
RAGFlow + Keycloak: Production-Grade HTTPS Integration

Below is a deployable, production-grade HTTPS integration scheme for RAGFlow + Keycloak, broken down step by step in the order "correct architecture → Nginx → Keycloak → RAGFlow → Keycloak client → traps → verification".


I. Standard enterprise architecture (get this right first)

Recommended layout:

Browser
   ↓ HTTPS (443)
Nginx (TLS termination, the only listener exposed to clients)
   ↓ HTTP, internal network only
RAGFlow (9380)
Keycloak (8081 on the host, mapped to the container's 8080)
PostgreSQL
II. Core principles (avoid the trap you are in now)

Three things must be consistent:

✔ 1. Everything external is HTTPS

✔ 2. Everything internal is plain HTTP

✔ 3. Keycloak must trust the X-Forwarded-* headers that Nginx sets


III. Step 1: prepare HTTPS (Nginx)

1. Generate a certificate (test environment only; in production use a certificate issued by your CA or an ACME provider)

mkdir -p /etc/nginx/ssl

openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout /etc/nginx/ssl/key.pem \
  -out /etc/nginx/ssl/cert.pem \
  -subj "/CN=192.168.4.16" \
  -addext "subjectAltName=IP:192.168.4.16"

The -addext line (OpenSSL 1.1.1 or newer) adds a subjectAltName: modern browsers ignore the CN and reject a certificate whose SAN does not contain the address being connected to. Note also that the RAGFlow backend talks to the issuer URL over HTTPS as well (discovery, token exchange), so the RAGFlow container must trust this certificate, typically by adding cert.pem to its CA bundle; otherwise the login fails with a certificate verification error even though the browser side works.

2. Nginx HTTPS configuration (core)

server {
    listen 80;
    server_name 192.168.4.16;
    # Never serve the application over plain HTTP: send everything to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name 192.168.4.16;

    ssl_certificate     /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # =========================
    # RAGFlow front end
    # =========================
    root /ragflow/web/dist;

    location / {
        try_files $uri $uri/ /index.html;
    }

    # =========================
    # RAGFlow API
    # =========================
    # proxy.conf is this site's shared proxy snippet (not shown on this page);
    # it is expected to set Host, X-Real-IP and X-Forwarded-For for the upstream.
    location ^~ /api/ {
        proxy_pass http://127.0.0.1:9380;
        include proxy.conf;

        # This block only exists on the 443 listener, so the scheme is always https
        proxy_set_header X-Forwarded-Proto https;
    }

    location ^~ /v1/ {
        proxy_pass http://127.0.0.1:9380;
        include proxy.conf;

        proxy_set_header X-Forwarded-Proto https;
    }

    # Longest prefix wins, so this takes precedence over ^~ /api/ for the admin API
    location ^~ /api/v1/admin {
        proxy_pass http://127.0.0.1:9381;
        include proxy.conf;
    }

    # =========================
    # Keycloak reverse proxy (the important part)
    # =========================
    location /auth/ {
        # The trailing slash strips the /auth prefix: Keycloak receives /realms/...
        # and therefore must be told its external path (KC_HOSTNAME_PATH=/auth) so
        # that the URLs it generates (issuer, endpoints, login redirects) keep /auth.
        proxy_pass http://127.0.0.1:8081/;

        # Keycloak rebuilds its public URL from these headers (KC_PROXY_HEADERS=xforwarded).
        # Get any of them wrong and the issuer comes back as http:// or with port 8081.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port  443;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;

        # Keycloak responses carry large headers and cookies; raise these if the
        # error log shows "upstream sent too big header".
        proxy_buffer_size 128k;
        proxy_buffers     4 256k;
    }
}

IV. Step 2: correct Keycloak HTTPS configuration (key)

Your docker-compose service:

keycloak:
  image: quay.io/keycloak/keycloak:24.0
  # start-dev is for a local test only (permissive defaults, no caching);
  # a production deployment runs in production mode with `start`
  command: start

  environment:
    # Initial admin account. Change the password and inject it through a
    # secret or an untracked env file; do not commit it next to the config.
    KEYCLOAK_ADMIN: admin
    KEYCLOAK_ADMIN_PASSWORD: admin123

    KC_DB: postgres
    KC_DB_URL_HOST: postgres
    KC_DB_URL_DATABASE: keycloak
    KC_DB_USERNAME: keycloak
    KC_DB_PASSWORD: keycloak123

    # =========================
    # Core HTTPS / proxy settings
    # =========================
    # Trust the X-Forwarded-* headers Nginx sets. KC_PROXY=edge is the older
    # spelling (deprecated since Keycloak 24); KC_PROXY_HEADERS is the current
    # option, and setting both is harmless on 24.
    KC_PROXY: edge
    KC_PROXY_HEADERS: xforwarded

    # Plain HTTP is spoken only on the internal side (Nginx -> Keycloak)
    KC_HTTP_ENABLED: "true"

    # The public URL Keycloak advertises: https://192.168.4.16/auth/...
    KC_HOSTNAME: 192.168.4.16
    KC_HOSTNAME_PORT: 443
    # Nginx forwards /auth/ to Keycloak's root, so declare the external path here
    KC_HOSTNAME_PATH: /auth
    KC_HOSTNAME_STRICT: "false"
    KC_HOSTNAME_STRICT_HTTPS: "false"

  ports:
    # Bind to loopback so only Nginx on this host can reach the HTTP listener
    - "127.0.0.1:8081:8080"

Alternative to KC_HOSTNAME_PATH: keep Keycloak's own context path by setting KC_HTTP_RELATIVE_PATH: /auth and changing the Nginx proxy_pass to http://127.0.0.1:8081 (no trailing slash) so the /auth prefix is passed through unchanged. Use one approach or the other, not both.

V. Step 3: RAGFlow OIDC configuration

service_conf.yaml.template

oauth:
  oidc:
    display_name: "SSO Login"
    client_id: "ragflow"
    # Copy from the Keycloak client's Credentials tab; keep it out of version control
    client_secret: "xxx"

    # Must match, byte for byte, the "issuer" field Keycloak publishes at
    # <issuer>/.well-known/openid-configuration (scheme, host, port, /auth path, realm)
    issuer: "https://192.168.4.16/auth/realms/shuncom"

    scope: "openid email profile"

    # The public HTTPS callback; register exactly this value in the Keycloak client
    redirect_uri: "https://192.168.4.16/api/v1/auth/login/oidc"

VI. Step 4: Keycloak client configuration (key)

In the Keycloak admin console, for client "ragflow" in realm "shuncom":

✔ Valid Redirect URIs (required)

https://192.168.4.16/api/v1/auth/login/oidc

Register the exact callback. A wildcard such as https://192.168.4.16/* also works and is tempting while debugging, but it allows the authorization code to be delivered to any path on the host, so do not use it in production.

✔ Web Origins

https://192.168.4.16

✔ Client authentication

ON (older admin consoles called this Access Type = confidential). Copy the generated secret into client_secret in service_conf.yaml.template.

✔ Standard flow

ON. Leave Implicit flow and Direct access grants off unless something actually needs them.

VII. Step 5: traps you must avoid (very important)

❗ Trap 1: never mix HTTP and HTTPS

Everything a browser or RAGFlow sees must be https://192.168.4.16/...: the RAGFlow issuer and redirect_uri, the Keycloak client's redirect URIs and web origins, and the URLs Keycloak itself generates. Plain HTTP exists only between Nginx and the containers.

❗ Trap 2: Keycloak must trust X-Forwarded-Proto

Without KC_PROXY_HEADERS=xforwarded (and Nginx actually sending X-Forwarded-Proto: https), Keycloak believes it is serving plain HTTP: it publishes an http:// issuer and redirects the browser to http:// login pages, and the OIDC client then rejects tokens whose iss does not match the configured https issuer.

❗ Trap 3: redirect_uri must be HTTPS

The redirect_uri in service_conf.yaml.template and the Valid Redirect URIs entry in Keycloak must be identical and start with https://; any difference produces Keycloak's "Invalid parameter: redirect_uri" error.

VIII. Step 6: verification

1. Test HTTPS

curl -kI https://192.168.4.16

Expect HTTP 200 from the RAGFlow front end (-k only because the certificate is self-signed); a request to http://192.168.4.16 should answer 301 to the https URL.

2. Test Keycloak

https://192.168.4.16/auth

Open it in a browser: the admin console must load under https://192.168.4.16/auth/... without redirecting to port 8081 or to http://. Then open the realm's discovery document at https://192.168.4.16/auth/realms/shuncom/.well-known/openid-configuration and check that "issuer" is exactly https://192.168.4.16/auth/realms/shuncom and that every endpoint URL starts with that issuer.

3. Test OIDC

Log in at:

https://192.168.4.16

Click "SSO Login", authenticate at Keycloak, and confirm you land back in RAGFlow and stay logged in (no redirect loop back to the login page).
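The discovery-document and redirect_uri checks from steps 5 and 6 can be automated. The script below is an added example, not code from RAGFlow or Keycloak: it takes the issuer and redirect_uri from service_conf.yaml.template above, embeds two constructed discovery documents (one correct, one showing the symptom of Keycloak not trusting X-Forwarded-Proto/Port and not knowing its /auth path), and can optionally fetch the live document with --live.

```python
"""Consistency checks for the RAGFlow <-> Keycloak OIDC wiring.
Added example, not RAGFlow or Keycloak code. Host, realm and paths are the
tutorial's; the two discovery documents below are constructed, not captured."""
import json
import ssl
import sys
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Values from service_conf.yaml.template
ISSUER = "https://192.168.4.16/auth/realms/shuncom"
REDIRECT_URI = "https://192.168.4.16/api/v1/auth/login/oidc"

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri", "end_session_endpoint")

# Constructed: what a correctly proxied Keycloak publishes
GOOD_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": ISSUER + "/protocol/openid-connect/userinfo",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
}

# Constructed: the symptom of Keycloak not trusting X-Forwarded-Proto/Port and
# not knowing its external /auth path (http scheme, internal port, no prefix)
BAD_DOC = {
    "issuer": "http://192.168.4.16:8081/realms/shuncom",
    "authorization_endpoint": "http://192.168.4.16:8081/realms/shuncom/protocol/openid-connect/auth",
    "token_endpoint": "http://192.168.4.16:8081/realms/shuncom/protocol/openid-connect/token",
}


def check_discovery(doc: Dict[str, str], expected_issuer: str) -> List[str]:
    """Return every way `doc` disagrees with the public issuer URL (empty list = OK)."""
    problems = []
    exp = urlsplit(expected_issuer)
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{key} not https: {url}")
        if parts.netloc != exp.netloc:
            problems.append(f"{key} host/port differs from issuer: {parts.netloc}")
        if not parts.path.startswith(exp.path + "/"):
            problems.append(f"{key} outside issuer path {exp.path}: {url}")
    return problems


def check_redirect_uri(redirect_uri: str, registered: List[str]) -> List[str]:
    """Compare RAGFlow's redirect_uri with the Keycloak client's Valid Redirect URIs."""
    problems = []
    if urlsplit(redirect_uri).scheme != "https":
        problems.append(f"redirect_uri not https: {redirect_uri}")
    if redirect_uri not in registered:
        problems.append(f"redirect_uri not registered exactly: {redirect_uri}")
    for entry in registered:
        if entry.endswith("*"):
            problems.append(f"wildcard redirect URI registered: {entry}")
    return problems


def fetch_discovery(issuer: str, cafile: Optional[str] = None) -> Dict[str, str]:
    """Fetch the live document; pass cafile=/etc/nginx/ssl/cert.pem for the self-signed cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = issuer + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


def report(label: str, problems: List[str]) -> None:
    print(f"[{label}] " + ("OK" if not problems else "\n  - ".join(["PROBLEMS:"] + problems)))


if __name__ == "__main__":
    report("good discovery", check_discovery(GOOD_DOC, ISSUER))
    report("bad discovery", check_discovery(BAD_DOC, ISSUER))
    report("exact redirect", check_redirect_uri(REDIRECT_URI, [REDIRECT_URI]))
    report("wildcard redirect", check_redirect_uri(REDIRECT_URI, ["https://192.168.4.16/*"]))
    if "--live" in sys.argv:  # e.g. python check_oidc.py --live /etc/nginx/ssl/cert.pem
        idx = sys.argv.index("--live")
        cafile = sys.argv[idx + 1] if len(sys.argv) > idx + 1 else None
        report("live discovery", check_discovery(fetch_discovery(ISSUER, cafile), ISSUER))
```

Run it without arguments to see the constructed good and bad cases; with --live and the path to cert.pem it fetches the real discovery document through Nginx, which is exactly the request RAGFlow's backend makes, so a TLS or issuer problem surfaces here before you touch the browser.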

IX. The essence of your current problem

All of your earlier problems came from one thing:

❌ Keycloak and Nginx did not agree on the HTTPS scheme (X-Forwarded-Proto wrong or not trusted), so Keycloak generated http:// URLs behind an https:// front door


X. Enterprise-grade stable architecture (recommended final form)

Nginx (HTTPS, the only component exposed)
   ↓
Keycloak (HTTP, internal network only)
   ↓
RAGFlow (HTTP, internal network only)

XI. If you want to do it all in one go (strongly recommended)

I can upgrade this directly to:

✔ A complete enterprise-grade SSO production architecture

Including:

  • Standard HTTPS + Nginx configuration

  • A complete Keycloak OIDC fix

  • RAGFlow login without redirect loops

  • Automatic AD/LDAP synchronization

  • Role mapping

  • Multi-domain SSO


Just say:

"Build the final enterprise-grade SSO production architecture"

and I will give you a complete set of configuration you can put straight into production (avoiding all the traps you are hitting now).