Deployment: Add simple standalone example with reverse proxy

thomasdarimont · Nov 24, 2023 · 2d1da30 · 2d1da30
1 parent b88570b
commit 2d1da30
Show file tree

Hide file tree

Showing 7 changed files with 186 additions and 0 deletions.
diff --git a/deployments/local/standalone/docker-compose.yml b/deployments/local/standalone/docker-compose.yml
@@ -0,0 +1,86 @@
+services:
+
+  database:
+    image: docker.io/postgres:15
+    environment:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: passw0rd
+    ports:
+      - 25432:5432
+    volumes:
+      - keycloak-db-data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U keycloak"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  keycloak:
+    build:
+      dockerfile: ./keycloak/Dockerfile
+    command: start-dev
+    env_file: .env
+    environment:
+      DEBUG: 'true'
+      DEBUG_PORT: '*:8787'
+
+      # Keycloak DB
+      KC_DB: postgres
+      KC_DB_URL_HOST: database
+      KC_DB_URL_PORT: '5432'
+      KC_DB_URL_DATABASE: keycloak
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: passw0rd
+
+      KC_LOG_LEVEL: INFO,com.acme.iam.keycloak:debug
+
+      KC_FEATURES: preview
+
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+
+      KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/conf/certs/cert.pem
+      KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/conf/certs/cert-key.pem
+
+      KC_HOSTNAME: id.acme.test
+      KC_PROXY: edge
+
+    ports:
+      - "8080:8080"
+      - "8443:8443"
+      - "8787:8787"
+    volumes:
+      - ./keycloak/providers:/opt/keycloak/providers
+      - ./keycloak/themes:/opt/keycloak/themes
+      - ./keycloak/conf/keycloak.conf:/opt/keycloak/conf/keycloak.conf
+      - ./keycloak/conf/quarkus.properties:/opt/keycloak/conf/quarkus.properties
+      - ./config/certs/keycloak-cert.pem:/opt/keycloak/conf/certs/cert.pem
+      - ./config/certs/keycloak-cert-key.pem:/opt/keycloak/conf/certs/cert-key.pem
+
+  proxy:
+    image: nginx:alpine
+    volumes:
+      - ./proxy/nginx.conf:/etc/nginx/conf.d/default.conf
+      - ./config/certs/acme.test-cert.pem:/etc/tls/cert.pem
+      - ./config/certs/acme.test-cert-key.pem:/etc/tls/cert-key.pem
+      - ./config/certs/rootCA.pem:/etc/tls/rootCA.pem
+    ports:
+      - "443:443"
+    depends_on:
+      - keycloak
+
+  mailserver:
+    # Web Interface: http://localhost:1080/#
+    # Web API: http://localhost:1080/api/v2/messages
+    image: mailhog/mailhog:v1.0.1@sha256:8d76a3d4ffa32a3661311944007a415332c4bb855657f4f6c57996405c009bea
+    logging:
+      driver: none
+    # Disable mailhog logging, see: https://github.com/mailhog/MailHog/issues/56
+    entrypoint: [ "/bin/sh", "-c", "MailHog &>/dev/null" ]
+    ports:
+      - "1080:8025"
+      - "1025:1025"
+
+volumes:
+  keycloak-db-data:
+    name: keycloak-db-data
diff --git a/deployments/local/standalone/keycloak/Dockerfile b/deployments/local/standalone/keycloak/Dockerfile
@@ -0,0 +1,7 @@
+#see https://www.keycloak.org/server/containers
+ARG KEYCLOAK_VERSION=22.0.5
+FROM quay.io/keycloak/keycloak:$KEYCLOAK_VERSION
+
+USER root
+
+USER keycloak
diff --git a/deployments/local/standalone/keycloak/conf/keycloak.conf b/deployments/local/standalone/keycloak/conf/keycloak.conf
@@ -0,0 +1,2 @@
+spi-events-listener-jboss-logging-success-level=info
+spi-events-listener-jboss-logging-error-level=warn
diff --git a/deployments/local/standalone/keycloak/conf/quarkus.properties b/deployments/local/standalone/keycloak/conf/quarkus.properties
diff --git a/deployments/local/standalone/proxy/nginx.conf b/deployments/local/standalone/proxy/nginx.conf
@@ -0,0 +1,76 @@
+
+error_log stdout info;
+access_log stdout;
+
+# Disable server name header
+server_tokens off;
+
+server {
+    listen                443 ssl;
+    server_name           id.acme.test;
+
+# generated via https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6
+    ssl_certificate       /etc/tls/cert.pem;
+    ssl_certificate_key   /etc/tls/cert-key.pem;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+#    ssl_dhparam /etc/ssl/dhparams;
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    # OCSP stapling
+#    ssl_stapling on;
+#    ssl_stapling_verify on;
+
+    # replace with the IP address of your resolver
+    # resolver 127.0.0.1;
+
+    location / {
+
+        location = /robots.txt {
+          allow all;
+          log_not_found off;
+          access_log off;
+        }
+
+        if ( $request_uri ~* ^.+\. ) {
+          access_log off;
+        }
+
+#         if ( $request_uri ~ ^/(admin) ) {
+#             return 403;
+#         }
+
+        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header    X-Forwarded-Proto  $scheme;
+        proxy_set_header    X-Forwarded-Host   $host;
+        proxy_set_header    X-Forwarded-Port   $server_port;
+
+        proxy_pass              https://keycloak;
+        proxy_connect_timeout   2s;
+
+        proxy_ssl_trusted_certificate /etc/tls/rootCA.pem;
+        proxy_ssl_verify              on;
+        proxy_ssl_session_reuse       on;
+        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
+
+        proxy_buffer_size          128k;
+        proxy_buffers              4 256k;
+        proxy_busy_buffers_size    256k;
+    }
+}
+
+upstream keycloak {
+    ip_hash;
+    server keycloak:8443 fail_timeout=2s;
+}
diff --git a/deployments/local/standalone/readme.md b/deployments/local/standalone/readme.md
@@ -0,0 +1,12 @@
+Keycloak Standalone Example
+---
+
+# Make certificates
+
+mkcert -install
+
+Generate "external cert"
+mkcert -cert-file ./config/certs/acme.test-cert.pem -key-file ./config/certs/acme.test-cert-key.pem "*.acme.test"
+
+Generate internal cert
+mkcert -cert-file ./config/certs/keycloak-cert.pem -key-file ./config/certs/keycloak-cert-key.pem "keycloak"
diff --git a/deployments/local/standalone/up.sh b/deployments/local/standalone/up.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+docker compose -p kc-simple -f docker-compose.yml up $@