Keycloak 26.2.5 omits port in static resource URLs behind reverse proxy on non-standard HTTPS port

[adibd12]

�� Keycloak 26.2.5 generates frontend resource URLs without port number when behind nginx reverse proxy with non-standard HTTPS port

Problem Description

Keycloak 26.2.5 is generating static resource URLs without the port number when accessed through an nginx reverse proxy on a non-standard HTTPS port (8080), causing Mixed Content errors and blank admin console pages.

Key Issue: While main application URLs work correctly with the port, static resource URLs (CSS, JS, fonts) are generated without the port number.

Environment

• Keycloak Version: 26.2.5 (docker.io/bitnami/keycloak:26.2.5-debian-12-r3)
• Deployment: Kubernetes with Bitnami Helm Chart
• Reverse Proxy: nginx ingress controller
• Access Pattern: https://172.31.112.142:8080 (IP address with port 8080)
• Architecture: nginx (HTTPS:8080) → Keycloak (HTTP:8080)

Expected Behavior

When accessing https://172.31.112.142:8080/, Keycloak should:

1. Generate all frontend resource URLs with the port number: https://172.31.112.142:8080/resources/...
2. Maintain port consistency in redirects and resource loading

Actual Behavior

✅ Working URLs (correctly include port :8080):

• https://172.31.112.142:8080/ → works
• https://172.31.112.142:8080/admin/ → works
• https://172.31.112.142:8080/admin/master/console/ → works

❌ Failing URLs (missing port :8080):

• https://172.31.112.142/resources/60tl/admin/keycloak.v2/assets/main-BF... → ERR_ADDRESS_UNREACHABLE
• https://172.31.112.142/resources/master/admin/en → ERR_ADDRESS_UNREACHABLE
• All CSS, JS, font, and static asset requests → fail without port

Network Trace Evidence

Browser network tab shows:

1. Main navigation requests: Include :8080 port ✅
2. Static resource requests: Missing :8080 port ❌
3. Result: Admin console loads structure but no styling/functionality

Configuration

Keycloak Environment Variables:

extraEnvVars:
  - name: KC_HOSTNAME_URL
    value: "https://172.31.112.142:8080"
  - name: KEYCLOAK_PROXY_HEADERS
    value: "xforwarded"
  - name: KC_HTTP_ENABLED
    value: "true"
  - name: KC_HOSTNAME_STRICT
    value: "false"
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
  - name: KC_PROXY_HEADERS
    value: "xforwarded"
  - name: KC_PROXY
    value: "edge"

nginx Ingress Configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/upstream-vhost: "172.31.112.142:8080"
    nginx.ingress.kubernetes.io/proxy-set-headers: "kube-system/keycloak-proxy-headers"
    nginx.ingress.kubernetes.io/proxy-redirect-from: "https://172.31.112.142"
    nginx.ingress.kubernetes.io/proxy-redirect-to: "https://172.31.112.142:8080"
spec:
  rules:
    - host: ""
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8080

Proxy Headers ConfigMap:

data:
  X-Forwarded-Proto: https
  X-Forwarded-Port: "8080"
  X-Forwarded-For: $proxy_add_x_forwarded_for
  Host: $http_host
  X-Real-IP: $remote_addr

Reproduction Steps

1. Deploy Keycloak 26.2.5 behind nginx reverse proxy on port 8080
2. Configure KC_HOSTNAME_URL=https://172.31.112.142:8080
3. Set PROXY_ADDRESS_FORWARDING=true and proper proxy headers
4. Access https://172.31.112.142:8080/
5. Open browser Network tab
6. Observe: Main URLs work with :8080, but resource URLs fail without port
7. Result: Blank admin console due to failed CSS/JS loading

Technical Analysis

• URL Generation Logic: Main application URLs correctly use KC_HOSTNAME_URL
• Resource URL Generation: Static resources seem to use different logic that ignores the port
• Impact: Renders admin console unusable despite successful authentication

curl Test Evidence

curl -k https://172.31.112.142:8080/ -I
# Returns: location: https://172.31.112.142/admin/  (missing :8080)

Keycloak Log Warning

WARNING: Hostname v1 options [hostname-admin-url, hostname-url, proxy, hostname-strict-https] are still in use, please review your configuration

Question

Is there a separate configuration for static resource URL generation in Keycloak 26.2.5? The KC_HOSTNAME_URL setting appears to work for main application URLs but is ignored for frontend resource generation.

Workaround attempts tried:

• ✅ PROXY_ADDRESS_FORWARDING=true
• ✅ Proper X-Forwarded-* headers
• ✅ KC_HOSTNAME_URL with full URL including port
• ✅ KC_PROXY=edge
• ✅ nginx proxy redirects
• ❌ Still generates resource URLs without port

Impact

This issue makes Keycloak unusable in environments requiring non-standard HTTPS ports when accessed via IP addresses, which is common in:

• Development environments
• Private cloud deployments
• Security-conscious environments using non-standard ports
• Load balancer configurations with port mapping

Requested Solution

Please provide guidance on how to ensure ALL URLs (including static resources) generated by Keycloak include the port number when KC_HOSTNAME_URL contains a port specification.

[shawkins]

The warning is telling you that you have a misconfiguration. You are mixing hostname v2 and v1 options. The v1 options are not being used. Nor is PROXY_ADDRESS_FORWARDING used by the community image.

In particular KC_HOSTNAME_URL is not being used.

Since you have KC_HOSTNAME_STRICT=false and KC_PROXY_HEADERS=xforwarded you should expect that something like curl -k https://172.31.112.142:8080/ -I would give you a redirect with a port - as long as the headers are set correctly. You should try the hostname debug endpoint to validate your setup https://www.keycloak.org/server/hostname#_troubleshooting