
Cài Keycloak Server

1. Cài đặt Keycloak

File docker-compose.yaml

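# docker-compose.yaml — Keycloak 24 (dev mode) backed by PostgreSQL 15,
# meant to sit behind an HAProxy reverse proxy that terminates TLS.
# `version` is ignored by Compose v2 but kept for older docker-compose.
version: "3.9"

services:
  postgres:
    image: postgres:15
    container_name: keycloak_postgres
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      # Override from .env or the shell; the weak default only exists so
      # that `docker-compose up` still works out of the box.
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}
    volumes:
      - postgres_data:/var/lib/postgresql/data
    # Lets keycloak wait for a *ready* database, not just a started container.
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U keycloak -d keycloak"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - keycloak_network

  keycloak:
    image: quay.io/keycloak/keycloak:24.0
    container_name: keycloak
    # start-dev disables the production hostname/TLS checks — dev use only.
    command: start-dev
    environment:
      KC_DB: postgres
      KC_DB_URL_HOST: postgres
      KC_DB_URL_DATABASE: keycloak
      KC_DB_USERNAME: keycloak
      # Same variable as POSTGRES_PASSWORD so the two can never drift apart.
      KC_DB_PASSWORD: ${POSTGRES_PASSWORD:-password}
      KC_HOSTNAME: keycloak-dev.huce.edu.vn
      # TLS ends at HAProxy, which supplies the X-Forwarded-* headers.
      KC_PROXY: edge
      KC_HOSTNAME_STRICT: "false"
      # Bootstrap admin account — override both values before first start.
      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
    ports:
      # Plain HTTP on every interface. Because KC_PROXY=edge trusts
      # X-Forwarded-*, only the reverse-proxy host should be able to reach
      # this port (restrict it with a host firewall).
      - "8080:8080"
    depends_on:
      postgres:
        condition: service_healthy
    networks:
      - keycloak_network

volumes:
  postgres_data: {}

networks:
  keycloak_network: {}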

Chạy lệnh:

# --build is a no-op here: no service in the compose file defines a build context
docker-compose up -d --build

image.png

2. Cấu hình HA Proxy làm reverse proxy

Kiểm tra từ HAProxy Server xem có kết nối được tới port 8080 của Keycloak Server không

# -z: only test the connection, send no data; -v: print the result.
# Generic form (replace the bracketed placeholder), then the concrete host.
nc -zv [ip keycloak server] 8080
nc -zv 192.168.100.36 8080

Kết quả như hình là OK

image.png

Cấu hình HAProxy làm reverse proxy về Keycloak server (port 8080); SSL được xử lý (terminate) ngay tại HAProxy

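global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    # Admin socket is a local unix socket (mode 660); keep it that way.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen stats
    # Listens on every interface over plain HTTP: restrict it to the admin
    # network with a firewall (or bind to a specific IP) and replace the
    # credentials below. `stats admin if TRUE` lets any logged-in user
    # take backend servers up and down.
    bind *:8404
    mode http
    stats enable
    stats uri /stats
    stats refresh 5s
    stats realm Haproxy\ Statistics
    stats auth admin:Nuce@1234
    stats admin if TRUE

frontend http_in
    bind *:80
    mode http
    # Never serve the login flow over plain HTTP: redirect everything to HTTPS.
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend https_in
    bind *:443 ssl crt /etc/ssl/huce_cert/cert.pem
    mode http
    # Tell browsers to stay on HTTPS for one year.
    http-response set-header Strict-Transport-Security "max-age=31536000"

    acl host_keycloak-dev hdr(host) -i keycloak-dev.huce.edu.vn

    use_backend keycloak_dev if host_keycloak-dev

    # Unknown Host headers get a 403 instead of being forwarded.
    default_backend reject_all

backend keycloak_dev
    # Keycloak runs with KC_PROXY=edge and builds its public URL from these
    # headers; HAProxy always overwrites them so a client cannot spoof them.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http unless { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-For %[src]
    # Host is passed through unchanged; no rewrite needed.
    server keycloak_dev_1 192.168.100.36:8080 check

backend reject_all
    errorfile 403 /etc/haproxy/errors/403.http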

Chạy lệnh:

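# Validate the config first so a typo does not take the proxy down on restart.
haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl restart haproxy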