modified: serv_nginx/.env
modified: serv_nginx/nginx/Dockerfile modified: serv_nginx/nginx/nginx-ssl.conf add new config new Dockerfile and nginx conf
This commit is contained in:
+3
-2
@@ -6,7 +6,8 @@ DOMAINS_valitovgaziz=valitovgaziz.ru,www.valitovgaziz.ru
|
||||
DOMAINS_easysite102=easysite102.ru,www.easysite102.ru
|
||||
DOMAINS_begushiybashkir=xn--80abahjtcfl5d0a8di.xn--p1ai,www.xn--80abahjtcfl5d0a8di.xn--p1ai
|
||||
DOMAINS_begushiybashkir_latin=begushiybashkir.ru,www.begushiybashkir.ru
|
||||
ALL_DOMAINS=yalarba.ru,www.yalarba.ru,valitovgaziz.ru,www.valitovgaziz.ru,easysite102.ru,www.easysite102.ru,begushiybashkir.ru,www.begushiybashkir.ru,xn--80abahjtcfl5d0a8di.xn--p1ai,www.xn--80abahjtcfl5d0a8di.xn--p1ai,auth.yalarba.ru
|
||||
ALL_DOMAINS=yalarba.ru,www.yalarba.ru,valitovgaziz.ru,www.valitovgaziz.ru,easysite102.ru,www.easysite102.ru,begushiybashkir.ru,www.begushiybashkir.ru,xn--80abahjtcfl5d0a8di.xn--p1ai,www.xn--80abahjtcfl5d0a8di.xn--p1ai
|
||||
|
||||
# keycloak
|
||||
KEYCLOAK_ADMIN_PASSWORD=your_secure_admin_password
|
||||
KEYCLOAK_ADMIN_PASSWORD=your_secure_password
|
||||
KEYCLOAK_DB_PASSWORD=your_secure_db_password
|
||||
+33
-21
@@ -1,28 +1,40 @@
|
||||
FROM nginx:alpine
|
||||
FROM quay.io/keycloak/keycloak:22.0.0 as builder
|
||||
|
||||
# Установка зависимостей
|
||||
RUN apk add --no-cache bash openssl
|
||||
# Enable health and metrics support
|
||||
ENV KC_HEALTH_ENABLED=true
|
||||
ENV KC_METRICS_ENABLED=true
|
||||
|
||||
# Создание директории для сертификатов
|
||||
RUN mkdir -p /etc/nginx/ssl
|
||||
# Configure a database vendor
|
||||
ENV KC_DB=postgres
|
||||
|
||||
# Генерация самоподписанных сертификатов (действительны 365 дней)
|
||||
RUN openssl req -x509 -nodes -days 365 \
|
||||
-newkey rsa:2048 \
|
||||
-keyout /etc/nginx/ssl/dummy.key \
|
||||
-out /etc/nginx/ssl/dummy.crt \
|
||||
-subj "/C=US/ST=State/L=City/O=Organization/CN=localhost"
|
||||
WORKDIR /opt/keycloak
|
||||
|
||||
# Копируем обе конфигурации
|
||||
COPY nginx-http.conf /etc/nginx/nginx-http.conf
|
||||
COPY nginx-ssl.conf /etc/nginx/nginx-ssl.conf
|
||||
# For demonstration purposes, please consider using proper certificates in production instead
|
||||
RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
|
||||
|
||||
# Создаем симлинк по умолчанию на HTTP конфиг
|
||||
RUN ln -sf /etc/nginx/nginx-http.conf /etc/nginx/conf.d/default.conf
|
||||
RUN /opt/keycloak/bin/kc.sh build
|
||||
|
||||
# Скрипт для проверки сертификатов и переключения конфига
|
||||
COPY switch-config.sh /docker-entrypoint.d/switch-config.sh
|
||||
RUN chmod +x /docker-entrypoint.d/switch-config.sh
|
||||
FROM quay.io/keycloak/keycloak:22.0.0
|
||||
COPY --from=builder /opt/keycloak/ /opt/keycloak/
|
||||
|
||||
# Создаем необходимые директории
|
||||
RUN mkdir -p /var/www/certbot
|
||||
# Change these values to point to a running postgres instance
|
||||
ENV KC_DB=postgres
|
||||
ENV KC_DB_URL_HOST=keycloak-db
|
||||
ENV KC_DB_URL_PORT=5432
|
||||
ENV KC_DB_URL_DATABASE=keycloak
|
||||
ENV KC_DB_USERNAME=keycloak
|
||||
ENV KC_DB_PASSWORD=keycloak
|
||||
|
||||
ENV KC_HOSTNAME=yalarba.ru
|
||||
ENV KC_HOSTNAME_STRICT=true
|
||||
ENV KC_HOSTNAME_STRICT_HTTPS=true
|
||||
ENV KC_HOSTNAME_PATH=/auth
|
||||
ENV KC_HTTP_ENABLED=true
|
||||
ENV KC_HTTP_PORT=8080
|
||||
ENV KC_HTTP_RELATIVE_PATH=/auth
|
||||
ENV KC_PROXY=edge
|
||||
|
||||
ENV KEYCLOAK_ADMIN=admin
|
||||
ENV KEYCLOAK_ADMIN_PASSWORD=admin
|
||||
|
||||
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
|
||||
@@ -22,7 +22,7 @@ server {
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
# ✅ Добавляем uploads и в HTTP редирект
|
||||
|
||||
location /uploads/ {
|
||||
alias /uploads/;
|
||||
expires 1y;
|
||||
@@ -33,7 +33,6 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
|
||||
listen 443 ssl;
|
||||
server_name yalarba.ru www.yalarba.ru;
|
||||
|
||||
@@ -51,9 +50,30 @@ server {
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
|
||||
# New location for REST API
|
||||
# Keycloak integration - исправленная конфигурация
|
||||
location /auth/ {
|
||||
proxy_pass http://keycloak_backend/auth/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Port $server_port;
|
||||
|
||||
# Важные настройки для Keycloak
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 4 256k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
|
||||
# Таймауты
|
||||
proxy_connect_timeout 30s;
|
||||
proxy_send_timeout 30s;
|
||||
proxy_read_timeout 30s;
|
||||
}
|
||||
|
||||
# REST API
|
||||
location /api/ {
|
||||
proxy_pass http://api/;
|
||||
proxy_pass http://api_backend/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
@@ -63,21 +83,9 @@ server {
|
||||
proxy_send_timeout 600;
|
||||
proxy_read_timeout 600;
|
||||
}
|
||||
|
||||
# Keycloak integration
|
||||
location /auth/ {
|
||||
proxy_pass http://keycloak/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
# Остальные server блоки остаются без изменений...
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name valitovgaziz.ru www.valitovgaziz.ru;
|
||||
@@ -85,7 +93,6 @@ server {
|
||||
ssl_certificate /etc/letsencrypt/live/valitovgaziz.ru/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/valitovgaziz.ru/privkey.pem;
|
||||
|
||||
# Additional SSL settings
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
@@ -104,7 +111,6 @@ server {
|
||||
ssl_certificate /etc/letsencrypt/live/easysite102.ru/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/easysite102.ru/privkey.pem;
|
||||
|
||||
# Additional SSL settings
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
@@ -116,7 +122,6 @@ server {
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name xn--80abahjtcfl5d0a8di.xn--p1ai www.xn--80abahjtcfl5d0a8di.xn--p1ai;
|
||||
@@ -124,7 +129,6 @@ server {
|
||||
ssl_certificate /etc/letsencrypt/live/xn--80abahjtcfl5d0a8di.xn--p1ai/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/xn--80abahjtcfl5d0a8di.xn--p1ai/privkey.pem;
|
||||
|
||||
# Additional SSL settings
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
@@ -143,7 +147,6 @@ server {
|
||||
ssl_certificate /etc/letsencrypt/live/begushiybashkir.ru/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/begushiybashkir.ru/privkey.pem;
|
||||
|
||||
# Additional SSL settings
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
@@ -154,9 +157,8 @@ server {
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
|
||||
# New location for REST API
|
||||
location /api/ {
|
||||
proxy_pass http://api_bb/;
|
||||
proxy_pass http://api_bb_backend/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
@@ -172,5 +174,4 @@ server {
|
||||
expires 1y;
|
||||
add_header Cache-Control "public, immutable";
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user