Reverse proxy from NGINX to Keycloak with 2FA

Francis Daly francis at
Mon Apr 30 22:35:48 UTC 2018

On Mon, Apr 23, 2018 at 04:43:26AM -0400, Joncheski wrote:

Hi there,

> I have a problem with NGINX. In addition, I will provide you with a
> configuration file and a picture of the architecture schema (
> ).
> I want to access Keycloak via nginx and log in to it. I use it as an
> Identity Management where I have a login with a username and password and a
> certificate where I check the certificate, that is 2FA. My problem is that
> when I access the browser through NGINX, I do not get popup to submit my
> user certificate, but then go to the second step to enter a username and
> password, but after that, Keycloak tells me I'm missing a certificate.

As I understand it, Keycloak receives a user/pass combination, and wants
to receive a SSL certificate, and wants to know that the client knows
the private key that matches the certificate.

There are two ways that Keycloak (or anything) can know that the client
knows the matching private key:

* the client can talk SSL directly to Keycloak
* something that Keycloak trusts can tell it that the client knows the
matching private key

If you can configure Keycloak to believe nginx when nginx says that
the client knows the private key to *this* certificate, then you
can use nginx's ssl_verify_client directive with the optional_no_ca
argument. (

If you cannot configure Keycloak to believe that, then you will probably
have to change your design so that the client "does" SSL directly with
Keycloak - perhaps by removing nginx from the loop, or perhaps by using
nginx as a tcp port forwarder ("stream"). That would have other effects
on the overall architecture.

Francis Daly        francis at

More information about the nginx mailing list