From de988a3d02fa2e28923e8254d7815977ac378950 Mon Sep 17 00:00:00 2001 From: valitovgaziz Date: Tue, 21 Oct 2025 06:23:46 +0500 Subject: [PATCH] modified: serv_nginx/.env modified: serv_nginx/nginx/Dockerfile modified: serv_nginx/nginx/nginx-ssl.conf add new config new Dockerfile and nginx conf --- serv_nginx/.env | 5 +-- serv_nginx/nginx/Dockerfile | 54 ++++++++++++++++++++------------- serv_nginx/nginx/nginx-ssl.conf | 53 ++++++++++++++++---------------- 3 files changed, 63 insertions(+), 49 deletions(-) diff --git a/serv_nginx/.env b/serv_nginx/.env index d141fc3..6386a8c 100644 --- a/serv_nginx/.env +++ b/serv_nginx/.env @@ -6,7 +6,8 @@ DOMAINS_valitovgaziz=valitovgaziz.ru,www.valitovgaziz.ru DOMAINS_easysite102=easysite102.ru,www.easysite102.ru DOMAINS_begushiybashkir=xn--80abahjtcfl5d0a8di.xn--p1ai,www.xn--80abahjtcfl5d0a8di.xn--p1ai DOMAINS_begushiybashkir_latin=begushiybashkir.ru,www.begushiybashkir.ru -ALL_DOMAINS=yalarba.ru,www.yalarba.ru,valitovgaziz.ru,www.valitovgaziz.ru,easysite102.ru,www.easysite102.ru,begushiybashkir.ru,www.begushiybashkir.ru,xn--80abahjtcfl5d0a8di.xn--p1ai,www.xn--80abahjtcfl5d0a8di.xn--p1ai,auth.yalarba.ru +ALL_DOMAINS=yalarba.ru,www.yalarba.ru,valitovgaziz.ru,www.valitovgaziz.ru,easysite102.ru,www.easysite102.ru,begushiybashkir.ru,www.begushiybashkir.ru,xn--80abahjtcfl5d0a8di.xn--p1ai,www.xn--80abahjtcfl5d0a8di.xn--p1ai + # keycloak -KEYCLOAK_ADMIN_PASSWORD=your_secure_admin_password +KEYCLOAK_ADMIN_PASSWORD=your_secure_password KEYCLOAK_DB_PASSWORD=your_secure_db_password \ No newline at end of file diff --git a/serv_nginx/nginx/Dockerfile b/serv_nginx/nginx/Dockerfile index debd912..f5c0067 100644 --- a/serv_nginx/nginx/Dockerfile +++ b/serv_nginx/nginx/Dockerfile @@ -1,28 +1,40 @@ -FROM nginx:alpine +FROM quay.io/keycloak/keycloak:22.0.0 as builder -# Установка зависимостей -RUN apk add --no-cache bash openssl +# Enable health and metrics support +ENV KC_HEALTH_ENABLED=true +ENV KC_METRICS_ENABLED=true -# Создание директории для сертификатов -RUN mkdir -p /etc/nginx/ssl +# Configure a database vendor +ENV KC_DB=postgres -# Генерация самоподписанных сертификатов (действительны 365 дней) -RUN openssl req -x509 -nodes -days 365 \ - -newkey rsa:2048 \ - -keyout /etc/nginx/ssl/dummy.key \ - -out /etc/nginx/ssl/dummy.crt \ - -subj "/C=US/ST=State/L=City/O=Organization/CN=localhost" +WORKDIR /opt/keycloak -# Копируем обе конфигурации -COPY nginx-http.conf /etc/nginx/nginx-http.conf -COPY nginx-ssl.conf /etc/nginx/nginx-ssl.conf +# For demonstration purposes, please consider using proper certificates in production instead +RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore -# Создаем симлинк по умолчанию на HTTP конфиг -RUN ln -sf /etc/nginx/nginx-http.conf /etc/nginx/conf.d/default.conf +RUN /opt/keycloak/bin/kc.sh build -# Скрипт для проверки сертификатов и переключения конфига -COPY switch-config.sh /docker-entrypoint.d/switch-config.sh -RUN chmod +x /docker-entrypoint.d/switch-config.sh +FROM quay.io/keycloak/keycloak:22.0.0 +COPY --from=builder /opt/keycloak/ /opt/keycloak/ -# Создаем необходимые директории -RUN mkdir -p /var/www/certbot \ No newline at end of file +# Change these values to point to a running postgres instance +ENV KC_DB=postgres +ENV KC_DB_URL_HOST=keycloak-db +ENV KC_DB_URL_PORT=5432 +ENV KC_DB_URL_DATABASE=keycloak +ENV KC_DB_USERNAME=keycloak +ENV KC_DB_PASSWORD=keycloak + +ENV KC_HOSTNAME=yalarba.ru +ENV KC_HOSTNAME_STRICT=true +ENV KC_HOSTNAME_STRICT_HTTPS=true +ENV KC_HOSTNAME_PATH=/auth +ENV KC_HTTP_ENABLED=true +ENV KC_HTTP_PORT=8080 +ENV KC_HTTP_RELATIVE_PATH=/auth +ENV KC_PROXY=edge + +ENV KEYCLOAK_ADMIN=admin +ENV KEYCLOAK_ADMIN_PASSWORD=admin + +ENTRYPOINT ["/opt/keycloak/bin/kc.sh"] \ No newline at end of file diff --git a/serv_nginx/nginx/nginx-ssl.conf b/serv_nginx/nginx/nginx-ssl.conf index 01617a5..5649c8e 100644 --- a/serv_nginx/nginx/nginx-ssl.conf +++ b/serv_nginx/nginx/nginx-ssl.conf @@ -22,7 +22,7 @@ server { location / { return 301 https://$host$request_uri; } - # ✅ Добавляем uploads и в HTTP редирект + location /uploads/ { alias /uploads/; expires 1y; @@ -33,7 +33,6 @@ server { } server { - listen 443 ssl; server_name yalarba.ru www.yalarba.ru; @@ -51,9 +50,30 @@ server { try_files $uri $uri/ /index.html; } - # New location for REST API + # Keycloak integration - исправленная конфигурация + location /auth/ { + proxy_pass http://keycloak_backend/auth/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + + # Важные настройки для Keycloak + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + + # Таймауты + proxy_connect_timeout 30s; + proxy_send_timeout 30s; + proxy_read_timeout 30s; + } + + # REST API location /api/ { - proxy_pass http://api/; + proxy_pass http://api_backend/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -63,21 +83,9 @@ server { proxy_send_timeout 600; proxy_read_timeout 600; } - - # Keycloak integration - location /auth/ { - proxy_pass http://keycloak/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - } - - } - +# Остальные server блоки остаются без изменений... server { listen 443 ssl; server_name valitovgaziz.ru www.valitovgaziz.ru; @@ -85,7 +93,6 @@ server { ssl_certificate /etc/letsencrypt/live/valitovgaziz.ru/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/valitovgaziz.ru/privkey.pem; - # Additional SSL settings ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; @@ -104,7 +111,6 @@ server { ssl_certificate /etc/letsencrypt/live/easysite102.ru/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/easysite102.ru/privkey.pem; - # Additional SSL settings ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; @@ -116,7 +122,6 @@ server { } } - server { listen 443 ssl; server_name xn--80abahjtcfl5d0a8di.xn--p1ai www.xn--80abahjtcfl5d0a8di.xn--p1ai; @@ -124,7 +129,6 @@ server { ssl_certificate /etc/letsencrypt/live/xn--80abahjtcfl5d0a8di.xn--p1ai/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/xn--80abahjtcfl5d0a8di.xn--p1ai/privkey.pem; - # Additional SSL settings ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; @@ -143,7 +147,6 @@ server { ssl_certificate /etc/letsencrypt/live/begushiybashkir.ru/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/begushiybashkir.ru/privkey.pem; - # Additional SSL settings ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; @@ -154,9 +157,8 @@ server { try_files $uri $uri/ /index.html; } - # New location for REST API location /api/ { - proxy_pass http://api_bb/; + proxy_pass http://api_bb_backend/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -172,5 +174,4 @@ server { expires 1y; add_header Cache-Control "public, immutable"; } - -} +} \ No newline at end of file