Reverse proxy from NGINX to Keycloak with 2FA

Joncheski nginx-forum at
Mon Apr 23 08:43:26 UTC 2018

Hello all,

I have a problem with NGINX. In addition, I will provide you with a
configuration file and a picture of the architecture schema ( ).

I want to access Keycloak via nginx and log in to it. I use it for
identity management, where I have a login with a username and password and a
certificate that I check, that is, 2FA. My problem is that
when I access the browser through NGINX, I do not get a popup to submit my
user certificate, but go on to the second step to enter a username and
password, and after that Keycloak tells me I'm missing a certificate.

Something I've tried and worked on is adding these things to the
configuration file: proxy_ssl_certificate and proxy_ssl_certificate_key will
pass it on, but only for one user. For example, if proxy_ssl_certificate and
proxy_ssl_certificate_key are a certificate and a key from the user
joncheski, logging in to Keycloak with the user joncheski will pass
successfully. But if I want to log in with another user, it will not pass,
because the certificate and the username are not equal.
I need your help. How can I set this up to work for more users?


user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        # TLS from nginx to the upstream (proxy_ssl_*)
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;

        # TLS from the browser to nginx (ssl_*)
        ssl_prefer_server_ciphers on;
        ssl_certificate /etc/nginx/certs/server/SERVER.crt;
        ssl_certificate_key /etc/nginx/certs/server/SERVER.key;
        ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;

        location '/auth' {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            # the rest of this block is missing from the post
        }
    }
}


Best regards,
Goce Joncheski

Posted at Nginx Forum:,279549,279549#msg-279549

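An added example, not part of the original post and not configuration published by nginx or Keycloak: a server block in which nginx itself requests and verifies each browser's certificate and forwards it to the backend in a request header, so that proxy_ssl_certificate is no longer tied to one user. The upstream address, the header name ssl-client-cert, the PROXY.crt/PROXY.key paths, and a backend set up to read the user certificate from that header are assumptions; the CA and server certificate paths are the ones from the post.

```nginx
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    ssl_certificate     /etc/nginx/certs/server/SERVER.crt;
    ssl_certificate_key /etc/nginx/certs/server/SERVER.key;

    # Browser -> nginx: these two directives make nginx ask for a client
    # certificate. ssl_trusted_certificate alone never triggers the request,
    # which is why the browser shows no certificate prompt.
    ssl_client_certificate /etc/nginx/certs/ca/ROOT-CA.crt;
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    location /auth {
        # Fail closed: only requests with a certificate that chained to the
        # CA above reach the backend ($ssl_client_verify is NONE otherwise).
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Per-user certificate, URL-encoded PEM. proxy_set_header replaces
        # any header of the same name sent by the client, so it cannot be
        # spoofed through this proxy. Header name is an assumption.
        proxy_set_header ssl-client-cert $ssl_client_escaped_cert;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;

        # nginx -> backend: proxy_ssl_certificate is the proxy's own
        # identity, the same for every request. Pointing it at one user's
        # certificate makes every login look like that user.
        proxy_ssl_certificate         /etc/nginx/certs/proxy/PROXY.crt;  # hypothetical path
        proxy_ssl_certificate_key     /etc/nginx/certs/proxy/PROXY.key;  # hypothetical path
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;

        proxy_pass https://keycloak.example.internal:8443;  # placeholder upstream
    }
}
```

The backend should accept the forwarded-certificate header only on connections from this proxy, for example by requiring the proxy's certificate or restricting the listener to the proxy's address.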