
Keycloak
1 Introduction
One problem, one article, one story.
In the previous chapter we completed a single-node proxy for RHBK; this chapter completes the proxy for an RHBK cluster.
The following chapters cover the basics of RHBK proxying; consult them as needed:
2 Best practice
2.1 Deployment environment
2.1.1 Deploy the RHBK cluster
2.1.2 Deploy the Nginx reverse proxy
2.2 RHBK service configuration
In rhbk0[1-2],
2.2.1 Modify the RHBK node configuration
vim /etc/keycloak/keycloak.conf
Modify the configuration as follows:
# Basic settings for running in production. Change accordingly before deploying the server.

# Database
db = mariadb
db-username = keycloak
db-password = keycloakpwd
db-url = jdbc:mariadb://rhbkdb01.cmdschool.org:3306/keycloak?characterEncoding=UTF-8

# Observability
health-enabled = true
metrics-enabled = true

# HTTP
https-certificate-file = /etc/keycloak/wildcard.cmdschool.org.crt
https-certificate-key-file = /etc/keycloak/wildcard.cmdschool.org.key

# The proxy address forwarding mode if the server is behind a reverse proxy.
proxy = reencrypt

# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
#spi-sticky-session-encoder-infinispan-should-attach-route = false
# Uncomment to disable route attachment to cookies

# Hostname for the Keycloak server.
#hostname = rhbk01.cmdschool.org
hostname = https://websso.cmdschool.org
hostname-admin=https://webssoadmin.cmdschool.org
proxy-headers=xforwarded

# Logging configuration
log = console,file
log-level = INFO,org.hibernate:debug,org.hibernate.hql.internal.ast:info
log-file = /var/log/keycloak/keycloak.log
log-file-size = 10MB
log-file-count = 20

# Infinispan configuration
cache-stack = jdbc-ping
cache = ispn
2.2.2 Restart the service for the configuration to take effect
systemctl restart keycloak.service
systemctl status keycloak.service
2.3 Configure the RHBK proxy
In Proxy,
2.3.1 Create the front-end proxy configuration
mkdir -p /etc/nginx/sso.conf.d/
vim /etc/nginx/sso.conf.d/websso.cmdschool.org_443_keycloak.conf
Add the following configuration:
upstream websso.cmdschool.org_backend {
    # Session affinity: a client keeps hitting the same RHBK node
    ip_hash;
    server rhbk01.cmdschool.org:8443;
    server rhbk02.cmdschool.org:8443;
}

server {
    listen 443 ssl;
    server_name websso.cmdschool.org;
    include /etc/nginx/public/ssl_default.conf;
    #...
    # Public paths: /js/, /realms/, /resources/ and /robots.txt (the regex is
    # anchored so that /robots.txt itself matches; a trailing "/" would miss it)
    location ~ ^/(js/|realms/|resources/|robots\.txt$) {
        # $remote_addr (not $proxy_add_x_forwarded_for) discards any
        # client-supplied X-Forwarded-For before it reaches Keycloak
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_pass https://websso.cmdschool.org_backend;
        proxy_set_header Host $host:$server_port;
    }
    # Everything else (admin console, metrics, health) is internal only
    location / {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_pass https://websso.cmdschool.org_backend;
        proxy_set_header Host $host:$server_port;
        allow 10.0.0.0/8;
        allow 172.16.0.0/12;
        allow 192.168.0.0/16;
        deny all;
    }
}

server {
    listen 80;
    server_name websso.cmdschool.org;
    return 301 https://websso.cmdschool.org$request_uri;
}
2.3.2 Create the admin proxy configuration
mkdir -p /etc/nginx/sso.conf.d/
vim /etc/nginx/sso.conf.d/webssoadmin.cmdschool.org_443_keycloak.conf
Add the following configuration:
server {
    listen 443 ssl;
    server_name webssoadmin.cmdschool.org;
    include /etc/nginx/public/ssl_default.conf;
    #...
    # Whole admin hostname restricted to internal address ranges
    location / {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        # upstream is defined in websso.cmdschool.org_443_keycloak.conf;
        # both files are included into the same http {} block
        proxy_pass https://websso.cmdschool.org_backend;
        proxy_set_header Host $host:$server_port;
        allow 10.0.0.0/8;
        allow 172.16.0.0/12;
        allow 192.168.0.0/16;
        deny all;
    }
}

server {
    listen 80;
    server_name webssoadmin.cmdschool.org;
    return 301 https://webssoadmin.cmdschool.org$request_uri;
}
2.3.3 Include the configuration
vim /etc/nginx/nginx.conf
Add the following configuration:
#...
http {
    #...
    include /etc/nginx/sso.conf.d/*.conf;
}
#...
2.3.4 Check the configuration and reload to apply it
nginx -t
systemctl reload nginx
systemctl status nginx
2.3.5 Test the proxy configuration
https://websso.cmdschool.org
Note: test separately from the Internet and from the internal network, to verify that the admin console is reachable only from internal addresses.
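The manual browser test above can be turned into a repeatable check. The script below is an added example, not part of the original article or of the Keycloak project; it assumes the hostnames from this article (websso.cmdschool.org and webssoadmin.cmdschool.org), the realm name "master", and that the wildcard certificate is trusted by the machine running it. It verifies three things the configuration is supposed to guarantee: the OIDC discovery document advertises the public hostname (which only happens when the X-Forwarded-* headers are set by Nginx and accepted via proxy-headers=xforwarded; otherwise clients see rhbk01:8443 as issuer), port 80 redirects to HTTPS, and, when run from the Internet, the admin console, metrics and health paths are refused even if the client sends its own X-Forwarded-For header (Nginx evaluates allow/deny on the TCP peer address and overwrites that header with $remote_addr).

```python
"""Post-deployment checks for an RHBK cluster behind the Nginx reverse proxy.

Added example, not the article's own code. Assumed values: the two hostnames
from the article, realm "master", and a CA-trusted certificate.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional

PUBLIC_HOST = "websso.cmdschool.org"      # hostname= in keycloak.conf
ADMIN_HOST = "webssoadmin.cmdschool.org"  # hostname-admin= in keycloak.conf
REALM = "master"                          # assumed realm name


@dataclass
class Response:
    status: int
    headers: Dict[str, str]  # lower-cased header names
    body: bytes


def fetch(url: str, extra_headers: Optional[Dict[str, str]] = None) -> Response:
    """GET without following redirects so 301 and 403 can be inspected directly."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=extra_headers or {})
    try:
        with opener.open(req, timeout=10) as r:
            return Response(r.status, {k.lower(): v for k, v in r.headers.items()}, r.read())
    except urllib.error.HTTPError as e:
        return Response(e.code, {k.lower(): v for k, v in e.headers.items()}, e.read())


def check_discovery(body: bytes, public_host: str, realm: str) -> List[str]:
    """Issuer and endpoints must carry the proxy's public hostname, not a node name."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["discovery document is not JSON"]
    problems = []
    expected = f"https://{public_host}/realms/{realm}"
    if doc.get("issuer") != expected:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key, "")
        if not value.startswith(f"https://{public_host}/"):
            problems.append(f"{key} does not use the public hostname: {value!r}")
    return problems


def check_denied(resp: Response, what: str) -> List[str]:
    """Paths under the IP-restricted location / must answer 403 from outside."""
    return [] if resp.status == 403 else [f"{what}: expected 403, got {resp.status}"]


def check_https_redirect(resp: Response, host: str) -> List[str]:
    """The port-80 server block must answer 301 to the https:// URL."""
    loc = resp.headers.get("location", "")
    if resp.status != 301 or not loc.startswith(f"https://{host}/"):
        return [f"port 80 on {host}: expected 301 to https://{host}/..., got {resp.status} {loc!r}"]
    return []


def run_checks(external: bool) -> List[str]:
    """external=True when run from the Internet, False from the internal network."""
    problems: List[str] = []
    disco = fetch(f"https://{PUBLIC_HOST}/realms/{REALM}/.well-known/openid-configuration")
    if disco.status != 200:
        problems.append(f"discovery returned {disco.status}")
    else:
        problems += check_discovery(disco.body, PUBLIC_HOST, REALM)
    problems += check_https_redirect(fetch(f"http://{PUBLIC_HOST}/realms/{REALM}/"), PUBLIC_HOST)
    admin_url = f"https://{ADMIN_HOST}/admin/"
    if external:
        for path in ("/admin/", "/metrics", "/health"):
            problems += check_denied(fetch(f"https://{PUBLIC_HOST}{path}"), f"{PUBLIC_HOST}{path}")
        problems += check_denied(fetch(admin_url), admin_url)
        # A client-supplied X-Forwarded-For must not open the allowlist
        spoofed = fetch(admin_url, {"X-Forwarded-For": "10.0.0.1"})
        problems += check_denied(spoofed, f"{admin_url} with spoofed X-Forwarded-For")
    elif fetch(admin_url).status == 403:
        problems.append(f"{admin_url} denied from the internal network; check allow ranges")
    return problems


if __name__ == "__main__":
    found = run_checks(external="--external" in sys.argv)
    for p in found:
        print("FAIL:", p)
    print("all checks passed" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

Run it once from an Internet-facing host with `--external` and once from the internal network without the flag; the two runs together cover the note above.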
References
====================
https://www.keycloak.org/server/hostname
https://www.keycloak.org/server/reverseproxy
https://docs.redhat.com/zh-cn/documentation/red_hat_build_of_keycloak/22.0/html-single/server_guide/index#reverseproxy-