Deployment: Add simple standalone example with reverse proxy
1 parent
b88570b
commit 2d1da30
Showing
7 changed files
with
186 additions
and
0 deletions.
@@ -0,0 +1,86 @@ | ||
services: | ||
|
||
database: | ||
image: docker.io/postgres:15 | ||
environment: | ||
POSTGRES_USER: keycloak | ||
POSTGRES_PASSWORD: passw0rd | ||
ports: | ||
- 25432:5432 | ||
volumes: | ||
- keycloak-db-data:/var/lib/postgresql/data | ||
healthcheck: | ||
test: ["CMD-SHELL", "pg_isready -U keycloak"] | ||
interval: 10s | ||
timeout: 5s | ||
retries: 5 | ||
|
||
keycloak: | ||
build: | ||
dockerfile: ./keycloak/Dockerfile | ||
command: start-dev | ||
env_file: .env | ||
environment: | ||
DEBUG: 'true' | ||
DEBUG_PORT: '*:8787' | ||
|
||
# Keycloak DB | ||
KC_DB: postgres | ||
KC_DB_URL_HOST: database | ||
KC_DB_URL_PORT: '5432' | ||
KC_DB_URL_DATABASE: keycloak | ||
KC_DB_USERNAME: keycloak | ||
KC_DB_PASSWORD: passw0rd | ||
|
||
KC_LOG_LEVEL: INFO,com.acme.iam.keycloak:debug | ||
|
||
KC_FEATURES: preview | ||
|
||
KEYCLOAK_ADMIN: admin | ||
KEYCLOAK_ADMIN_PASSWORD: admin | ||
|
||
KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/conf/certs/cert.pem | ||
KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/conf/certs/cert-key.pem | ||
|
||
KC_HOSTNAME: id.acme.test | ||
KC_PROXY: edge | ||
|
||
ports: | ||
- "8080:8080" | ||
- "8443:8443" | ||
- "8787:8787" | ||
volumes: | ||
- ./keycloak/providers:/opt/keycloak/providers | ||
- ./keycloak/themes:/opt/keycloak/themes | ||
- ./keycloak/conf/keycloak.conf:/opt/keycloak/conf/keycloak.conf | ||
- ./keycloak/conf/quarkus.properties:/opt/keycloak/conf/quarkus.properties | ||
- ./config/certs/keycloak-cert.pem:/opt/keycloak/conf/certs/cert.pem | ||
- ./config/certs/keycloak-cert-key.pem:/opt/keycloak/conf/certs/cert-key.pem | ||
|
||
proxy: | ||
image: nginx:alpine | ||
volumes: | ||
- ./proxy/nginx.conf:/etc/nginx/conf.d/default.conf | ||
- ./config/certs/acme.test-cert.pem:/etc/tls/cert.pem | ||
- ./config/certs/acme.test-cert-key.pem:/etc/tls/cert-key.pem | ||
- ./config/certs/rootCA.pem:/etc/tls/rootCA.pem | ||
ports: | ||
- "443:443" | ||
depends_on: | ||
- keycloak | ||
|
||
mailserver: | ||
# Web Interface: http://localhost:1080/# | ||
# Web API: http://localhost:1080/api/v2/messages | ||
image: mailhog/mailhog:v1.0.1@sha256:8d76a3d4ffa32a3661311944007a415332c4bb855657f4f6c57996405c009bea | ||
logging: | ||
driver: none | ||
# Disable mailhog logging, see: https://github.com/mailhog/MailHog/issues/56 | ||
entrypoint: [ "/bin/sh", "-c", "MailHog &>/dev/null" ] | ||
ports: | ||
- "1080:8025" | ||
- "1025:1025" | ||
|
||
volumes: | ||
keycloak-db-data: | ||
name: keycloak-db-data |
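Review bot: The JDWP debug port is published to every interface: `DEBUG_PORT: '*:8787'` together with `- "8787:8787"` lets any host that can reach the Docker host attach a debugger and execute arbitrary code inside the Keycloak JVM, which is a far bigger hole than the admin/admin and passw0rd defaults a dev example is expected to carry. Binding the published Keycloak ports to loopback keeps nginx as the only network entry point: `- "127.0.0.1:8080:8080"`, `- "127.0.0.1:8443:8443"`, `- "127.0.0.1:8787:8787"`, and the same treatment applies to `25432:5432` on the database. This matters doubly because with `KC_PROXY: edge` Keycloak honours X-Forwarded-* headers from whoever reaches it directly, so the published 8080/8443 bypass the proxy's header handling entirely. Since nginx already speaks TLS to `keycloak:8443` and verifies it against rootCA.pem, `KC_PROXY: reencrypt` is presumably the intended mode rather than `edge` — worth confirming.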
@@ -0,0 +1,7 @@ | ||
#see https://www.keycloak.org/server/containers | ||
ARG KEYCLOAK_VERSION=22.0.5 | ||
FROM quay.io/keycloak/keycloak:$KEYCLOAK_VERSION | ||
|
||
USER root | ||
|
||
USER keycloak |
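Review bot: `USER root` followed immediately by `USER keycloak` with no instruction between them is a no-op and reads as if a step went missing; either drop both lines or leave a comment such as `# become root only for install steps added here, then drop back to keycloak` so the intent survives the next edit. Pinning the base image by digest, as the compose file already does for mailhog, would make the build reproducible, though the digest itself is not something this diff shows.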
@@ -0,0 +1,2 @@ | ||
spi-events-listener-jboss-logging-success-level=info | ||
spi-events-listener-jboss-logging-error-level=warn |
Empty file.
@@ -0,0 +1,76 @@ | ||
|
||
error_log stdout info; | ||
access_log stdout; | ||
|
||
# Disable server name header | ||
server_tokens off; | ||
|
||
server { | ||
listen 443 ssl; | ||
server_name id.acme.test; | ||
|
||
# generated via https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6 | ||
ssl_certificate /etc/tls/cert.pem; | ||
ssl_certificate_key /etc/tls/cert-key.pem; | ||
|
||
ssl_session_timeout 1d; | ||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions | ||
ssl_session_tickets off; | ||
|
||
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam | ||
# ssl_dhparam /etc/ssl/dhparams; | ||
|
||
# intermediate configuration | ||
ssl_protocols TLSv1.2 TLSv1.3; | ||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; | ||
ssl_prefer_server_ciphers off; | ||
|
||
# HSTS (ngx_http_headers_module is required) (63072000 seconds) | ||
# add_header Strict-Transport-Security "max-age=63072000" always; | ||
|
||
# OCSP stapling | ||
# ssl_stapling on; | ||
# ssl_stapling_verify on; | ||
|
||
# replace with the IP address of your resolver | ||
# resolver 127.0.0.1; | ||
|
||
location / { | ||
|
||
location = /robots.txt { | ||
allow all; | ||
log_not_found off; | ||
access_log off; | ||
} | ||
|
||
if ( $request_uri ~* ^.+\. ) { | ||
access_log off; | ||
} | ||
|
||
# if ( $request_uri ~ ^/(admin) ) { | ||
# return 403; | ||
# } | ||
|
||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_set_header X-Forwarded-Host $host; | ||
proxy_set_header X-Forwarded-Port $server_port; | ||
|
||
proxy_pass https://keycloak; | ||
proxy_connect_timeout 2s; | ||
|
||
proxy_ssl_trusted_certificate /etc/tls/rootCA.pem; | ||
proxy_ssl_verify on; | ||
proxy_ssl_session_reuse on; | ||
proxy_ssl_protocols TLSv1.2 TLSv1.3; | ||
|
||
proxy_buffer_size 128k; | ||
proxy_buffers 4 256k; | ||
proxy_busy_buffers_size 256k; | ||
} | ||
} | ||
|
||
upstream keycloak { | ||
ip_hash; | ||
server keycloak:8443 fail_timeout=2s; | ||
} |
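Review bot: The commented-out admin filter at `if ( $request_uri ~ ^/(admin) )` tests the raw, un-normalised request line, so if it is ever enabled a request for `/%61dmin` or `//admin` would slip past the check and still reach Keycloak's admin console once the path is decoded upstream; a prefix location on the normalised path, `location ^~ /admin/ { return 403; }` as a sibling of `location /`, is the robust form. As written the admin console is served through the public `id.acme.test` vhost, which may be intended for a dev example but deserves a one-line comment saying so. The HSTS header is also left commented even though this server is the TLS edge for the realm; `add_header Strict-Transport-Security "max-age=63072000" always;` is cheap to enable here. `proxy_ssl_verify on` with `proxy_pass https://keycloak` relies on the default `proxy_ssl_name` matching the upstream name `keycloak`, which the README's internal cert is issued for — a comment noting that renaming the service requires reissuing the cert would save someone a confusing 502.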
@@ -0,0 +1,12 @@ | ||
Keycloak Standalone Example | ||
--- | ||
|
||
# Make certificates | ||
|
||
mkcert -install | ||
|
||
Generate "external cert" | ||
mkcert -cert-file ./config/certs/acme.test-cert.pem -key-file ./config/certs/acme.test-cert-key.pem "*.acme.test" | ||
|
||
Generate internal cert | ||
mkcert -cert-file ./config/certs/keycloak-cert.pem -key-file ./config/certs/keycloak-cert-key.pem "keycloak" |
@@ -0,0 +1,3 @@ | ||
#!/usr/bin/env bash | ||
|
||
docker compose -p kc-simple -f docker-compose.yml up $@ |
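Review bot: `$@` is unquoted on the `docker compose ... up $@` line, so any argument containing whitespace or glob characters is re-split by the shell before it reaches compose; `docker compose -p kc-simple -f docker-compose.yml up "$@"` passes the arguments through intact. Adding `set -euo pipefail` after the shebang is the usual companion, though for a one-liner it is optional.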