|
||||
x + "/";
|
||||
example = "keycloak.example.com/auth";
|
||||
description = ''
|
||||
The public URL used as base for all frontend requests. Should
|
||||
|
@ -85,7 +85,12 @@
|
||||
The frontend URL is used as base for all frontend requests and
|
||||
must be configured through <xref linkend="opt-services.keycloak.frontendUrl" />.
|
||||
It should normally include a trailing <literal>/auth</literal>
|
||||
(the default web context).
|
||||
(the default web context). If you use a reverse proxy, you need
|
||||
to set this option to <literal>""</literal>, so that frontend URL
|
||||
is derived from HTTP headers. <literal>X-Forwarded-*</literal> headers
|
||||
support also should be enabled, using <link
|
||||
xlink:href="https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses">
|
||||
respective guidelines</link>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
|
Loading…
Reference in New Issue
Block a user