Commit 9fac25fd authored by Johannes Reppin's avatar Johannes Reppin

commit w/ config files

parent 60711a66
# keycloak-docker-compose
Configuration example for Keycloak using Docker Compose:
\ No newline at end of file
Configuration example for Keycloak using Docker Compose:
* docker-compose.yml
* main compose definition file
* nginx/nginx.conf
* config example for proxy
* config/profile.properties
* enable scripts in keycloak
feature.scripts=enabled
feature.upload_scripts=enabled
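Review bot: `feature.upload_scripts=enabled` lets anyone holding realm-admin rights push JavaScript through the admin console or REST API that then executes inside the Keycloak JVM, so a compromised admin account becomes code execution on the container; Keycloak's own documentation marks this feature as deprecated. The supported route is to package scripts as a provider JAR (with a `META-INF/keycloak-scripts.json` descriptor) dropped into the deployments directory that the compose file already reserves as a commented-out `./plugins` mount, keeping only `feature.scripts=enabled` here. If upload has to stay on for development, make the risk visible with a comment above the line such as `# upload_scripts allows arbitrary server-side JS via the admin API - dev only, never enable on an internet-facing realm`.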
version: "3.7"
services:
sso:
image: quay.io/keycloak/keycloak:15.0.2
container_name: "keycloak"
volumes:
- /etc/localtime:/etc/localtime:ro
- ./config/profile.properties:/opt/jboss/keycloak/standalone/configuration/profile.properties
# add plugins for hot deployment in running in KC
#- ./plugins:/opt/jboss/keycloak/standalone/deployments/
environment:
- KEYCLOAK_USER=admin
- KEYCLOAK_PASSWORD=changeme
- PROXY_ADDRESS_FORWARDING=true
- KEYCLOAK_LOGLEVEL=INFO
- KEYCLOAK_STATISTICS=all
- DB_VENDOR=POSTGRES
- DB_ADDR=postgres
- DB_USER=keycloak
- DB_PASSWORD=changeme
- DB_DATABASE=keycloak
- DB_SCHEMA=public
networks:
- internal
database:
image: postgres:13
container_name: "postgres"
environment:
- POSTGRES_USER=keycloak
- POSTGRES_DATABASE=keycloak
- POSTGRES_PASSWORD=changeme
volumes:
- postgres_data:/var/lib/postgresql/data
networks:
- internal
proxy:
image: nginx:latest
container_name: nginx
ports:
- "443:443"
- "80:80"
volumes:
- ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf
- ./certs:/etc/nginx/ssl
networks:
- internal
networks:
internal:
driver: bridge
driver_opts:
# Openstack spezifisch, kann auf 1500 gelassen werden wenn ihr auf
# Bare Metal lauft.
com.docker.network.driver.mtu: 1450
volumes:
postgres_data:
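Review bot: The admin and database credentials are literal `changeme` strings committed with the config (`KEYCLOAK_PASSWORD`, `DB_PASSWORD`, `POSTGRES_PASSWORD`), and `KEYCLOAK_PASSWORD` bootstraps the admin account that the nginx service then exposes to the internet on 443. Pull them from the environment with required substitution, e.g. `- KEYCLOAK_PASSWORD=${KEYCLOAK_PASSWORD:?set in .env}` and `- DB_PASSWORD=${DB_PASSWORD:?set in .env}`, keep `.env` out of git, and note that the official postgres image also accepts `POSTGRES_PASSWORD_FILE` for a mounted secret. Separately, `POSTGRES_DATABASE` is not a variable the official postgres image reads (the name is `POSTGRES_DB`); it only works here because the image defaults the database name to `POSTGRES_USER`, so rename it before someone changes the user and loses the match with `DB_DATABASE`. The `proxy` service has no `depends_on: [sso]`, so nginx can start before the `keycloak` name is resolvable on the network and fail on its static `proxy_pass` upstream.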
# top-level http config for websocket headers
# If Upgrade is defined, Connection = upgrade
# If Upgrade is empty, Connection = close
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# HTTP server to redirect all 80 traffic to SSL/HTTPS
server {
listen 80;
server_name keycloak.fqdn.com;
# Tell all requests to port 80 to be 302 redirected to HTTPS
return 302 https://$host$request_uri;
}
# HTTPS server to handle JupyterHub
server {
listen 443 ssl;
server_name keycloak.fqdn.com;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers off;
#ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
# set longer timeouts
proxy_read_timeout 300s;
proxy_connect_timeout 75s;
client_max_body_size 100m;
# Managing literal requests to the JupyterHub front end
location / {
proxy_pass http://keycloak:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# websocket headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
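Review bot: `ssl_stapling on; ssl_stapling_verify on;` are incomplete: nginx needs a `resolver` to reach the OCSP responder and `ssl_trusted_certificate` to verify the response, and without them it only logs a warning and serves no stapled response, so stapling is silently off. Add `resolver 127.0.0.11 valid=300s;` (Docker's embedded DNS) beside them and point `ssl_trusted_certificate` at the issuing chain under `/etc/nginx/ssl`; if the cert in `./certs` is self-signed, drop both stapling lines instead. The comments on the 443 server block and the `location /` block still say "JupyterHub" although the block proxies Keycloak; change them to `# HTTPS server for Keycloak` and `# Proxy everything to the Keycloak container`. The HTTP listener's `return 302` would conventionally be `return 301` so clients and caches learn the redirect is permanent, and `ssl_protocols TLSv1.2 TLSv1.3;` is supported by the `nginx:latest` image used here.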