Containerized Keycloak behind Nginx not working (502 Bad Gateway)

I need to serve containerized Keycloak behind Nginx. Keycloak runs without any problem at 'localhost:8080', but when I try to access it through the reverse proxy at 'localhost/auth' I get '502 Bad Gateway'.

Here are the details of the error taken from the Nginx logs:

[error] 8#8: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.80.1, server: , request: "GET /auth/ HTTP/1.1", upstream: "http://127.0.0.1:8080/auth/", host: "localhost"

Please find below my docker-compose file (I haven't pasted the other containers):

version: '3'
services:
  keycloak:
    image: jboss/keycloak
    container_name: keycloak
    ports:
      - "8080:8080"
    environment:
      KEYCLOAK_USER: ${KEYCLOAK_USER}
      KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD}
      KEYCLOAK_DB_VENDOR: ${KEYCLOAK_DB_VENDOR}
      KEYCLOAK_DB_ADDR: ${KEYCLOAK_DB_ADDR}
      KEYCLOAK_DB_DATABASE: ${KEYCLOAK_DB_DATABASE}
      KEYCLOAK_DB_USER: ${KEYCLOAK_DB_USER}
      KEYCLOAK_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
      PROXY_ADDRESS_FORWARDING: 'true'
    depends_on:
      - keycloak-db

  keycloak-db:
    image: postgres
    container_name: keycloak-db
    restart: unless-stopped
    environment:
      POSTGRES_USER: ${POSTGRES_USERNAME}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: keycloak
    volumes:
      - ./keycloak/data:/var/lib/postgresql/data/
    networks:
      - my-app

  nginx:
    image: nginx:1.15-alpine
    container_name: nginx
    build:
      context: ./nginx
    restart: unless-stopped
    ports:
      - "80:80"
    volumes:
      - ./nginx/conf:/etc/nginx/conf.d
    networks:
      - my-app

networks:
  my-app:

This is the Nginx upstream.conf:

# path: /etc/nginx/conf.d/upstream.conf

# Keycloak server
upstream keycloak {
    server localhost:8080;
}

Nginx default.conf:

server {
    listen 80;
    root  /usr/share/nginx/html;
    include /etc/nginx/mime.types;

    # keycloak
    location /auth {
        proxy_pass http://keycloak/auth;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }

    location /auth/admin {
        proxy_pass http://keycloak/auth/admin;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }

}

Does anyone have any idea what is wrong in my configuration?



Solution 1:[1]

Obvious problem:

upstream keycloak {
    server localhost:8080;
}

Each container has its own "localhost", so you are connecting to nginx's localhost != keycloak's localhost != host's localhost. Use the service name there, e.g.:

upstream keycloak {
    server keycloak:8080;
}
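
A static check for the mistake discussed above, as an added example that is not part of the original question or answer: it reads each `server host:port` line of an upstream block and compares it with the compose services. It goes one step beyond the loopback case and also reports an upstream service that shares no network with the proxy or that publishes a host port. The compose data is a constructed, trimmed model of the posted file, and the names `check_upstreams`, `networks_of` and `is_loopback` are hypothetical.

```python
import ipaddress
import re

# Constructed from the question: the compose file as a YAML loader would return
# it (trimmed to the keys that matter here) and the text of upstream.conf.
COMPOSE = {"services": {
    "keycloak": {"ports": ["8080:8080"]},  # no networks: key in the question
    "keycloak-db": {"networks": ["my-app"]},
    "nginx": {"ports": ["80:80"], "networks": ["my-app"]},
}}
UPSTREAM_CONF = "upstream keycloak {\n    server localhost:8080;\n}\n"
SERVER_RE = re.compile(r"^\s*server\s+(\[[^\]]+\]|[^\s;:]+):(\d+)", re.M)


def networks_of(service):
    # Compose puts a service without a networks: key on the "default" network.
    return set(service.get("networks") or ["default"])


def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # a hostname, not an IP literal


def check_upstreams(compose, nginx_conf, proxy="nginx"):
    """Return (host, finding) pairs for each `server host:port` in nginx_conf."""
    services = compose["services"]
    findings = []
    for host, _port in SERVER_RE.findall(nginx_conf):
        if is_loopback(host):
            # Loopback is the proxy container itself: connection refused, 502.
            findings.append((host, "loopback"))
        elif host not in services:
            findings.append((host, "not-a-service"))
        else:
            if not networks_of(services[host]) & networks_of(services[proxy]):
                # No common network: the service name will not resolve.
                findings.append((host, "no-shared-network"))
            if services[host].get("ports"):
                # Published on the host: clients can bypass the proxy.
                findings.append((host, "published-port"))
    return findings


if __name__ == "__main__":
    for conf in (UPSTREAM_CONF, UPSTREAM_CONF.replace("localhost", "keycloak")):
        print(check_upstreams(COMPOSE, conf))
```

Run against the posted files, the `keycloak:8080` form still yields `no-shared-network` and `published-port`, because the `keycloak` service has no `networks:` entry and maps 8080 on the host. With `PROXY_ADDRESS_FORWARDING: 'true'` set, a backend port reachable without going through Nginx also accepts client-supplied `X-Forwarded-*` headers.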

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1