├── .gitignore
├── LICENSE
├── README.MD
├── add-cert-to-java-truststore.sh
├── docker-compose.yml
├── keycloak-nginx.yml
├── keycloak-nginx
├── .gitignore
├── Dockerfile
├── certs
│ ├── identity.keycloak.tom.cert
│ └── identity.keycloak.tom.key
├── conf.d
│ ├── default.conf
│ └── upstream.conf
└── nginx.conf
├── keycloak-postgres.yml
├── keycloak-server.yml
└── keycloak-server
├── cli-scripts
├── add-corvus-registration.cli
├── add-corvus-theme.cli
└── default-webapp.cli
├── drop-ins
└── .gitkeep
└── user
└── keycloak-add-user.json
/.gitignore:
--------------------------------------------------------------------------------
1 | *.iml
2 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2016 Tomislav
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.MD:
--------------------------------------------------------------------------------
1 | # Keycloak 2.4.0.Final - docker and docker-compose
2 |
3 | This is a `docker-compose` setup for a [Keycloak](http://www.keycloak.org/) server configured with a [postgres database](https://www.postgresql.org/), [nginx https termination](https://www.nginx.com/) and a [lightweight mail server](https://mailcatcher.me/).
4 |
5 |
6 | ## Used docker images
7 |
8 | * [keycloak-postgres, 2.4.0.Final](https://hub.docker.com/r/jboss/keycloak-postgres/)
9 | * [postgres, 9.5](https://hub.docker.com/_/postgres/)
10 | * [nginx configuration for https termination](https://github.com/anvilresearch/nginx), borrowed from anvilresearch and customized for Keycloak
11 | * [mailcatcher](https://hub.docker.com/r/schickling/mailcatcher/)
12 |
13 | ## Usage
14 |
15 | * Clone this repository and run `docker-compose up`
16 | * In a separate shell, run `./add-cert-to-java-truststore.sh`. Adjust the script for your local Java setup; the idea is to put the custom (self-signed) certificate into Java's `cacerts`
17 | * Add a record to your `/etc/hosts` file mapping `identity.keycloak.tom` to `127.0.0.1`:
18 | * `127.0.0.1 identity.keycloak.tom`
19 |
20 |
21 | ## Testing
22 |
23 | * point your browser to [https://identity.keycloak.tom](https://identity.keycloak.tom)
24 | * accept the insecure-site warning, or add ./keycloak-nginx/certs/identity.keycloak.tom.cert to your browser's truststore
25 |
26 | ## Admin account
27 | * default admin account added to Keycloak is:
28 | * Username: **admin**
29 | * Password: **password**
30 |
31 |
32 | ### Modifications on Keycloak configuration
33 |
34 | * in `standalone.xml`, I've modified 2 lines:
35 | * line 410: ``````
36 | * This modification tells Keycloak to pull the client’s IP address from the X-Forwarded-For header since it's behind nginx.
37 | * line 412: ``````
38 | * This modification deploys Keycloak as default application on root path (context)
39 |
40 |
41 | ### Tested on
42 | * `cat /etc/os-release`:
43 | ```
44 | NAME=Fedora
45 | VERSION="23 (Twenty Three)"
46 | ID=fedora
47 | VERSION_ID=23
48 | PRETTY_NAME="Fedora 23 (Twenty Three)"
49 | ANSI_COLOR="0;34"
50 | CPE_NAME="cpe:/o:fedoraproject:fedora:23"
51 | HOME_URL="https://fedoraproject.org/"
52 | BUG_REPORT_URL="https://bugzilla.redhat.com/"
53 | REDHAT_BUGZILLA_PRODUCT="Fedora"
54 | REDHAT_BUGZILLA_PRODUCT_VERSION=23
55 | REDHAT_SUPPORT_PRODUCT="Fedora"
56 | REDHAT_SUPPORT_PRODUCT_VERSION=23
57 | PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
58 | ```
59 | * `uname -a`: Linux xxx.XXX 4.8.10-100.fc23.x86_64 #1 SMP Mon Nov 21 20:37:11 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
60 | * `docker --version`: Docker version 1.12.3, build 6b644ec
61 | * `docker-compose --version`: docker-compose version 1.8.1, build 878cff1
62 |
63 |
--------------------------------------------------------------------------------
/add-cert-to-java-truststore.sh:
--------------------------------------------------------------------------------
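#!/usr/bin/env bash
# Import the repository's self-signed certificate for identity.keycloak.tom into
# the JDK's system-wide truststore (cacerts) so local Java clients accept the
# nginx TLS endpoint. Run from the repository root, in a separate shell after
# `docker-compose up` (see README.MD).
#
# Environment:
#   JAVA_HOME       JDK root; defaults to /usr/java/default when unset.
#   KEYSTORE_PASS   truststore password; defaults to the JDK default "changeit".
#
# NOTE(review): the matching private key ships in this repository, and the
# certificate appears to be self-signed with basicConstraints CA:TRUE. Once it is
# trusted by cacerts, anyone holding that key can mint certificates that every Java
# process on this machine accepts. Keep this to throw-away dev machines and remove
# the alias when done:
#   keytool -delete -alias identity.keycloak.tom -keystore <cacerts> -storepass <pass>
set -euo pipefail

JAVA_JDK=${JAVA_HOME:-/usr/java/default}
KEYSTORE_PASS=${KEYSTORE_PASS:-changeit}
CERT_FILE=./keycloak-nginx/certs/identity.keycloak.tom.cert
echo "Java path: ${JAVA_JDK}"

# JDK 8 and older keep keytool and cacerts under jre/; JDK 9+ dropped that
# directory, so fall back to the top-level layout when jre/ is absent.
if [ -x "${JAVA_JDK}/jre/bin/keytool" ]; then
    KEYTOOL="${JAVA_JDK}/jre/bin/keytool"
    CACERTS="${JAVA_JDK}/jre/lib/security/cacerts"
else
    KEYTOOL="${JAVA_JDK}/bin/keytool"
    CACERTS="${JAVA_JDK}/lib/security/cacerts"
fi

# Fail early with a readable message instead of a keytool stack trace.
if [ ! -f "${CERT_FILE}" ]; then
    echo "Certificate not found: ${CERT_FILE} (run this script from the repository root)" >&2
    exit 1
fi
if [ ! -x "${KEYTOOL}" ]; then
    echo "keytool not found under ${JAVA_JDK}; set JAVA_HOME to your JDK root" >&2
    exit 1
fi

# Paths are quoted so a JAVA_HOME containing spaces does not split the command.
# -noprompt suppresses the "Trust this certificate?" question.
sudo "${KEYTOOL}" \
    -import -trustcacerts \
    -alias "identity.keycloak.tom" -file "${CERT_FILE}" \
    -keystore "${CACERTS}" \
    -storepass "${KEYSTORE_PASS}" \
    -noprompt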
11 |
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
# Top-level composition: Keycloak, its PostgreSQL database, an nginx TLS
# terminator and a catch-all SMTP sink (mailcatcher). The service definitions
# live in the per-component files and are pulled in via `extends`; this file
# only wires them together.
version: '2'
services:
  keycloak-server:
    extends:
      file: keycloak-server.yml
      service: keycloak-server
    links:
      # alias "mailcatcher" — presumably the SMTP host Keycloak's realm mail
      # settings point at; that setting is not part of this repository, verify.
      - keycloak-mailcatcher:mailcatcher
    external_links:
      - keycloak-postgresql:postgresql
    volumes:
      - ./keycloak-server:/keycloak-server
  keycloak-postgresql:
    extends:
      file: keycloak-postgres.yml
      service: keycloak-postgresql
  keycloak-nginx:
    extends:
      file: keycloak-nginx.yml
      service: keycloak-nginx
    external_links:
      # keycloak-nginx/conf.d/upstream.conf resolves "keycloak" through this alias
      - keycloak-server:keycloak
  keycloak-mailcatcher:
    image: schickling/mailcatcher
    ports:
      # Web UI that shows every captured mail (password-reset and verification
      # links included), published on all host interfaces. Prefer
      # "127.0.0.1:1080:1080" unless other machines genuinely need it.
      - 1080:1080
27 |
--------------------------------------------------------------------------------
/keycloak-nginx.yml:
--------------------------------------------------------------------------------
# nginx TLS terminator in front of Keycloak. Listens on 80/443 of the host and
# proxies to the keycloak-server container over the compose network.
version: '2'
services:
  keycloak-nginx:
    container_name: keycloak-nginx
    # built from ./keycloak-nginx/Dockerfile
    build: keycloak-nginx
    external_links:
      # conf.d/upstream.conf proxies to "keycloak:8080" through this alias
      - keycloak-server:keycloak
    volumes:
      # virtual-host and upstream definitions, read-only inside the container
      - ./keycloak-nginx/conf.d:/etc/nginx/conf.d:ro
      # TLS certificate and private key, mounted read-only (:ro) so the proxy
      # process cannot modify them
      - ./keycloak-nginx/certs:/etc/nginx/certs:ro
      # access/error logs land on the host; the directory is git-ignored
      - ./keycloak-nginx/logs:/var/log/nginx
    ports:
      # 80 only issues a redirect to https (conf.d/default.conf)
      - "80:80"
      - "443:443"
    restart: unless-stopped
  keycloak-server:
    extends:
      file: keycloak-server.yml
      service: keycloak-server
--------------------------------------------------------------------------------
/keycloak-nginx/.gitignore:
--------------------------------------------------------------------------------
1 | logs/*
--------------------------------------------------------------------------------
/keycloak-nginx/Dockerfile:
--------------------------------------------------------------------------------
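#
# Nginx Dockerfile
#
# https://github.com/anvilresearch/nginx
#
# Builds the TLS-terminating reverse proxy in front of Keycloak. The main
# configuration (nginx.conf) is baked in; conf.d, certs and logs are
# bind-mounted at run time (see keycloak-nginx.yml).

# Pull base image.
# NOTE(review): alpine:3.2 is an end-of-life release that no longer receives
# package security updates, so the nginx/OpenSSL installed below stay unpatched;
# move to a supported Alpine release when this image is next touched.
FROM alpine:3.2

# Maintainer
MAINTAINER Anvil Research, Inc.

# Version
# These variables are informational only: the `apk add` below installs whatever
# nginx the alpine:3.2 repository serves and is not pinned to them.
ENV NGINX_VERSION 1.8.0
ENV NGINX_VERSION_RELEASE -r1

# Install nginx
RUN apk update && \
    apk add --update nginx && \
    rm -rf /var/cache/apk/*

# Copy main config file
COPY nginx.conf /etc/nginx/nginx.conf

# Define mountable directories.
VOLUME ["/etc/nginx/sites-enabled", "/etc/nginx/certs", "/etc/nginx/conf.d", "/var/log/nginx", "/var/www/html"]

# Define working directory.
WORKDIR /etc/nginx

# Define default command.
# nginx.conf sets `daemon off;`, so nginx stays in the foreground as the
# container's main process.
CMD ["nginx"]

# Expose ports.
# conf.d/default.conf listens on 80 (redirect to https) as well as 443, so both
# are documented here. EXPOSE is metadata only; the host bindings live in
# keycloak-nginx.yml.
EXPOSE 80 443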
36 |
--------------------------------------------------------------------------------
/keycloak-nginx/certs/identity.keycloak.tom.cert:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIGMzCCBBugAwIBAgIJAOKtDuH1IiGwMA0GCSqGSIb3DQEBCwUAMIGvMQswCQYD
3 | VQQGEwJIUjEQMA4GA1UECAwHQ3JvYXRpYTEPMA0GA1UEBwwGWmFncmViMRwwGgYD
4 | VQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMRIwEAYDVQQLDAllZHVjYXRpb24xHjAc
5 | BgNVBAMMFWlkZW50aXR5LmtleWNsb2FrLnRvbTErMCkGCSqGSIb3DQEJARYcdG9t
6 | aXNsYXYucmFqYWtvdmljQGdtYWlsLmNvbTAeFw0xNjEyMDUxMDAxNTVaFw0yNjEy
7 | MDMxMDAxNTVaMIGvMQswCQYDVQQGEwJIUjEQMA4GA1UECAwHQ3JvYXRpYTEPMA0G
8 | A1UEBwwGWmFncmViMRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMRIwEAYD
9 | VQQLDAllZHVjYXRpb24xHjAcBgNVBAMMFWlkZW50aXR5LmtleWNsb2FrLnRvbTEr
10 | MCkGCSqGSIb3DQEJARYcdG9taXNsYXYucmFqYWtvdmljQGdtYWlsLmNvbTCCAiIw
11 | DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALqYVm0PJKHlmZz02qrdjmLQOKnt
12 | GYrcxU6ZAGePVSo+6v0kSEYcFKPhPTrch0ki5BSeOhbYoTnmNF9N7FIg+XA2M0Wa
13 | NkmZf0jzVLse50te6fr1+dqtOY2MMZUjidJXGcLIlOG5zbdlsvJIEHw7yuYknuHo
14 | IZ+QTb/QFBy4G6MPyByU2aqfKSdHFWC2txnomVG8OTGBAovd+KHz8NTe3L9nYk6/
15 | nQvoPfUeTi7iA7Sd4v8CCWVFPe15OsD+jKOqxEllptnwMSU+Z3KhmL1qSfCjo1+z
16 | V8BNjtgGLaTgU+WR1A6XBAqurbg4bEW/hYeOGfSTIiHCP7+t+MXGprPcJ193T7YX
17 | puKsH/RiF+aooyP6+a2wqYLu1sF3MWIeiZGnfL5Il5dgEsfrjvJvZfc3ZySv0rex
18 | e7X0JEYE23Km4w23Mt8Ps8BzY3qZDBZWXhveVWqg1/Io07Vt0TTdjAW7xZTES1ca
19 | 3aA3zT8lDEnsIUbRl+EJb8twJywzhuA6s6p0s7cOIn311pMF078EyCBbtqiUb4/o
20 | Dr7bFTstTIKvEefmN/NKH2EdghaLiKgDtDn99o07BAXzmSjzimPOksv+jvC/nZoQ
21 | kVwvQePG3mNG/lnKq1Ylz9uZmDH4K+S+9gfIVmSu1vMcBOSLiOYOq7KnYrF0ydE5
22 | 19G03xuAL0w/gTfpAgMBAAGjUDBOMB0GA1UdDgQWBBTJXrYVS1V/hrGXWiPNfjEy
23 | bigqzTAfBgNVHSMEGDAWgBTJXrYVS1V/hrGXWiPNfjEybigqzTAMBgNVHRMEBTAD
24 | AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBU3vpGLtM6e24vRMu/5tdhqsgiI/+pxWoN
25 | /zSsnU7FCO4PqLr7nRLKFhe6GrzKQeSYseqTth7/pGE50pZ8Kow1lgvQ/mChqKhF
26 | 1owjblCVIg//ZOJgHKp2WkK2cnE8q3lApidDxH3Rcp5KajInaim6gXHQ1H+L0Rpe
27 | V5nwIGnOMez22asA0JASV/q/JII7o+GkUtlYKHpjpeLZcXvaad3iAvFj49limHvc
28 | Q8GjdxIn4HO7HD29qHElvsR5zKj+gvaLKLt160HoP+zN9LuuzXKgSAfErIeI5+wv
29 | JodInTxglvdFqYGbJqpmlrM7OLi2J/srpGKvSozVeRmEhiCA/2m68krX46vztPQW
30 | 0YWxla6vy4FCEbVbP9G4Q1k8cs5lheUVXh1+sNXDx1bfKUIEK6d7shUlSrp9wYPm
31 | LplUDaJKueralZBJhL8zAGmWo4Eerd2Q3+MoCihAL7eTK7VoOZvc5SuuCz0ELGTa
32 | 5XlvV4adKcmsdvbKMeofndCSTHhRu2PnSwEx+wHOjZyH5IPesl1GkoLjnhv19Yp8
33 | PjLaVQPwubvvst6dNQ2BfkKu42tgEyrkMNMZuImKwQhOzjeyr2ZVz6G0fCrlrEpu
34 | kl58SZA83wY2WvnXcF8k2RFAr/0+SFm4JjYy/Q1dOrhy7yhgRDl3VTdTqb4GZYRk
35 | knBoRJBiag==
36 | -----END CERTIFICATE-----
37 |
--------------------------------------------------------------------------------
/keycloak-nginx/certs/identity.keycloak.tom.key:
--------------------------------------------------------------------------------
1 | -----BEGIN RSA PRIVATE KEY-----
2 | MIIJKAIBAAKCAgEAuphWbQ8koeWZnPTaqt2OYtA4qe0ZitzFTpkAZ49VKj7q/SRI
3 | RhwUo+E9OtyHSSLkFJ46FtihOeY0X03sUiD5cDYzRZo2SZl/SPNUux7nS17p+vX5
4 | 2q05jYwxlSOJ0lcZwsiU4bnNt2Wy8kgQfDvK5iSe4eghn5BNv9AUHLgbow/IHJTZ
5 | qp8pJ0cVYLa3GeiZUbw5MYECi934ofPw1N7cv2diTr+dC+g99R5OLuIDtJ3i/wIJ
6 | ZUU97Xk6wP6Mo6rESWWm2fAxJT5ncqGYvWpJ8KOjX7NXwE2O2AYtpOBT5ZHUDpcE
7 | Cq6tuDhsRb+Fh44Z9JMiIcI/v634xcams9wnX3dPthem4qwf9GIX5qijI/r5rbCp
8 | gu7WwXcxYh6Jkad8vkiXl2ASx+uO8m9l9zdnJK/St7F7tfQkRgTbcqbjDbcy3w+z
9 | wHNjepkMFlZeG95VaqDX8ijTtW3RNN2MBbvFlMRLVxrdoDfNPyUMSewhRtGX4Qlv
10 | y3AnLDOG4DqzqnSztw4iffXWkwXTvwTIIFu2qJRvj+gOvtsVOy1Mgq8R5+Y380of
11 | YR2CFouIqAO0Of32jTsEBfOZKPOKY86Sy/6O8L+dmhCRXC9B48beY0b+WcqrViXP
12 | 25mYMfgr5L72B8hWZK7W8xwE5IuI5g6rsqdisXTJ0TnX0bTfG4AvTD+BN+kCAwEA
13 | AQKCAgEAsWYRjN//wNfLwphbqGS5cSJrLMqZJRcdkssNwmdX3bExsfejqtwZl3CV
14 | yPdOu26rjxqbOYs9RRGiqxUnXzGwVEmDV2H0yOZhSBbncHtCBLs5Enp2z7su427s
15 | 2NCPwGVEvZX7TdtbREgw5/0xhxtFnKYmU7pg9RW5hWorJN64j796TgoKIxfshUYk
16 | ge1UiRJFaZrceT8hD566Oib0yT0Ue/irUxkDEwX6mab1R8djJH2TCUSDcD9zT+mY
17 | vVGEnjnFIc694adk4fbBXQ9baoG5yEmbEmosPEzASIsfLAiGWtTY2gIjOpC14lXq
18 | QimCpsynyolzwsqt1utsf4OMi6T73DvC8kZDX5ozJSyWxZFR7KJcDUva2tKwb3dH
19 | CZ54HPRbYR6h62UEUZenoF9eODRqqwnaTR5tMz90mL1Ft09Y7JZQEVfL14HOG+Kk
20 | ORKuJdKvgdkOThX9VI6z/pRy6Yh1KYx+lfT44LKEefAh2eXIDTQIMt0DAk1SmKxf
21 | RJlwP6eAxcLln0pbboJqUZ9c7TqFYoX7e6jLeRXyy/GauXNbrRkPA14KXh49pFD0
22 | ItFzJTnSMAFWSk4fnb+OK1KvcEoaMKKFD/fCFWOvDp3GoH8ptHbRxmp/IDyXI90N
23 | 115YTGT2k2NgVergqnNdk5gxowm3NbSCoILQU723MLS/00dE2/0CggEBAOn8wEcB
24 | O0Zh5AdiKZP0F9PKIhLCFd+Ga9bF7d3wpErXPR3ruFCGY7LtO+/gdpQwEAZCkeO6
25 | 4Abc+S41Z3F48mXXUUL28Ar5DnFPE1f1g3JpVpUWlkjT0OGaESSv9u9XeXJIUemt
26 | 6IhkOr6Q8O1az/6MFXmbG8u+qrwxJLDI2KVbbEgSCrKXhqgk3XDv4lYJ2jea6cMT
27 | RQ/6b5EV3brrc+Si9jAQ0obQYyb1gaLTmFIJsnhsNscXxPheSjrO36GGUV6f06dp
28 | s8GAe1pOw4e6cwCFMFbnSBAl6DxJzrIZm7ZMImzsyPn8831j8lwBk3QUfjKVLA1o
29 | 1LFpKWn/SLCszrcCggEBAMwmNlyVDBDuk+YwEN98kHB3KDhGZk+lhfujhY1Lm7EL
30 | uP7YBe7sKIv3oSlnsyfGNpPSluFJ7GDOpt9oDbodrE3f+FjICrlTWGKfo83Z6CWw
31 | 5x13nIlL3UAkCX6ZuiufFhubrT1BGT+bppnAOss0BbpzJ1t2RXKdjp9O/YaFHvbB
32 | /biBBwtGV35yTn77jdPViQwsSOBI1ra2t2TRP/t84KUj4gqv9kbv8fDq4SpJFXu5
33 | eNTeAwP8YnfrqwAtmlsb3VjoGpP1gbWcSe4ZRriQKhZ5oZK31gdpw8YCF1CggZhF
34 | YaK+ysT4kMjSjFttjPd3LKg4COfyTcce7h0jJCoBjl8CggEAW+OXewr/xTciPsgM
35 | /f6I8PJbiTRRNLPsW67lKBid3IpEhSCSBIWSV60UsbJbvvxU/rBb7Kvx2KAk90Gf
36 | uw89WkNBtWOWhyihxFvCg/N1yJOXnfr9z+HnEQHZI6g6+GlI11mRWYyjWhTKgRYY
37 | l43nStamhFgmhU/+auN9vjNR6TZLAs6bBuG8zwGTOQvrvdAms1mR3bsOjyTRdY+5
38 | wPNAUxSwS9X/Z1Qk7CLT4ybnlagbP3F33Z33C3az/f5KEnvWLqvjicZYAnC7gI6X
39 | +RB+o0Cq6CXxxe2tEygFFSo7XU7u4gnnL01oLeD3R6ySxK5blO/CGg4GIRnkWq0X
40 | VdK3ZwKCAQBIyR78p09kAgvNODnr1HeTAYjfd4omv3cjnsuQ8vIRj4JnqhGDe8OB
41 | E8rr/kML3Um8LosIy9hxM3yfjnPGdannIgFjdf8M0EBk+VHnpNd2CLp98RVohhne
42 | MnsIHjsYLmItebWsbzdXTGF70+Oia2vXbBMOMv7TvIULG5ici33csJGLZMVkKbIs
43 | LQj7kSih7DIumuNow8952W9NjKVpPr7BYifHc7E03Xu/T57z+pakRB5mlrkwhJ1+
44 | 8BFJwPiVnzut5SMEubWDULOzJmPmjc/Tr44Bx3WRsw3P3RL+9hr+dU44PhoBXDYS
45 | w66zMj3eRSkw2LmkKOm+IrL2xH6yU1e1AoIBAEnZlnxBrD6riIKP4VC+/K6c4jbs
46 | PEMtdnRiU6QR0jtHSSyZqD32htUkFRBBafQ9cn3jSMW5fsfhUzo7zbxW7BrbuhRz
47 | yFK1uLlMr2LYoqGZBk70CA5xtpN7STiZJgmTd1/fwmec3b2oA3YJI1kIiDds6yGi
48 | d56hblAKgWmAFE1k9g1ubV2SD07twpwHEwQjHYl58aUDp4ZpXDg8kZCSvzyxsaea
49 | 42R1XLzqe53s6gZ6pL5N64IGc9qptx2AiQm2SWxBKUcFKEDVPC6lEc594+rFEn1H
50 | U9blKJpcUMDDdurg1l+ttDPsEtu7NmJgmBlg4cnoP4Ye9nK9XTzSzZV1UjI=
51 | -----END RSA PRIVATE KEY-----
52 |
--------------------------------------------------------------------------------
/keycloak-nginx/conf.d/default.conf:
--------------------------------------------------------------------------------
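
# Virtual hosts for identity.keycloak.tom: the plain-HTTP host only redirects to
# HTTPS; the HTTPS host terminates TLS and reverse-proxies to the "keycloak"
# upstream defined in upstream.conf. Included into the http{} context by nginx.conf.

# Cache zone for the (currently commented-out) static-files location below;
# nothing active references "backcache".
proxy_cache_path /var/www/cache levels=1:2 keys_zone=backcache:8m max_size=1000m inactive=600m;
proxy_temp_path /var/www/cache/tmp;


# Port 80: never serve content, only redirect to the HTTPS host.
server {
    listen *:80;
    server_name identity.keycloak.tom;
    return 301 https://$server_name$request_uri;
}

server {

    listen *:443;
    server_name identity.keycloak.tom;

    # Set up SSL
    ssl on;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # Self-signed development certificate. Its private key is committed to this
    # repository, so neither file may be reused for a real host.
    ssl_certificate /etc/nginx/certs/identity.keycloak.tom.cert;
    ssl_certificate_key /etc/nginx/certs/identity.keycloak.tom.key;

    # Settings to avoid SSL warnings in browser
    # TLSv1 and TLSv1.1 are kept only for old clients; prefer "TLSv1.2" alone
    # unless something in your environment still needs them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
    ssl_prefer_server_ciphers on;
    # A single OpenSSL cipher list. The previous value, "HIGH:!aNULL:!MD5 or
    # HIGH:!aNULL:!MD5:!3DES", glued two candidates together with a literal "or",
    # which is not cipher-list syntax; the stricter candidate (3DES excluded) is
    # used here.
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    # No Strict-Transport-Security header on purpose: with a self-signed
    # certificate, HSTS would stop browsers from letting the user click through
    # the certificate warning described in README.MD.


    # Logging
    access_log /var/log/nginx/identity.access.log; # could also put these into 1 file
    error_log /var/log/nginx/identity.error.log;


    # Allow empty bodies
    # (0 disables the request-body size check entirely, not just for empty
    # bodies; Keycloak receives whatever size the client sends.)
    client_max_body_size 0;

    # Reverse proxy to Keycloak
    location / {

        proxy_pass http://keycloak;

        proxy_buffering off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Overwrite rather than append ($proxy_add_x_forwarded_for): nginx is the
        # only proxy in this deployment and Keycloak is configured
        # (proxy-address-forwarding in cli-scripts/default-webapp.cli) to take the
        # client address from this header, so a client-supplied X-Forwarded-For
        # must not be passed through.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_cookie_domain identity.keycloak.tom $host;
        proxy_pass_header X-XSRF-TOKEN;


        # untested, but taken from https://gist.github.com/nikmartin/5902176#file-nginx-ssl-conf-L25
        # and seems useful
        proxy_set_header X-NginX-Proxy true;
        proxy_read_timeout 5m;
        proxy_connect_timeout 5m;

        proxy_redirect off;

        # Static files
        # location ~* .+\.(ico|jpe?g|gif|css|js|flv|png|swf)$ {
        #     # http context
        #     proxy_cache backcache;
        #     proxy_buffering on;
        #     proxy_cache_min_uses 1;
        #     proxy_ignore_headers Cache-Control;
        #     proxy_cache_use_stale updating;
        #     #proxy_cache_key "$scheme$request_method$host$request_uri$is_args$args";
        #     proxy_cache_valid 200 302 60m;
        #     proxy_cache_valid 404 1m;
        #
        #     #rewrite ^(.*)$ /openid-connect-server-webapp$1 break;
        #     proxy_pass http://keycloak;
        # }
    }


}
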
--------------------------------------------------------------------------------
/keycloak-nginx/conf.d/upstream.conf:
--------------------------------------------------------------------------------
# Backend pool used by the HTTPS virtual host in default.conf. "keycloak" resolves
# to the keycloak-server container via the external_links alias in
# keycloak-nginx.yml; 8080 is that container's plain-HTTP listener. This hop is
# unencrypted, which is acceptable only while both containers sit on the same
# compose-managed network and 8080 is not published to untrusted networks.
upstream keycloak {
    server keycloak:8080;
    # ... add other IP:PORT combinations here if desired
}
5 |
--------------------------------------------------------------------------------
/keycloak-nginx/nginx.conf:
--------------------------------------------------------------------------------
# Main nginx configuration for the keycloak-nginx image (copied in by the
# Dockerfile). Per-host settings live in /etc/nginx/conf.d/*.conf, which is
# bind-mounted from ./keycloak-nginx/conf.d at run time.

# keep nginx in the foreground so it can run as the container's main process
daemon off;

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;


events {
    worker_connections 1024;
}


http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # "main" records the peer address as well as any X-Forwarded-For the client
    # itself sent, which is useful when reconstructing who reached Keycloak.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # global access log; conf.d/default.conf sets a per-host log as well
    access_log /var/log/nginx/access.log main;

    sendfile off;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    # pulls in default.conf (virtual hosts) and upstream.conf (backend pool)
    include /etc/nginx/conf.d/*.conf;
}
34 |
--------------------------------------------------------------------------------
/keycloak-postgres.yml:
--------------------------------------------------------------------------------
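# PostgreSQL backing store for Keycloak.
version: '2'
services:
  keycloak-postgresql:
    container_name: keycloak-postgresql
    image: postgres:9.5
    volumes:
      # SQL/shell files placed here run once at first initialisation. The
      # directory is not part of this repository; docker typically creates it
      # empty on the host.
      - ./keycloak-postgres-sql:/docker-entrypoint-initdb.d
    environment:
      - POSTGRES_DB=keycloak
      - POSTGRES_USER=keycloak
      # Development-only credential; keycloak-server.yml hard-codes the same
      # value, so change both together.
      - POSTGRES_PASSWORD=password
      # NOTE(review): not a variable the official postgres image documents, as
      # far as I know; kept for compatibility but expect it to be ignored.
      - POSTGRES_ROOT_PASSWORD=root_password
    ports:
      # Host-side access on 54320 for local tooling only. Bound to loopback so
      # the database (with the password above) is not reachable from other
      # machines; Keycloak talks to it over the compose network, not through
      # this mapping.
      - "127.0.0.1:54320:5432"
    restart: unless-stopped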
--------------------------------------------------------------------------------
/keycloak-server.yml:
--------------------------------------------------------------------------------
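# Keycloak server (PostgreSQL flavour of the jboss image).
version: '2'
services:
  keycloak-server:
    container_name: keycloak-server
    # NOTE: README.MD still says 2.4.0.Final; this tag is the one actually used.
    image: jboss/keycloak-postgres:2.5.0.Final
    external_links:
      - keycloak-postgresql:postgres
    environment:
      - POSTGRES_DATABASE=keycloak
      - POSTGRES_USER=keycloak
      # must match POSTGRES_PASSWORD in keycloak-postgres.yml
      - POSTGRES_PASSWORD=password
      #jboss is using legacy linking environment variables
      - POSTGRES_PORT_5432_TCP_ADDR=postgres
      - POSTGRES_PORT_5432_TCP_PORT=5432
    ports:
      # Plain-HTTP listener of the container, published on loopback only.
      # cli-scripts/default-webapp.cli enables proxy-address-forwarding, which
      # makes Keycloak trust X-Forwarded-For/X-Forwarded-Proto on this listener;
      # published on all interfaces, anyone could bypass the nginx TLS
      # terminator and forge those headers. nginx reaches the container over
      # the compose network (keycloak-nginx/conf.d/upstream.conf), so it does
      # not need this mapping.
      - "127.0.0.1:10090:8080"
    volumes:
      # initial admin account (credentials listed in README.MD); change or
      # remove it before exposing this instance beyond a dev machine
      - ./keycloak-server/user/keycloak-add-user.json:/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json
      - ./keycloak-server/cli-scripts:/cli-scripts
      - ./keycloak-server/drop-ins:/drop-ins
    restart: unless-stopped
  keycloak-postgresql:
    extends:
      file: keycloak-postgres.yml
      service: keycloak-postgresql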
--------------------------------------------------------------------------------
/keycloak-server/cli-scripts/add-corvus-registration.cli:
--------------------------------------------------------------------------------
# Registers the project-specific "registration-corvus" provider module next to
# the default classpath providers. write-attribute replaces the whole `providers`
# list rather than appending, so any provider registered elsewhere is dropped.
# The module presumably comes from ./keycloak-server/drop-ins — verify it is
# deployed before running this script.
/subsystem=keycloak-server/:write-attribute(name=providers,value=["classpath:${jboss.home.dir}/providers/*","module:hr.corvus.cps.keycloak.registration-corvus"])
--------------------------------------------------------------------------------
/keycloak-server/cli-scripts/add-corvus-theme.cli:
--------------------------------------------------------------------------------
# Points the default theme lookup at the "theme-corvus" module. As with the
# provider script, write-attribute replaces the whole `modules` list; the module
# presumably ships via ./keycloak-server/drop-ins — verify before running.
/subsystem=keycloak-server/theme=defaults/:write-attribute(name=modules,value=["hr.corvus.cps.keycloak.theme-corvus"])
--------------------------------------------------------------------------------
/keycloak-server/cli-scripts/default-webapp.cli:
--------------------------------------------------------------------------------
# Serves Keycloak at the root context and makes it proxy-aware (the two
# standalone.xml changes described in README.MD, "Modifications on Keycloak
# configuration").

# keycloak-server.war becomes the default web module of the default host.
/subsystem=undertow/server=default-server/host=default-host/:write-attribute(name=default-web-module,value=keycloak-server.war)
# Take client address and scheme from X-Forwarded-For / X-Forwarded-Proto. The
# listener then believes whatever the sender puts in those headers, so port
# 8080 must be reachable only from the nginx proxy (see the ports mapping in
# keycloak-server.yml and the X-Forwarded-For handling in
# keycloak-nginx/conf.d/default.conf).
/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=proxy-address-forwarding,value=true)
# Drop the stock "/" location handler so the default web module answers at /.
/subsystem=undertow/server=default-server/host=default-host/location=\//:undefine-attribute(name=handler)
--------------------------------------------------------------------------------
/keycloak-server/drop-ins/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/trajakovic/keycloak-docker-compose/da1b67bd9cd573b3ed32f1da2820dc19746567cb/keycloak-server/drop-ins/.gitkeep
--------------------------------------------------------------------------------
/keycloak-server/user/keycloak-add-user.json:
--------------------------------------------------------------------------------
1 | [ {
2 | "realm" : "master",
3 | "users" : [ {
4 | "username" : "admin",
5 | "enabled" : true,
6 | "credentials" : [ {
7 | "type" : "password",
8 | "hashedSaltedValue" : "LGh8qJfjBAU5Se4DicHuookjkHCr9fSO6H1P+OX9hwiztHU59Rn+XRsqZ79SfKcd2nWYZ3c2B78d38Eiyvfl0g==",
9 | "salt" : "4jFIVfCG7r0cb6/Dg2npMw==",
10 | "hashIterations" : 100000,
11 | "algorithm" : "pbkdf2"
12 | } ],
13 | "realmRoles" : [ "admin" ]
14 | } ]
15 | } ]
--------------------------------------------------------------------------------