简介
Keycloak 是一款开源的身份验证程序,具备以下的特点:
- 影响最小的方式为应用程序添加身份验证
- 不存储用户数据和验证数据
- 提供用户联合、高强度认证、用户管理、细粒度授权等功能
创建数据库
使用的数据库是 postgresql,假设已经有安装好的 postgresql,并且默认管理员账号是 postgres,那么我们先创建 keycloak 的用户。数据库的详细操作可以参考:PGSQL 安装配置指南
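su - postgres
# Create a PostgreSQL role named keycloak and a database named keycloak owned by it.
# -P prompts for the role password; the same value is later given to Keycloak as KC_DB_PASSWORD.
# The role is deliberately NOT a superuser (no -s): owning its own database is all the
# privilege Keycloak needs to create and migrate its tables.
createuser -P keycloak
createdb keycloak -O keycloak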
docker-compose.yml
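# Keycloak 23 behind a TLS-terminating reverse proxy (KC_PROXY=edge) with its own
# PostgreSQL container. Every <...> placeholder must be replaced before use.
version: "3"
services:
  postgres:
    container_name: pgsql
    image: postgres:15
    ports:
      # Published on every host interface. If only this host needs the database,
      # bind to loopback ("127.0.0.1:5432:5432"); if only the keycloak container
      # needs it, drop the mapping and point KC_DB_URL at the service name.
      - "5432:5432"
    volumes:
      - ./database-data:/var/lib/postgresql/data
    healthcheck:
      # Probe the role and database that are actually created below
      # (POSTGRES_USER / POSTGRES_DB), not an unrelated "user".
      test: ["CMD", "pg_isready", "-q", "-d", "keycloak", "-U", "keycloak"]
      interval: 30s
      timeout: 20s
      retries: 3
    environment:
      POSTGRES_USER: 'keycloak'
      POSTGRES_PASSWORD: '<pgsql数据库密码>'
      POSTGRES_DB: 'keycloak'
      TZ: Asia/Shanghai
  keycloak:
    image: quay.io/keycloak/keycloak:23.0
    container_name: keycloak
    environment:
      KC_HOSTNAME: '<域名,如sso.naizhao.com>'
      KC_HTTP_PORT: '<监听的http端口,比如8080>'
      KC_HTTPS_PORT: '<监听的https端口,比如8443>'
      KC_HOSTNAME_STRICT_HTTPS: "true"
      KC_FEATURES: token-exchange
      KC_DB: postgres
      # Must reach the postgres service above; when both run in this compose
      # project the service name ("postgres") is preferable to a host IP.
      KC_DB_URL: 'jdbc:postgresql://<pgsql的IP,比如127.0.0.1>:5432/keycloak'
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: '<前面创建pgsql账号时输入的密码>'
      KEYCLOAK_ADMIN: '<管理员账号,比如admin>'
      KEYCLOAK_ADMIN_PASSWORD: '<管理员密码>'
      KC_HEALTH_ENABLED: "true"
      KC_LOG_LEVEL: info
      # edge: TLS terminates at the reverse proxy and Keycloak trusts the
      # X-Forwarded-* headers it receives. Only the proxy should be able to reach
      # the published ports below; otherwise a direct client can forge those headers.
      KC_PROXY: edge
    healthcheck:
      # NOTE(review): the official Keycloak image is minimal and may not ship curl;
      # if the container never becomes healthy, verify curl exists in the image.
      test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"]
      interval: 15s
      timeout: 2s
      retries: 15
    command: start
    ports:
      # 8080 is published as 10080 and 8443 as 10443 to avoid clashing with other
      # services on the host. Quoted so YAML never reinterprets the port pair.
      - "10080:8080"
      - "10443:8443"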
.env
# Variables interpolated into the compose files on this page. Compose uses them for
# ${...} substitution only; they are not injected into containers unless a service
# references them explicitly.
# This file holds secrets: keep it out of version control and readable only by the
# deploying user (chmod 600).
KEYCLOAK_DIR=/data/keycloak
IMAGE_TAG=latest
POSTGRES_PASSWORD=3MFDCCIa5PnD9X6Kla7XePKwxhpVvfXK
# NOTE(review): REDIS_PASSWORD is not referenced by any compose file shown on this page — verify it is used elsewhere.
REDIS_PASSWORD=AvWQQF5KJMjX1jeipEKeGlPQZxjCLVnH
# First three octets of the /24 used by keycloak-net; the compose files derive the
# gateway (.1) and the fixed service addresses (.2, .3) from it.
SUBNET_PREFIX=172.22.224
keycloak-compose.yml(24.0.1)
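# Keycloak 24.0.1 + PostgreSQL on a dedicated bridge network with fixed addresses.
# Secrets come from .env; the file fails fast (:?) when a required variable is unset.
networks:
  keycloak-net:
    name: keycloak-net
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: keycloak-net

services:
  postgres:
    container_name: keycloak-postgres
    restart: always
    image: postgres:15.2
    volumes:
      # Guarded like SUBNET_PREFIX: an unset KEYCLOAK_DIR would otherwise silently
      # place the data directory at /data/postgres.
      - ${KEYCLOAK_DIR:?KEYCLOAK_DIR required}/data/postgres:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    healthcheck:
      test: ["CMD", "pg_isready", "-q", "-d", "keycloak", "-U", "keycloak"]
      interval: 30s
      timeout: 20s
      retries: 3
    environment:
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
      - POSTGRES_DB=keycloak
    networks:
      keycloak-net:
        ipv4_address: ${SUBNET_PREFIX}.2
    cap_drop:
      - net_raw
    command: [postgres, -c, max_connections=200]

  keycloak:
    # Pinned to the release this file was written for (see the section title);
    # an untagged image silently tracks latest and makes upgrades unreviewed.
    image: quay.io/keycloak/keycloak:24.0.1
    container_name: keycloak
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
    environment:
      KC_HOSTNAME: key.waringid.me
      KC_HTTP_PORT: "8080"
      KC_FEATURES: token-exchange
      KC_DB: postgres
      KC_DB_URL: 'jdbc:postgresql://postgres:5432/keycloak'
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: ${POSTGRES_PASSWORD:?postgres password required}
      KEYCLOAK_ADMIN: admin
      # Read from the environment/.env like the database password, so no
      # admin credential is committed with this file.
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:?keycloak admin password required}
      KC_HEALTH_ENABLED: "true"
      KC_DB_SCHEMA: public
      KC_LOG_LEVEL: info
      # edge: TLS terminates at the reverse proxy and Keycloak trusts X-Forwarded-*
      # headers. Keycloak 24 deprecates KC_PROXY in favour of KC_PROXY_HEADERS.
      KC_PROXY: edge
      KC_HOSTNAME_ADMIN_URL: 'https://key.waringid.me'
      KC_HOSTNAME_PATH: /
      # With hostname-strict=false the request Host header may decide the hostname
      # Keycloak puts into issued URLs. Acceptable only while the published port is
      # reachable solely through the trusted proxy.
      KC_HOSTNAME_STRICT_HTTPS: "false"
      # NOTE(review): KC_PROXY_ADDRESS_FORWARDING does not appear to be a documented
      # option of the Quarkus-based distribution (PROXY_ADDRESS_FORWARDING belonged to
      # the old WildFly image) — verify it has any effect, and drop it if not.
      KC_PROXY_ADDRESS_FORWARDING: "true"
      KC_HOSTNAME_STRICT: "false"
      KC_HOSTNAME_STRICT_BACKCHANNEL: "true"
    healthcheck:
      # NOTE(review): the official Keycloak image is minimal and may not ship curl;
      # if the container never becomes healthy, verify curl exists in the image.
      test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"]
      interval: 15s
      timeout: 2s
      retries: 15
    command: start
    ports:
      # Published on all interfaces. If the reverse proxy runs on this host, bind
      # to loopback ("127.0.0.1:10080:8080") so nothing else can talk to Keycloak
      # directly and forge the forwarded headers it trusts.
      - "10080:8080"
    depends_on:
      # Wait for the database healthcheck, not merely for the container to start.
      postgres:
        condition: service_healthy
    networks:
      keycloak-net:
        ipv4_address: ${SUBNET_PREFIX}.3
    cap_drop:
      - net_raw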
keycloak.yml(26.2.4)
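# Keycloak 26.2.4 + PostgreSQL on a dedicated bridge network with fixed addresses,
# behind a reverse proxy that terminates TLS and sets X-Forwarded-* headers.
# Secrets come from .env; the file fails fast (:?) when a required variable is unset.
networks:
  keycloak-net:
    name: keycloak-net
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: keycloak-net

services:
  postgres:
    container_name: keycloak-postgres
    restart: always
    image: postgres:15.2
    volumes:
      # Guarded like SUBNET_PREFIX: an unset KEYCLOAK_DIR would otherwise silently
      # place the data directory at /data/postgres.
      - ${KEYCLOAK_DIR:?KEYCLOAK_DIR required}/data/postgres:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    healthcheck:
      test: ["CMD", "pg_isready", "-q", "-d", "keycloak", "-U", "keycloak"]
      interval: 30s
      timeout: 20s
      retries: 3
    environment:
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
      - POSTGRES_DB=keycloak
    networks:
      keycloak-net:
        ipv4_address: ${SUBNET_PREFIX}.2
    cap_drop:
      - net_raw
    command: [postgres, -c, max_connections=200]

  keycloak:
    # Pinned to the release this file was written for (see the section title);
    # an untagged image silently tracks latest and makes upgrades unreviewed.
    image: quay.io/keycloak/keycloak:26.2.4
    container_name: keycloak
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
    environment:
      # Hostname v2: a full URL fixes scheme, host and port of issued URLs.
      KC_HOSTNAME: 'https://key.waringid.me'
      KC_HTTP_PORT: "8080"
      KC_FEATURES: token-exchange
      KC_DB: postgres
      KC_DB_URL: 'jdbc:postgresql://postgres:5432/keycloak'
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: ${POSTGRES_PASSWORD:?postgres password required}
      # Keycloak 26 deprecates these two in favour of KC_BOOTSTRAP_ADMIN_USERNAME /
      # KC_BOOTSTRAP_ADMIN_PASSWORD (as used in the IP-mode file on this page).
      KEYCLOAK_ADMIN: admin
      # Read from the environment/.env like the database password, so no
      # admin credential is committed with this file.
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:?keycloak admin password required}
      KC_HEALTH_ENABLED: "true"
      KC_DB_SCHEMA: public
      KC_LOG_LEVEL: info
      # KC_PROXY was removed in this line; KC_PROXY_HEADERS below replaces it.
      #KC_PROXY: edge
      KC_HOSTNAME_ADMIN: 'https://key.waringid.me'
      KC_HOSTNAME_BACKCHANNEL_DYNAMIC: "true"
      # NOTE(review): KC_PROXY_ADDRESS_FORWARDING does not appear to be a documented
      # option of the Quarkus-based distribution (PROXY_ADDRESS_FORWARDING belonged to
      # the old WildFly image) — verify it has any effect, and drop it if not.
      KC_PROXY_ADDRESS_FORWARDING: "true"
      KC_HOSTNAME_STRICT: "true"
      # Plain HTTP is enabled only because TLS terminates at the proxy.
      KC_HTTP_ENABLED: "true"
      # Keycloak trusts X-Forwarded-* from whoever reaches its port; see the
      # note on the published port below.
      KC_PROXY_HEADERS: xforwarded
      # Re-enables the pre-18 logout behaviour (redirect_uri accepted without an
      # id_token_hint). This relaxes logout protections; keep it only while a
      # client that still depends on it exists, and remove it afterwards.
      KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI: "true"
    healthcheck:
      # Port 9000 is the management interface that serves /health in Keycloak 25+.
      # NOTE(review): the official Keycloak image is minimal and may not ship curl;
      # if the container never becomes healthy, verify curl exists in the image.
      test: ["CMD", "curl", "-f", "http://localhost:9000/health/ready"]
      interval: 15s
      timeout: 2s
      retries: 15
    command: start
    ports:
      # Published on all interfaces. If the reverse proxy runs on this host, bind
      # to loopback ("127.0.0.1:10080:8080") so nothing else can talk to Keycloak
      # directly and forge the forwarded headers it trusts.
      - "10080:8080"
    depends_on:
      # Wait for the database healthcheck, not merely for the container to start.
      postgres:
        condition: service_healthy
    networks:
      keycloak-net:
        ipv4_address: ${SUBNET_PREFIX}.3
    cap_drop:
      - net_raw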
keycloak.yml(IP 模式)
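# Keycloak + PostgreSQL reachable by plain HTTP on a LAN address, without a reverse
# proxy. Intended for an isolated lab network: credentials and tokens cross the
# wire unencrypted. Secrets come from .env; the file fails fast (:?) when unset.
networks:
  keycloak-net:
    name: keycloak-net
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: keycloak-net

services:
  postgres:
    container_name: keycloak-postgres
    restart: always
    image: postgres:15.2
    volumes:
      # Guarded like SUBNET_PREFIX: an unset KEYCLOAK_DIR would otherwise silently
      # place the data directory at /data/postgres.
      - ${KEYCLOAK_DIR:?KEYCLOAK_DIR required}/data/postgres:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    healthcheck:
      test: ["CMD", "pg_isready", "-q", "-d", "keycloak", "-U", "keycloak"]
      interval: 30s
      timeout: 20s
      retries: 3
    environment:
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
      - POSTGRES_DB=keycloak
    networks:
      keycloak-net:
        ipv4_address: ${SUBNET_PREFIX}.2
    cap_drop:
      - net_raw
    command: [postgres, -c, max_connections=200]

  keycloak:
    # IMAGE_TAG is defined in .env; set it to a specific release rather than
    # latest so upgrades are deliberate and reproducible.
    image: quay.io/keycloak/keycloak:${IMAGE_TAG:-latest}
    container_name: keycloak
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
    environment:
      # Full-URL hostname (hostname v2) using the host's LAN address over HTTP.
      KC_HOSTNAME: 'http://192.168.182.52:8080'
      KC_HTTP_PORT: "8080"
      #KC_FEATURES: token-exchange
      KC_DB: postgres
      KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: ${POSTGRES_PASSWORD:?postgres password required}
      # The bootstrap admin is only created on first start. Its password is read
      # from the environment/.env so no credential is committed with this file.
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:?keycloak admin password required}
      KC_HEALTH_ENABLED: "true"
      KC_DB_SCHEMA: public
      KC_LOG_LEVEL: info
      KC_HOSTNAME_ADMIN: 'http://192.168.182.52:8080'
      # Required because no TLS is configured; never expose this beyond the lab.
      KC_HTTP_ENABLED: "true"
    healthcheck:
      # Port 9000 is the management interface that serves /health in Keycloak 25+.
      # NOTE(review): the official Keycloak image is minimal and may not ship curl;
      # if the container never becomes healthy, verify curl exists in the image.
      test: ["CMD", "curl", "-f", "http://localhost:9000/health/ready"]
      interval: 15s
      timeout: 2s
      retries: 15
    command: start
    ports:
      - "8080:8080"
    depends_on:
      # Wait for the database healthcheck, not merely for the container to start.
      postgres:
        condition: service_healthy
    networks:
      keycloak-net:
        ipv4_address: ${SUBNET_PREFIX}.3
    cap_drop:
      - net_raw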
常用维护
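# Export the whole cluster (roles and all databases) from the container.
# pg_dumpall -c emits DROP statements so a restore replaces existing objects.
# The dump contains role password hashes and all realm data, so create it with
# owner-only permissions.
umask 077
docker exec keycloak-postgres pg_dumpall -c -U keycloak > dump.sql

# Import the dump.
# -i is required: without it docker exec does not forward stdin and psql reads nothing.
# Connect to the maintenance database "postgres": the dump drops and recreates the
# keycloak database, which cannot be done from a session connected to it.
docker exec -i keycloak-postgres psql -U keycloak -d postgres < dump.sql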