modified: serv_nginx/docker-compose.yml
new file: serv_nginx/keycloak/.env.keycloak new file: serv_nginx/keycloak/realm-config/setup-realm.json modified: serv_nginx/nginx/nginx-ssl.conf revert to old setting in nginx
@@ -164,38 +164,39 @@ services:
|
||||
dockerfile: Dockerfile
|
||||
container_name: keycloak
|
||||
restart: unless-stopped
|
||||
env_file: ./keycloak/.env.keycloak
|
||||
environment:
|
||||
# Database configuration
|
||||
KC_DB: postgres
|
||||
KC_DB_URL: jdbc:postgresql://keycloak-db:5432/keycloak
|
||||
KC_DB_USERNAME: keycloak
|
||||
KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD:-keycloak}
|
||||
|
||||
|
||||
# Admin credentials
|
||||
KEYCLOAK_ADMIN: admin
|
||||
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
|
||||
|
||||
|
||||
# HTTP configuration
|
||||
KC_HTTP_ENABLED: true
|
||||
KC_HTTP_PORT: 8080
|
||||
KC_HTTP_RELATIVE_PATH: /auth
|
||||
|
||||
|
||||
# Hostname configuration
|
||||
KC_HOSTNAME: https://yalarba.ru
|
||||
KC_HOSTNAME_PATH: /auth
|
||||
KC_HOSTNAME_STRICT: true
|
||||
KC_HOSTNAME_STRICT_HTTPS: true
|
||||
KC_HOSTNAME_STRICT_BACKCHANNEL: false
|
||||
|
||||
|
||||
# Proxy configuration
|
||||
KC_PROXY: reencrypt
|
||||
|
||||
|
||||
# Health checks
|
||||
KC_HEALTH_ENABLED: true
|
||||
|
||||
|
||||
# Features
|
||||
KC_FEATURES: token-exchange,admin-fine-grained-authz
|
||||
|
||||
|
||||
# Java options
|
||||
JAVA_OPTS: "-Xms512m -Xmx1024m -Djava.net.preferIPv4Stack=true"
|
||||
volumes:
|
||||
@@ -211,6 +212,7 @@ services:
|
||||
image: postgres:15-alpine
|
||||
container_name: keycloak-db
|
||||
restart: unless-stopped
|
||||
env_file: ./keycloak/.env.keycloak
|
||||
environment:
|
||||
POSTGRES_DB: keycloak
|
||||
POSTGRES_USER: keycloak
|
||||
|
||||
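Review bot: `KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD:-keycloak}` and `KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}` in the keycloak service are interpolated by Compose from the host shell or the project-level `.env`, not from the service's `env_file: ./keycloak/.env.keycloak`, so on a host that exports neither variable the identity provider boots with admin password `admin` and DB password `keycloak`. If keycloak-db takes `POSTGRES_PASSWORD=keycloak123` from that env file rather than from a matching substitution outside this hunk, the two containers will also disagree on the DB password. Use the required form so a missing secret fails the deploy instead of silently weakening it: `KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD:?set KEYCLOAK_DB_PASSWORD}` and `KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:?set KEYCLOAK_ADMIN_PASSWORD}`. The shared env_file also injects the database credentials and the legacy `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` pair into the Keycloak container, which it does not need; Compose additionally expects environment values as strings, so quote `KC_HTTP_ENABLED: "true"` and the other bare booleans.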
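--- /dev/null
+++ b/serv_nginx/keycloak/.env.keycloak
@@ -0,0 +1,22 @@
+# Keycloak
+KEYCLOAK_VERSION=24.0.4
+KEYCLOAK_USER=admin
+KEYCLOAK_PASSWORD=admin123
+KEYCLOAK_DB_USER=keycloak
+KEYCLOAK_DB_PASSWORD=keycloak123
+KEYCLOAK_DB_NAME=keycloak
+
+# Database
+POSTGRES_VERSION=15
+POSTGRES_DB=keycloak
+POSTGRES_USER=keycloak
+POSTGRES_PASSWORD=keycloak123
+
+# Domains
+KEYCLOAK_FRONTEND_URL=https://auth.yalarba.ru
+DOMAIN_YALARBA=yalarba.ru
+DOMAIN_BEGUSHIYBASHKIR=begushiybashkir.ru
+
+# Internal
+KEYCLOAK_HTTP_PORT=8080
+KEYCLOAK_INTERNAL_PORT=8080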
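Review bot: This file commits live credentials in plaintext (`KEYCLOAK_PASSWORD=admin123`, `KEYCLOAK_DB_PASSWORD=keycloak123`, `POSTGRES_PASSWORD=keycloak123`), and they are now in git history for the identity provider fronting both public domains. Rotate them, add `.env.keycloak` to `.gitignore`, and commit a `.env.keycloak.example` with placeholder values instead. `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` and `KEYCLOAK_FRONTEND_URL` appear to be the legacy pre-Quarkus image variable names; the Keycloak 24 image configured in the compose file reads `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD` and `KC_HOSTNAME`, so these values are unlikely to take effect — confirm against the image docs. `KEYCLOAK_DB_PASSWORD` here is also not consulted by Compose's `${KEYCLOAK_DB_PASSWORD:-…}` interpolation, which reads the project-level `.env` rather than a service `env_file`, so the compose fallback of `keycloak` is what the Keycloak container actually gets unless the host exports the variable.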
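--- /dev/null
+++ b/serv_nginx/keycloak/realm-config/setup-realm.json
@@ -0,0 +1,112 @@
+{
+"id": "master",
+"realm": "master",
+"displayName": "Yalarba & Begushiybashkir",
+"displayNameHtml": "<div class=\"kc-logo-text\"><span>Yalarba Auth</span></div>",
+"enabled": true,
+"sslRequired": "external",
+"registrationAllowed": false,
+"loginWithEmailAllowed": true,
+"duplicateEmailsAllowed": false,
+"resetPasswordAllowed": true,
+"editUsernameAllowed": false,
+"bruteForceProtected": true,
+"permanentLockout": false,
+"maxFailureWaitSeconds": 900,
+"minimumQuickLoginWaitSeconds": 60,
+"waitIncrementSeconds": 60,
+"quickLoginCheckMilliSeconds": 1000,
+"maxDeltaTimeSeconds": 43200,
+"failureFactor": 5,
+
+"clients": [
+{
+"clientId": "yalarba-web",
+"name": "Yalarba.ru Web Application",
+"description": "Web application for yalarba.ru",
+"enabled": true,
+"protocol": "openid-connect",
+"publicClient": true,
+"standardFlowEnabled": true,
+"implicitFlowEnabled": false,
+"directAccessGrantsEnabled": false,
+"rootUrl": "https://yalarba.ru",
+"baseUrl": "https://yalarba.ru",
+"redirectUris": [
+"https://yalarba.ru/*",
+"https://www.yalarba.ru/*"
+],
+"webOrigins": [
+"https://yalarba.ru",
+"https://www.yalarba.ru"
+],
+"attributes": {
+"oauth2.device.authorization.grant.enabled": "false",
+"backchannel.logout.revoke.offline_tokens": "false"
+}
+},
+{
+"clientId": "begushiybashkir-web",
+"name": "Begushiybashkir.ru Web Application",
+"description": "Web application for begushiybashkir.ru",
+"enabled": true,
+"protocol": "openid-connect",
+"publicClient": true,
+"standardFlowEnabled": true,
+"implicitFlowEnabled": false,
+"directAccessGrantsEnabled": false,
+"rootUrl": "https://begushiybashkir.ru",
+"baseUrl": "https://begushiybashkir.ru",
+"redirectUris": [
+"https://begushiybashkir.ru/*",
+"https://www.begushiybashkir.ru/*"
+],
+"webOrigins": [
+"https://begushiybashkir.ru",
+"https://www.begushiybashkir.ru"
+],
+"attributes": {
+"oauth2.device.authorization.grant.enabled": "false",
+"backchannel.logout.revoke.offline_tokens": "false"
+}
+},
+{
+"clientId": "admin-cli",
+"name": "${client_admin-cli}",
+"enabled": true,
+"protocol": "openid-connect",
+"publicClient": false,
+"standardFlowEnabled": false,
+"implicitFlowEnabled": false,
+"directAccessGrantsEnabled": true,
+"serviceAccountsEnabled": true
+}
+],
+
+"users": [
+{
+"username": "superadmin",
+"email": "admin@yalarba.ru",
+"firstName": "Super",
+"lastName": "Admin",
+"enabled": true,
+"emailVerified": true,
+"credentials": [
+{
+"type": "password",
+"value": "SuperAdmin123!",
+"temporary": false
+}
+],
+"realmRoles": [
+"admin",
+"default-role-master"
+],
+"clientRoles": {
+"realm-management": [
+"realm-admin"
+]
+}
+}
+]
+}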
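Review bot: The import seeds the `master` realm with a `superadmin` user whose password `SuperAdmin123!` is committed in plaintext with `"temporary": false`, the `admin` realm role and `realm-admin` on `realm-management` — a permanent, repo-visible super-user on the realm that governs every other realm. Remove that `users` entry (or at minimum set `"temporary": true` and inject the value at deploy time) and rotate the password; Keycloak's guidance is to keep `master` for administrators only, so `yalarba-web` and `begushiybashkir-web` belong in a dedicated application realm rather than next to the admin clients. Both web clients are public (`"publicClient": true`) with the authorization-code flow enabled but nothing forcing PKCE, so add `"pkce.code.challenge.method": "S256"` to each client's `attributes`. Redefining `admin-cli` as a confidential client with `serviceAccountsEnabled` and password grants creates a machine identity in `master` whose secret and role assignment are not visible here — confirm that is intended. The `/*` suffix wildcards in `redirectUris` accept any path on those hosts; tighten them to the actual callback route(s) if the apps have a fixed one.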
@@ -1,16 +1,3 @@
|
||||
# Upstreams
|
||||
upstream keycloak_backend {
|
||||
server keycloak:8080;
|
||||
}
|
||||
|
||||
upstream api_backend {
|
||||
server api:8080;
|
||||
}
|
||||
|
||||
upstream api_bb_backend {
|
||||
server api_bb:8080;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name yalarba.ru www.yalarba.ru valitovgaziz.ru www.valitovgaziz.ru easysite102.ru www.easysite102.ru begushiybashkir.ru xn--80abahjtcfl5d0a8di.xn--p1ai;
|
||||
@@ -49,31 +36,6 @@ server {
|
||||
index index.html;
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
|
||||
# Keycloak integration - исправленная конфигурация
|
||||
location /auth/ {
|
||||
proxy_pass http://keycloak_backend;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Port $server_port;
|
||||
|
||||
# Убрать trailing slash в proxy_pass
|
||||
proxy_pass http://keycloak_backend;
|
||||
|
||||
# Важные настройки для Keycloak
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 4 256k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
|
||||
# Таймауты
|
||||
proxy_connect_timeout 30s;
|
||||
proxy_send_timeout 30s;
|
||||
proxy_read_timeout 30s;
|
||||
}
|
||||
|
||||
# REST API
|
||||
location /api/ {
|
||||
proxy_pass http://api_backend/;
|
||||
@@ -141,6 +103,25 @@ server {
|
||||
index index.html;
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
|
||||
location /api/ {
|
||||
proxy_pass http://api_bb_backend/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Port $server_port;
|
||||
proxy_connect_timeout 600;
|
||||
proxy_send_timeout 600;
|
||||
proxy_read_timeout 600;
|
||||
}
|
||||
|
||||
location /uploads/ {
|
||||
alias /uploads/;
|
||||
expires 1y;
|
||||
add_header Cache-Control "public, immutable";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
|
||||
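Review bot: The new `location /api/` block's `proxy_pass http://api_bb_backend/;` (and the retained `proxy_pass http://api_backend/;`) names an upstream, but the first hunk's 16→3 line count implies the `upstream api_backend`/`api_bb_backend` blocks are exactly the lines being removed; with no `upstream` of that name nginx resolves `api_bb_backend` as a hostname at load time and `nginx -t` fails with "host not found in upstream" unless another included file still defines them. Either keep the `upstream` blocks or point at the service directly, e.g. `proxy_pass http://api_bb:8080/;`. In `location /uploads/`, `add_header Cache-Control "public, immutable"` replaces rather than extends any `add_header` set at the `server` level, so security headers configured there stop applying to this path and should be repeated here. If `/uploads/` holds user-supplied files, also add `add_header X-Content-Type-Options nosniff;` and consider `add_header Content-Disposition attachment;` for non-image types so an uploaded HTML or SVG cannot execute in the site's origin. The enclosing `server` block for this hunk starts outside it, so its `server_name` is not visible here.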