commit w/ config files

9fac25fd · Johannes Reppin · 60711a66 · 9fac25fd · 9fac25fd · 9fac25fd
Commit 9fac25fd authored Oct 08, 2021 by Johannes Reppin
--- a/README.md
+++ b/README.md
 # keycloak-docker-compose

-Configuration example for Keycloak using Docker Compose:
\ No newline at end of file
+Configuration example for Keycloak using Docker Compose:
+
+* docker-compose.yml
+	* main compose definition file
+* nginx/nginx.conf
+	* config example for proxy
+* config/profile.properties
+        * enable scripts in keycloak
+
--- a/certs/cert.pem
+++ b/certs/cert.pem
--- a/certs/key.pem
+++ b/certs/key.pem
--- a/config/profile.properties
+++ b/config/profile.properties
+feature.scripts=enabled
+feature.upload_scripts=enabled
--- a/docker-compose.yml
+++ b/docker-compose.yml
+version: "3.7"
+
+services:    
+  sso:
+    image: quay.io/keycloak/keycloak:15.0.2
+    container_name: "keycloak"
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - ./config/profile.properties:/opt/jboss/keycloak/standalone/configuration/profile.properties
+      # add plugins for hot deployment in running in KC
+      #- ./plugins:/opt/jboss/keycloak/standalone/deployments/
+    environment:
+      - KEYCLOAK_USER=admin
+      - KEYCLOAK_PASSWORD=changeme
+      - PROXY_ADDRESS_FORWARDING=true
+      - KEYCLOAK_LOGLEVEL=INFO 
+      - KEYCLOAK_STATISTICS=all
+      - DB_VENDOR=POSTGRES
+      - DB_ADDR=postgres
+      - DB_USER=keycloak
+      - DB_PASSWORD=changeme
+      - DB_DATABASE=keycloak
+      - DB_SCHEMA=public
+    networks:
+      - internal
+
+  database:
+    image: postgres:13
+    container_name: "postgres"
+    environment:
+      - POSTGRES_USER=keycloak
+      - POSTGRES_DATABASE=keycloak
+      - POSTGRES_PASSWORD=changeme
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    networks:
+      - internal
+
+  proxy:
+    image: nginx:latest
+    container_name: nginx
+    ports:
+      - "443:443"
+      - "80:80"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf
+      - ./certs:/etc/nginx/ssl
+    networks:
+      - internal
+
+networks:
+  internal:
+    driver: bridge
+    driver_opts:
+      # Openstack spezifisch, kann auf 1500 gelassen werden wenn ihr auf
+      # Bare Metal lauft. 
+      com.docker.network.driver.mtu: 1450
+
+volumes:
+  postgres_data:
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
+# top-level http config for websocket headers
+# If Upgrade is defined, Connection = upgrade
+# If Upgrade is empty, Connection = close
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+# HTTP server to redirect all 80 traffic to SSL/HTTPS
+server {
+    listen 80;
+    server_name keycloak.fqdn.com;
+
+    # Tell all requests to port 80 to be 302 redirected to HTTPS
+    return 302 https://$host$request_uri;
+}
+
+# HTTPS server to handle JupyterHub
+server {
+    listen 443 ssl;
+
+    server_name keycloak.fqdn.com;
+
+    ssl_certificate /etc/nginx/ssl/cert.pem;
+    ssl_certificate_key /etc/nginx/ssl/key.pem;
+
+    ssl_protocols TLSv1.2;
+    ssl_prefer_server_ciphers off;
+    #ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    ssl_ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    add_header Strict-Transport-Security max-age=15768000;
+
+    # set longer timeouts
+    proxy_read_timeout 300s;
+    proxy_connect_timeout 75s;
+
+    client_max_body_size 100m;
+
+    # Managing literal requests to the JupyterHub front end
+    location / {
+        proxy_pass http://keycloak:8080;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        # websocket headers
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+    }
+}