config: keycloack TLS ingesteld

2025-04-07 19:15:39 +02:00 · 2025-04-07 19:15:39 +02:00 · 1bfb78a889
commit 1bfb78a889
parent dbc1da741c
1 changed files with 6 additions and 2 deletions
--- a/compose.production.yml
+++ b/compose.production.yml
@ -47,21 +47,25 @@ services:
            file: ./compose.yml
            service: idp
        # TODO Replace with proper production command
-        command: ['start-dev', '--http-port', '7080', '--https-port', '7443', '--import-realm']
+        command: ['start', '--http-port', '7080', '--https-port', '7443', '--import-realm']
        networks:
            - dwengo-1
        labels:
            - 'traefik.enable=true'
            - 'traefik.http.routers.idp.rule=PathPrefix(`/idp`)'
            - 'traefik.http.services.idp.loadbalancer.server.port=7080'
+            - "traefik.tcp.routers.idp.tls.passthrough=true"  # Keycloak expects TLS in production mode, so it can't be terminated by the reverse proxy
+        volumes:
+            - /etc/keycloak:/opt/keycloak/
        env_file:
            - ./config/idp/.env
        environment:
            KC_HOSTNAME: 'sel2-1.ugent.be'
            PROXY_ADDRESS_FORWARDING: 'true'
            KC_PROXY_HEADERS: 'xforwarded'
-            KC_HTTP_ENABLED: 'true'
            KC_HTTP_RELATIVE_PATH: '/idp'
+            KC_HTTPS_CERTIFICATE_FILE: '/opt/keycloak/cert.pem'
+            KC_HTTPS_CERTIFICATE_KEY_FILE: '/opt/keycloak/key.pem'

    reverse-proxy:
        image: traefik:v3.3