How to get nginx to handle https for keycloak

Question

I'm trying to get Keycloak 3.4.3.Final docker container to work. I'm able to load the container over http, and i'm immediately shown an https required message.

So i've setup a proxy-pass using nginx with the following configuration

events {
  worker_connections  4096;  ## Default: 1024
}

http {
    upstream keycloak-stream {
        server keycloak:8080;
    }

    server {
        listen 443;
        server_name  localhost redacted.com *.redacted.com;
        autoindex off;

        location / {
            proxy_ssl_server_name on;
            proxy_pass https://keycloak-stream;

            proxy_set_header Host               $host;
            proxy_set_header X-Real-IP          $remote_addr;
            proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto  $scheme;
        }

        ssl    on;
        ssl_certificate     /run/secrets/fullchain.pem;
        ssl_certificate_key /run/secrets/privkey.pem;
        ssl_dhparam        /run/secrets/dhparam.pem;
    }
}

I've set the following env:

PROXY_ADDRESS_FORWARDING=true

I seem to be getting the following error:

nginx_1 | 2018/03/27 21:48:30 [error] 7#7: *1 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 172.1.0.1, server: localhost, request: "GET /auth/ HTTP/1.1", upstream: "https://172.1.0.3:8080/auth/", host: "localhost.redacted.com"

What do i need to modify to get keycloak to accept https connection from nginx?

Answer 1

I would focus on the actual error:

ssl3_get_record:wrong version number

That means there is a mismatch in versions in client/server SSL records. So eg a client sends a SSL2 client_hello handshake message and the counterpart is configured only for SSL3/TLS1.