I can't get Keycloak and Nginx to work together in the same Docker network:
Sequence of events:
2020/04/13 09:58:38 [error] 7#7: *19 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.2, server: localhost, request: "GET /auth/realms/bizmkc/protocol/openid-connect/auth?client_id=bizmapp&redirect_uri=https%3A%2F%2Flocalhost%2Flogin&state=26ce2075-8099-4960-83e8-508e40c585f3&response_mode=fragment&response_type=code&scope=openid&nonce=b57ca43a-ed93-48ab-9c96-591cd6378de9 HTTP/1.1", upstream: "https://127.0.0.1:9443/auth/realms/bizmkc/protocol/openid-connect/auth?client_id=bizmapp&redirect_uri=https%3A%2F%2Flocalhost%2Flogin&state=26ce2075-8099-4960-83e8-508e40c585f3&response_mode=fragment&response_type=code&scope=openid&nonce=b57ca43a-ed93-48ab-9c96-591cd6378de9", host: "localhost", referrer: "https://localhost/login"
2020/04/13 09:58:38 [error] 7#7: *19 open() "/usr/local/nginx/html/50x.html" failed (2: No such file or directory), client: 10.0.0.2, server: localhost, request: "GET /auth/realms/bizmkc/protocol/openid-connect/auth?client_id=bizmapp&redirect_uri=https%3A%2F%2Flocalhost%2Flogin&state=26ce2075-8099-4960-83e8-508e40c585f3&response_mode=fragment&response_type=code&scope=openid&nonce=b57ca43a-ed93-48ab-9c96-591cd6378de9 HTTP/1.1", upstream: "https://127.0.0.1:9443/auth/realms/bizmkc/protocol/openid-connect/auth?client_id=bizmapp&redirect_uri=https%3A%2F%2Flocalhost%2Flogin&state=26ce2075-8099-4960-83e8-508e40c585f3&response_mode=fragment&response_type=code&scope=openid&nonce=b57ca43a-ed93-48ab-9c96-591cd6378de9", host: "localhost", referrer: "https://localhost/login"
https://localhost/auth/realms/bizmkc/protocol/openid-connect/auth?client_id=bizmapp&redirect_uri=<redirect_uri>&state=26ce2075-8099-4960-83e8-508e40c585f3&response_mode=fragment&response_type=code&scope=openid&nonce=b57ca43a-ed93-48ab-9c96-591cd6378de9 correctly takes me to the Keycloak realm login page.
I don't understand why the redirect to the URL with the port doesn't work inside the Docker network.
My nginx.conf file
# nginx.vh.default.conf -- docker-openresty
#
# This file is installed to:
# `/etc/nginx/conf.d/default.conf`
#
# It tracks the `server` section of the upstream OpenResty's `nginx.conf`.
#
# This config (and any other configs in `etc/nginx/conf.d/`) is loaded by
# default by the `include` directive in `/usr/local/openresty/nginx/conf/nginx.conf`.
#
# See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
#
# Log only if it's a new user with no cookie. From https://www.nginx.com/blog/sampling-requests-with-nginx-conditional-logging/
map $cookie_SESSION $logme {
    ""      1;
    default 0;
}

server {
    listen 80; # listen for all the HTTP requests
    server_name localhost;
    # return 301 https://localhost;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name localhost; # same server name as port 80 is fine
    ssl_certificate     /etc/nginx/ssldir/ssl.crt;
    ssl_certificate_key /etc/nginx/ssldir/ssl.key;
    charset utf-8;

    # log a user only one time. If cookie is null, it's a new user
    access_log /var/log/nginx/access.log combined if=$logme;
    error_log  /var/log/nginx/error.log debug;

    # Optional: If the application does not generate a session cookie, we
    # generate our own
    add_header Set-Cookie SESSION=1;

    # MUST USE TRAILING HASH IN https://localhost:9443/ AND IT WILL NOT ADD BIZAUTH ****important
    # Default keycloak configuration points to CONTEXT auth in standalone/configuration/standalone.xml. So use auth
    location /auth {
        proxy_redirect     off;
        proxy_pass         https://localhost:9443;
        proxy_read_timeout 90;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Scheme $scheme;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        root  /usr/local/nginx/html;
        index index.html index.htm;
        # following is needed for angular PathLocationStrategy
        try_files $uri $uri/ /index.html;
    }

    location /mpi {
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;
        # client_max_body_size 10m;
        # client_body_buffer_size 128k;
        # proxy_connect_timeout 90;
        # proxy_send_timeout 90;
        # proxy_read_timeout 90;
        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;
        proxy_pass http://localhost:8080;
    }

    location /npi {
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;
        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;
        proxy_pass http://localhost:8080;
    }

    location /tilla/ {
        proxy_pass https://www.google.com/;
    }

    error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/local/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root          /usr/local/openresty/nginx/html;
    #    fastcgi_pass  127.0.0.1:9000;
    #    fastcgi_index index.php;
    #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    #    include       fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}

    # On error pages, this will prevent showing version number
    #server_tokens off;
}
keycloak-nginx.yaml
version: '3.7'
networks:
  nginx:
    name: nginx
services:
  nginx:
    image: nginx:1.17.7-alpine
    domainname: localhost
    ports:
      - "80:80"
      - "443:443"
    networks:
      nginx:
    network_mode: host
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./nginx/logs:/var/log/nginx
      - ./nginx/html:/usr/local/nginx/html
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - ./nginx/ssldir:/etc/nginx/ssldir:ro
  keycloak:
    image: jboss/keycloak:8.0.1
    domainname: localhost
    ports:
      - "9443:8443"
    networks:
      nginx:
    volumes:
      # - ${USERDIR}/keycloak/config.json:/config.json
      - /mnt/disks/vol1/kcthemes:/opt/jboss/keycloak/themes
      #- /mnt/disks/vol1/ssldir:/etc/x509/https
    environment:
      # https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/setup-oidc-provider/
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=aaaa
      # - KEYCLOAK_IMPORT=/config.json
      - DB_VENDOR=postgres
      - DB_DATABASE=keycloak
      - DB_ADDR=keycloak-db
      - DB_USER=keycloak
      - DB_PASSWORD=myuberpassword
      # This is required to run keycloak behind traefik
      - PROXY_ADDRESS_FORWARDING=true
      - KEYCLOAK_HOSTNAME=localhost
      # Tell Postgres what user/password to create
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=myuberpassword
      - ROOT_LOGLEVEL=DEBUG
      - KEYCLOAK_LOGLEVEL=DEBUG
    restart: "no"
    depends_on:
      - keycloak-db
  # https://hub.docker.com/_/postgres
  keycloak-db:
    image: postgres:12.1-alpine
    ports:
      - target: 5432
        published: 5432
    networks:
      nginx:
    volumes:
      - ./kc_db:/var/lib/postgresql/data
    environment:
      - DB_VENDOR=postgres
      - DB_DATABASE=keycloak
      - DB_ADDR=keycloak-db
      - DB_USER=keycloak
      - DB_PASSWORD=.
      # This is required to run keycloak behind traefik
      - KEYCLOAK_HOSTNAME=localhost
      # Tell Postgres what user/password to create
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=myuberpassword
    restart: "no"
  keycloak-db-backup:
    image: postgres
    networks:
      nginx:
    volumes:
      - ${USERDIR}/keycloak/database-dump:/dump
    environment:
      - PGHOST=keycloak-db
      - PGUSER=keycloak
      - PGPASSWORD=myuberpassword
      - BACKUP_NUM_KEEP=7
      - BACKUP_FREQUENCY=1d
    entrypoint: |
      bash -c 'bash -s <<EOF
      trap "break;exit" SIGHUP SIGINT SIGTERM
      sleep 2m
      while /bin/true; do
        pg_dump -Fc > /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.psql
        (ls -t /dump/dump*.psql|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.psql)|sort|uniq -u|xargs rm -- {}
        sleep $$BACKUP_FREQUENCY
      done
      EOF'
    restart: "no"
    depends_on:
      - nginx
Command used to run this: docker stack deploy -c keycloak-nginx.yaml kc
docker info
Client:
Debug Mode: false
Server:
Containers: 5
Running: 3
Paused: 0
Stopped: 2
Images: 20
Server Version: 19.03.6
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: active
NodeID: pusagcsjon73mkvjxn2wx9bkz
Is Manager: true
ClusterID: ibxcgupiut3apyhwyn78anycj
Managers: 1
Nodes: 1
Default Address Pool: 10.0.0.0/8
SubnetSize: 24
Data Path Port: 4789
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot Interval: 10000
Number of Old Snapshots to Retain: 0
Heartbeat Tick: 1
Election Tick: 10
Dispatcher:
Heartbeat Period: 5 seconds
CA Configuration:
Expiry Duration: 3 months
Force Rotate: 0
Autolock Managers: false
Root Rotation In Progress: false
Node Address: 192.168.0.145
Manager Addresses:
192.168.0.145:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version:
runc version:
init version:
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.15.0-96-generic
Operating System: Linux Mint 19.1
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 31.28GiB
Name: Yogi-Linux
ID: YTU6:VKGZ:42ED:QJNQ:34RU:IWAU:L5UL:PJP2:2FJG:FYZC:FRUC:6XNB
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
localhost:32000
127.0.0.0/8
Live Restore Enabled: false
localhost inside a container is different from localhost on your host, so (with domainname and KEYCLOAK_HOSTNAME both set to localhost) use the Keycloak service name for the /auth proxy pass: proxy_pass https://keycloak:9443;
OR: run all containers in the OS network namespace (--net=host), which is usually not recommended; then localhost in the container will be the same as your OS localhost.
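The following is an added example, not code from the question or the answer above. It is a small Python lint for exactly this failure mode: it pulls the refused upstream out of an nginx error-log line like the one in the question, finds every proxy_pass in an nginx.conf that points at the container's own loopback interface, and pairs each with the service-name target it should use on the shared Docker network. One detail worth noting beyond the answer's wording: between containers on a user-defined network the request goes to the container's own port, i.e. the right-hand side of the ports mapping (8443 for "9443:8443"), not the port published on the host. The nginx.conf, compose file and log line embedded below are constructed, trimmed samples modelled on the question; the compose reader is a deliberately minimal line parser (short "published:container" port form only) so the example runs without a YAML library.

```python
"""Lint for nginx-in-a-container proxying to localhost (its own loopback).
Added example; the inputs below are constructed samples, not the page's files."""
import re
from urllib.parse import urlsplit

NGINX_CONF = """
server {
    listen 443 ssl;
    location /auth {
        proxy_pass https://localhost:9443;
    }
    location /mpi {
        proxy_pass http://localhost:8080;
    }
    location /tilla/ {
        proxy_pass https://www.google.com/;
    }
}
"""

COMPOSE_YAML = """
networks:
  nginx:
    name: nginx
services:
  nginx:
    image: nginx:1.17.7-alpine
    ports:
      - "80:80"
      - "443:443"
  keycloak:
    image: jboss/keycloak:8.0.1
    ports:
      - "9443:8443"
"""

SAMPLE_ERROR_LINE = (
    '2020/04/13 09:58:38 [error] 7#7: *19 connect() failed (111: Connection refused) '
    'while connecting to upstream, client: 10.0.0.2, server: localhost, '
    'request: "GET /auth/realms/example/protocol/openid-connect/auth HTTP/1.1", '
    'upstream: "https://127.0.0.1:9443/auth/realms/example/protocol/openid-connect/auth", '
    'host: "localhost"'
)

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
CONNECT_FAIL_RE = re.compile(
    r'connect\(\) failed \((\d+): ([^)]+)\) while connecting to upstream.*?upstream: "([^"]+)"')
PROXY_PASS_RE = re.compile(r"proxy_pass\s+(\S+?);")
SERVICE_RE = re.compile(r"^  ([A-Za-z0-9_.-]+):\s*$")        # two-space key under services:
SHORT_PORT_RE = re.compile(r'^\s*-\s*"?(\d+):(\d+)"?\s*$')   # - "published:container"


def failed_upstream(log_line):
    """(errno, message, upstream host, upstream port) for an nginx connect
    failure line; None for any other line."""
    m = CONNECT_FAIL_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(3))
    return int(m.group(1)), m.group(2), url.hostname, url.port


def published_ports(compose_text):
    """Map published host port -> (service, container port) from the short
    'ports:' form. Long-form 'target:/published:' entries are skipped."""
    mapping, service, in_services, in_ports = {}, None, False, False
    for line in compose_text.splitlines():
        if not line.strip():
            continue
        if line.strip() == "services:":
            in_services = True
            continue
        if not line[0].isspace():            # some other top-level key
            in_services = False
            continue
        if not in_services:
            continue
        m = SERVICE_RE.match(line)
        if m:
            service, in_ports = m.group(1), False
            continue
        if line.strip() == "ports:":
            in_ports = True
            continue
        m = SHORT_PORT_RE.match(line)
        if in_ports and m and service:
            mapping[int(m.group(1))] = (service, int(m.group(2)))
        elif not line.strip().startswith("-"):
            in_ports = False                 # left the ports: list


    return mapping


def loopback_proxy_passes(nginx_text):
    """Every uncommented proxy_pass aimed at loopback, as (target, host, port)."""
    uncommented = re.sub(r"#.*", "", nginx_text)
    hits = []
    for target in PROXY_PASS_RE.findall(uncommented):
        url = urlsplit(target)
        if url.hostname in LOOPBACK:
            hits.append((target, url.hostname, url.port))
    return hits


def suggest_fixes(nginx_text, compose_text):
    """Pair each loopback proxy_pass with a service-name target using the
    container port; None when no service publishes that host port."""
    ports = published_ports(compose_text)
    out = []
    for target, host, port in loopback_proxy_passes(nginx_text):
        hit = ports.get(port)
        if hit is None:
            out.append((target, None))
            continue
        service, container_port = hit
        out.append((target, target.replace(f"{host}:{port}", f"{service}:{container_port}", 1)))
    return out


if __name__ == "__main__":
    print("error log:", failed_upstream(SAMPLE_ERROR_LINE))
    for target, fixed in suggest_fixes(NGINX_CONF, COMPOSE_YAML):
        print(f"{target} -> {fixed or 'no service publishes this port'}")
```

Run as-is it reports the refused upstream 127.0.0.1:9443 from the log line and proposes https://keycloak:8443 for the /auth location; the /mpi target is flagged but left unresolved because no service in the sample compose file publishes port 8080, which is the signal to check whether that backend is in the same network at all.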