Getting POST error from Keycloak, attemping an HTTPS connection on LAN IP when it shouldn't be.

[BugZappa]

Hey y'all, long story short i recently broke the partition table to my Debian 12 machine and had to accomplish 4 months of work in 5ish hours, which sucked, but i digress.

After re-setting up Keycloak and Traefik OIDC Auth plugin i got it all working once again however, i'm running into HTTP related errors on occasion along the lines of:

2025-07-12 05:35:55 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://kc.my.domain/realms/restricted-realm/protocol/openid-connect/auth
2025-07-12 05:35:55 [INFO] [traefik-oidc-auth] Getting OIDC discovery document...
2025-07-12 05:35:55 [ERROR] [traefik-oidc-auth] http-get discovery endpoints - Err: Get "https://kc.my.domain/realms/restricted-realm/.well-known/openid-configuration": dial tcp 192.168.1.199:443: connect: connection refused
2025-07-12 05:35:55 [ERROR] [traefik-oidc-auth] Error while retrieving discovery document: HTTP GET error
2025-07-12 05:35:55 [ERROR] [traefik-oidc-auth] Error getting oidc discovery: HTTP GET error
2025-07-12 05:35:55 [INFO] [traefik-oidc-auth] Getting OIDC discovery document...
2025-07-12 05:35:55 [ERROR] [traefik-oidc-auth] http-get discovery endpoints - Err: Get "https://kc.my.domain/realms/restricted-realm/.well-known/openid-configuration": dial tcp 192.168.1.199:443: connect: connection refused
2025-07-12 05:35:55 [ERROR] [traefik-oidc-auth] Error while retrieving discovery document: HTTP GET error
2025-07-12 05:35:55 [ERROR] [traefik-oidc-auth] Error getting oidc discovery: HTTP GET error
2025-07-12 05:36:07 [DEBUG] [traefik-oidc-auth] A session is present for the request and will be used.

port 443:443 is not open on 192.168.1.199 and i can't figure out why the plugin is making this call? I've gone through my traefik.yml, docker-compose.yml and openid.yml which contains the middleware. I'm kinda stumped here and would appreciate if someone could provide some insight into this error.

my traefik.yml

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: true
  # swarm:
  #   endpoint: "tcp://127.0.0.1:2377"
  redis:
    endpoints:
      # assumes a redis link with this service name running on the same
      # docker host as traefik
      - "redis:6379"
  file:
    directory: /custom
    #asus: /asus.yml
    #homebridge: /homebridge.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: my@email.com
      storage: acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        delayBeforeCheck: 10s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted 
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
experimental:
    plugins:
        themepark:
            moduleName: "github.com/packruler/traefik-themepark"
            version: "v1.2.2"
        fail2ban:
          moduleName: "github.com/tomMoulard/fail2ban"
          version: "v0.8.3"
        realip:
          moduleName: github.com/Desuuuu/traefik-real-ip-plugin
          version: v1.1.0
        crowdsec-bouncer:
          moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
          version: "v1.4.2"
        geoblock:
          moduleName: "github.com/PascalMinder/geoblock"
          version: "v0.3.3"
        traefik-oidc-auth:
          moduleName: "github.com/sevensolutions/traefik-oidc-auth"
          version: "v0.13.0"
log:
  level: INFO

snippet of my docker-compose.yml

services:
  homepage:
    image: ghcr.io/gethomepage/homepage:nightly
    hostname: homepage
    container_name: homepage
    networks:
      main:
        ipv4_address: 172.18.0.33
    environment:
      PUID: 0 # optional, your user id
      PGID: 0 # optional, your group id
      HOMEPAGE_ALLOWED_HOSTS: my.domain,*
    ports:
      - '3000:3000'
    volumes:
      - ./config/homepage:/app/config # Make sure your local config directory exists
      - /var/run/docker.sock:/var/run/docker.sock #:ro # optional, for docker integrations
      - /home/user/Pictures:/app/public/icons
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homepage.rule=Host(`my.domain`)"
      - "traefik.http.routers.homepage.entrypoints=https"
      - "traefik.http.routers.homepage.tls=true"
      - "traefik.http.services.homepage.loadbalancer.server.port=3000"
      - "traefik.http.routers.homepage.middlewares=fail2ban@file"
      - "traefik.http.routers.homepage.tls.certresolver=le"
      # - "traefik.http.routers.freshrss.middlewares=traefik-oidc-auth@file"
      - "traefik.http.routers.homepage.middlewares=geoblock@file"
      - "kop.fressrss.bind.ip=192.168.1.199"
      # - "traefik.http.routers.homepage.tls.certresolver=cloudlare"
      #- "traefik.http.services.homepage.loadbalancer.server.port=3000"
      #- "traefik.http.middlewares.homepage.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 172.18.0.0/16, 208.118.140.130"
      #- "traefik.http.middlewares.homepage.ipwhitelist.ipstrategy.depth=2"

  traefik-kop:
    image: "ghcr.io/jittering/traefik-kop:latest"
    container_name: traefik-kop
    hostname: traefik-kop
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - "REDIS_ADDR=192.168.1.14:6379"
      - "BIND_IP=192.168.1.199"
    networks:
      main:
        ipv4_address: 172.18.0.29

  keycloak:
    container_name: keycloak
    hostname: keycloak
    image: quay.io/keycloak/keycloak:26.3.0
    environment:
      KC_HOSTNAME: https://kc.my.domain
      KC_HTTP_ENABLED: "true"
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgresql-kc:5432/$POSTGRES_DB?ssl=allow
      KC_DB_USERNAME: admin
      KC_DB_PASSWORD: password
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: password
    networks:
      main:
        ipv4_address: 172.18.0.30
    ports:
      - 6732:8080
      #- 8443:8443
    labels:
       - "traefik.enable=true"
       - "traefik.http.routers.keycloak.rule=Host(`kc.my.domain`)"
       - "traefik.http.routers.keycloak.entrypoints=https"
       - "traefik.http.routers.keycloak.tls=true"
       - "traefik.http.services.keycloak.loadbalancer.server.port=6732"
       - "traefik.http.routers.keycloak.middlewares=fail2ban@file"
       - "traefik.http.routers.keycloak.tls.certresolver=le"
       - "kop.keycloak.bind.ip=192.168.1.199"
    command:
      - start
    depends_on:
        - postgresql-kc

I would like to note here that i host my Traefik instance on a separate machine hence the traefik-kop instance and --kop.service-name.bind.ip= label, this should have no effect on the Traefik OIDC plugin an Keycloak, it's simply passing container information over to the other machine which hosts Traefik.

Docker-compose.yml containing my Traefik container

  traefik:
    image: traefik:v3.2
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      main:
        # ipv4_address: 172.18.0.3
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - target: 80
        published: 55262
        mode: host
      # Listen on port 443, default for HTTPS
      - target: 443
        published: 57442
        mode: host
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      # CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik/traefik.yml:/traefik.yml:ro
      - ./config/traefik/acme.json:/acme.json
      # - ./opt:/opt
      #- ./config/traefik/config.yml:/config.yml:ro
      - ./config/traefik/custom-yml:/custom
      # - ./config/traefik/homebridge.yml:/homebridge.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.my.domain`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.my.domain`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=my.domain"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.my.domain"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=fail2ban@file"
      - "traefik.http.routers.traefik.middlewares=geoblock@file"
      - "traefik.http.routers.traefik-secure.middlewares=fail2ban@file"
      - "traefik.http.routers.traefik-secure.middlewares=geoblock@file"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-oidc-auth@file"
      - "traefik.http.routers.traefik-https-redirect.middlewares=fail2ban@file"
      - "traefik.http.routers.traefik-https-redirect.middlewares=geoblock@file"

openid.yml containing the Traefik OIDC Auth middleware

http:
    middlewares:
        traefik-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: Traefik
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email
        homepage-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: Homepage
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email
        asus-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: Asus
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email
        portainer-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: portainer
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email
        homepage-css-editor-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: Homepage-Editor
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email
        theme-park-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: Theme-Park
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email
        pihole-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: PiHole
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email
        pihole-bak-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: PiHole-bak
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email
        proxmox-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: Proxmox
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email
        homebridge-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: Homebridge
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email
        vscodium-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: VSCodium
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email
        glances-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: Glances
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email
        whoami-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: WhoAmI
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email
        jaeger-oidc-auth:
            plugin:
                traefik-oidc-auth:
                    Provider:
                        ClientId: Jaeger
                        ClientSecret: secret
                        Url: https://kc.my.domain/realms/restricted-realm
                        UsePkce: false
                    Scopes:
                        - openid
                        - profile
                        - email