For a couple of days I've been trying to set up my application on Docker using an Nginx reverse proxy, but no luck. I am getting no login page, just errors in the browser when entering localhost or localhost:44411 (my UI port).

I'm running IdentityServer behind an Nginx reverse proxy in a Docker setup and encountering multiple issues with URL routing and discovery document endpoints.

Setup

  • IdentityServer: Running on container port 5001 at https://identityserver:5001
  • Nginx: Reverse proxy routing /identityserver/* requests to the IdentityServer container
  • Frontend: Angular app consuming IdentityServer for authentication
  • Expected URL structure: https://localhost/identityserver/...

Issues Encountered

1. JWKS endpoint returns 404

Error in browser console:

GET https://localhost/.well-known/openid-configuration/jwks 404 (Not Found)
error loading jwks

Discovery document (https://localhost/identityserver/.well-known/openid-configuration) returns:

{
  "issuer": "https://localhost/identityserver",
  "jwks_uri": "https://localhost/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "https://localhost/connect/authorize",
  // ... other endpoints
}

Problem: The jwks_uri is missing the /identityserver path prefix, but other endpoints are also missing it.

2. Issuer validation errors

Error:

invalid issuer in discovery document 
expected: https://localhost/identityserver/ 
current: https://localhost/identityserver

Problem: Trailing slash mismatch between expected and actual issuer values.

3. Infinite redirect loops

When trying to fix the path issues with app.UsePathBase("/identityserver"), I get infinite redirect loops.

Current Configuration

Nginx Configuration

upstream identityserver {
    server identityserver-1:5001;
}

server {
    listen 443 ssl;
    server_name localhost;

    # IdentityServer
    location /identityserver/ {
        proxy_pass https://identityserver/;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host $host;
    }

    location /identityserver {
        return 301 /identityserver/;
    }

    # Temporary workaround for JWKS
    location /.well-known/openid-configuration/jwks {
        proxy_pass https://identityserver/.well-known/openid-configuration/jwks;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host $host;
    }
}

IdentityServer Configuration

builder.Services
    .AddIdentityServer(options =>
    {
        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseInformationEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseSuccessEvents = true;
        options.EmitStaticAudienceClaim = true;
        options.IssuerUri = "https://localhost/identityserver/";
    })

// This causes infinite loops:
app.UsePathBase("/identityserver");

JSON Configuration

{
  "IdentityServer": {
    "PublicOrigin": "https://localhost/identityserver/",
    "IssuerUri": "https://localhost/identityserver/",
    "Clients": [
      {
        "ClientId": "MyApp",
        "RedirectUris": [
          "https://localhost/auth-callback",
          "https://localhost/silent-refresh.html"
        ],
        "PostLogoutRedirectUris": [
          "https://localhost/"
        ],
        "AllowedCorsOrigins": [
          "https://localhost"
        ]
      }
    ]
  }
}

Questions

  1. How do I configure IdentityServer to generate correct URLs in the discovery document when it's behind a reverse proxy at a subpath (/identityserver)?

  2. What's the proper way to handle the path prefix without causing infinite redirects? Should I use UsePathBase, forwarded headers, or a different approach?

  3. How should I configure the trailing slash consistency between the issuer URI, discovery document, and client expectations?

  4. Is there a standard pattern for running IdentityServer behind Nginx at a subpath that handles all these URL generation issues correctly?

What I've Tried

  • Adding UsePathBase("/identityserver") - causes infinite redirects
  • Configuring forwarded headers - didn't resolve URL generation
  • Various nginx proxy_pass configurations with/without trailing slashes
  • Temporary nginx location blocks to handle incorrect URLs

The system works when accessed directly at https://localhost:5001, but fails when going through the reverse proxy at https://localhost/identityserver.

Any guidance on the proper configuration pattern would be greatly appreciated!

EDIT: Tried also this part in Program.cs of my IdentityServer:

var app = builder
    .ConfigureServices()
    .ConfigurePipeline();
app.UsePathBase("/identityserver");
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost
});
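
Added example, not part of the original question: a Python check modelled on the validation an OIDC client applies to a discovery document, run against the document quoted above. The name `check_discovery` and the rule that every endpoint must sit under the issuer's path prefix are assumptions chosen for this sub-path deployment; the sample document is constructed from the values in the post.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed from the discovery document quoted in the question.
SAMPLE_DOC = {
    "issuer": "https://localhost/identityserver",
    "jwks_uri": "https://localhost/.well-known/openid-configuration/jwks",
    "authorization_endpoint": "https://localhost/connect/authorize",
}


def check_discovery(discovery_url, doc, configured_issuer):
    """Return a list of (field, problem) findings for a discovery document."""
    findings = []
    issuer = doc.get("issuer", "")

    # Clients compare the issuer as an exact string, so a trailing slash matters.
    if issuer != configured_issuer:
        kind = ("trailing-slash mismatch"
                if issuer.rstrip("/") == configured_issuer.rstrip("/")
                else "issuer mismatch")
        findings.append(("issuer", f"{kind}: expected {configured_issuer!r}, got {issuer!r}"))

    # OIDC Discovery: the document lives at <issuer>/.well-known/openid-configuration,
    # with any terminating slash removed from the issuer first.
    if discovery_url != issuer.rstrip("/") + WELL_KNOWN:
        findings.append(("issuer", "document was not fetched from the issuer's well-known URL"))

    # Deployment check (assumption): behind a sub-path proxy every endpoint
    # should keep the issuer's origin and path prefix.
    base = urlsplit(issuer)
    prefix = base.path.rstrip("/") + "/"
    for field, value in doc.items():
        if field == "issuer" or not isinstance(value, str) or "://" not in value:
            continue
        url = urlsplit(value)
        if (url.scheme, url.netloc) != (base.scheme, base.netloc):
            findings.append((field, f"origin differs from issuer: {value}"))
        elif not url.path.startswith(prefix):
            findings.append((field, f"missing path prefix {prefix!r}: {value}"))
    return findings


if __name__ == "__main__":
    url = "https://localhost/identityserver/.well-known/openid-configuration"
    for field, problem in check_discovery(url, SAMPLE_DOC, "https://localhost/identityserver/"):
        print(f"{field}: {problem}")
```

Running the same check against the proxied URL after each configuration change shows whether the issuer string and every advertised endpoint agree before the Angular client is involved.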