Setting Up Keycloak Linux Server
Here are all the steps needed to set up a Keycloak Ubuntu server from scratch.
See the Keycloak download page for current versions and downloads.
Installing Java
sudo apt-get install default-jdk -y
Installing Keycloak
cd ~
wget https://github.com/keycloak/keycloak/releases/download/23.0.3/keycloak-23.0.3.tar.gz
tar -xvzf keycloak-23.0.3.tar.gz
sudo mv keycloak-23.0.3 /opt/keycloak
sudo groupadd keycloak
sudo useradd -r -g keycloak -d /opt/keycloak -s /sbin/nologin keycloak
sudo chown -R keycloak: /opt/keycloak
sudo chmod o+x /opt/keycloak/bin/
Installing nginx
sudo apt install nginx
Configuring Keycloak (note: the DB password has been removed and must be filled in):
sudo vi /opt/keycloak/conf/keycloak.conf
# Basic settings for running in production. Change accordingly before deploying the server.

# Database

# The database vendor.
db=mssql

# The username of the database user.
db-username=keycloakuser

# The password of the database user.
db-password=*******************

# The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.
# Note: trustServerCertificate=true skips validation of the SQL Server's TLS certificate.
db-url=jdbc:sqlserver://dotnet.linux.lead.nl;trustServerCertificate=true

# Observability

# If the server should expose healthcheck endpoints.
health-enabled=true

# If the server should expose metrics endpoints.
#metrics-enabled=true

# The proxy address forwarding mode if the server is behind a reverse proxy.
proxy=edge

# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
#spi-sticky-session-encoder-infinispan-should-attach-route=false

http-port=8080

# Hostname for the Keycloak server.
hostname=identity.lead.nl

transaction-xa-enabled=false
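Added example (not from this page or from Keycloak itself): a small POSIX sh lint that checks a keycloak.conf for the points that matter in this setup before the service is started: a still-redacted DB password, a JDBC URL that skips certificate validation, a missing hostname or proxy mode, and a config file that is world-readable although it holds the DB password. The sample config it writes is a constructed copy of the one above; the key proxy-headers= is accepted as the newer alternative to proxy=edge.

```shell
#!/bin/sh
# Added example, not part of the original page or of Keycloak: lint a keycloak.conf before starting.
# check_keycloak_conf FILE: prints each finding, returns the number of findings (0 = clean).
check_keycloak_conf() {
  conf="$1"
  findings=0
  # Drop comments and blank lines so that "#metrics-enabled=true" is not read as a setting.
  active=$(grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$')
  # 1. The page ships the DB password redacted; a placeholder must not reach production.
  pw=$(printf '%s\n' "$active" | sed -n 's/^db-password=//p')
  case "$pw" in
    ''|\**) echo "db-password is missing or still a placeholder"; findings=$((findings+1)) ;;
  esac
  # 2. trustServerCertificate=true turns off validation of the SQL Server TLS certificate.
  if printf '%s\n' "$active" | grep -q 'trustServerCertificate=true'; then
    echo "db-url disables server certificate validation (trustServerCertificate=true)"
    findings=$((findings+1))
  fi
  # 3. Behind nginx the server must know its public name, or issued URLs point at localhost.
  printf '%s\n' "$active" | grep -q '^hostname=' || {
    echo "hostname is not set"; findings=$((findings+1)); }
  # 4. A proxy mode must be declared (proxy=edge, or proxy-headers=... in newer releases),
  #    otherwise the X-Forwarded-* headers nginx sends are ignored.
  printf '%s\n' "$active" | grep -Eq '^(proxy|proxy-headers)=' || {
    echo "no proxy mode configured"; findings=$((findings+1)); }
  # 5. The file holds the DB password, so it must not be world-readable.
  if [ -n "$(find "$conf" -perm -004)" ]; then
    echo "$conf is world-readable; use chmod 640 and owner keycloak"
    findings=$((findings+1))
  fi
  return "$findings"
}

# write_sample_conf FILE: a constructed copy of the page's keycloak.conf, password still redacted.
write_sample_conf() {
  cat > "$1" <<'EOF'
db=mssql
db-username=keycloakuser
db-password=*******************
db-url=jdbc:sqlserver://dotnet.linux.lead.nl;trustServerCertificate=true
#metrics-enabled=true
proxy=edge
hostname=identity.lead.nl
EOF
  chmod 644 "$1"   # deliberately too permissive, so the lint reports it
}
```

Run as `check_keycloak_conf /opt/keycloak/conf/keycloak.conf`; on the sample above it reports three findings.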
Configuring nginx
sudo vi /etc/nginx/conf.d/keycloak.conf
server {
    if ($host = identity.lead.nl) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name identity.lead.nl;
    return 301 https://$host$request_uri; # Redirect all HTTP to HTTPS
}

server {
    # SSL configuration
    listen 443 ssl http2;
    server_name identity.lead.nl;
    ssl_certificate /etc/letsencrypt/live/identity.lead.nl/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/identity.lead.nl/privkey.pem; # managed by Certbot

    location / {
        proxy_pass http://localhost:8080; # Adjust if Keycloak is on a different server
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Automatic startup
nginx
sudo systemctl enable nginx
sudo systemctl start nginx
Keycloak
(CHANGE SINCE V25: '--proxy-headers xforwarded' is required after the start command when running behind a reverse proxy.)
sudo nano /etc/systemd/system/keycloak.service
[Unit]
Description=Keycloak Server
After=network.target

[Service]
ExecStart=/opt/keycloak/bin/kc.sh start --proxy-headers xforwarded
User=keycloak
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable keycloak
sudo systemctl start keycloak
First-time password
When Keycloak is started for the first time, the admin password must be set.
Normally this is done via localhost, but without a GUI that is not possible.
By running a small script you can start Keycloak with an admin password you define yourself:
If Keycloak has not yet been started via the daemon, the systemctl commands can be left out.
export KEYCLOAK_ADMIN=<username>
export KEYCLOAK_ADMIN_PASSWORD=<password>
sudo systemctl disable keycloak
sudo systemctl stop keycloak
/opt/keycloak/bin/kc.sh start-dev
Once everything works, enable and start the service again:
sudo systemctl enable keycloak
sudo systemctl start keycloak
- Last Author
- hans
- Last Edited
- Oct 25 2024, 12:10 PM