iam_production_deployment_guide

iam_production_deployment_guide [2026/02/18 08:31] – [4. Create & Encrypt Secrets] pradnyaiam_production_deployment_guide [2026/02/26 12:47] (current) – [cPanel's userdata include] pradnya
Line 119: Line 119:
 Secrets: Secrets:
  
-<code>db_password: StrongDBPass@2026!\\ +<code> 
-admin_password: StrongAdminPass@2026!\\+db_password: StrongDBPass@2026! 
 +admin_password: StrongAdminPass@2026!
  
 </code> </code>
Line 162: Line 163:
 <code> <code>
 services: services:
-postgres: +  postgres: 
-  image: postgres:16 +    image: postgres:16 
-  container_name: keycloak_db +    container_name: keycloak_db 
-  environment: +    environment: 
-    POSTGRES_DB: keycloak +      POSTGRES_DB: keycloak 
-    POSTGRES_USER: keycloak_user +      POSTGRES_USER: keycloak_user 
-    POSTGRES_PASSWORD_FILE: /run/secrets/db_password +      POSTGRES_PASSWORD_FILE: /run/secrets/db_password 
-  volumes: +    volumes: 
-    - /opt/cotrav/iam/data/postgres:/var/lib/postgresql/data:+      - /opt/cotrav/iam/data/postgres:/var/lib/postgresql/data:
-    - /dev/shm/iam-secrets/db_password:/run/secrets/db_password:ro,+      - /dev/shm/iam-secrets/db_password:/run/secrets/db_password:ro,
-  healthcheck: +    healthcheck: 
-    test: ["CMD-SHELL", "pg_isready -U keycloak_user -d keycloak"+      test: ["CMD-SHELL", "pg_isready -U keycloak_user -d keycloak"
-    interval: 5s +      interval: 5s 
-  networks: +    networks: 
-    - iam_network+      - iam_network
  
-keycloak: +  keycloak: 
-  image: quay.io/keycloak/keycloak:26 +    image: quay.io/keycloak/keycloak:26.1.0 
-  container_name: keycloak_app +    container_name: keycloak_app 
-  command: start +    command: start 
-  ports: +    ports: 
-    - "8080:8080" +      - "8080:8080" 
-  environment: +    environment: 
-    KC_DB: postgres +      KC_DB: postgres 
-    KC_DB_URL: jdbc:postgresql://keycloak_db:5432/keycloak +      KC_DB_URL: jdbc:postgresql://keycloak_db:5432/keycloak 
-    KC_DB_USERNAME: keycloak_user +      KC_DB_USERNAME: keycloak_user 
-    KC_DB_PASSWORD_FILE: /run/secrets/db_password +      KC_DB_PASSWORD_FILE: /run/secrets/db_password 
-    KC_BOOTSTRAP_ADMIN_USERNAME: admin +      KC_BOOTSTRAP_ADMIN_USERNAME: admin 
-    KC_BOOTSTRAP_ADMIN_PASSWORD_FILE: /run/secrets/admin_password +      KC_BOOTSTRAP_ADMIN_PASSWORD_FILE: /run/secrets/admin_password 
-    KC_HTTP_ENABLED: "true" +      KC_HTTP_ENABLED: "true" 
-  volumes: +    volumes: 
-    - /dev/shm/iam-secrets/db_password:/run/secrets/db_password:ro,+      - /dev/shm/iam-secrets/db_password:/run/secrets/db_password:ro,
-    - /dev/shm/iam-secrets/admin_password:/run/secrets/admin_password:ro,+      - /dev/shm/iam-secrets/admin_password:/run/secrets/admin_password:ro,
-    - /opt/cotrav/iam/logs:/opt/keycloak/data/log:+      - /opt/cotrav/iam/logs:/opt/keycloak/data/log:
-  depends_on: +    depends_on: 
-    postgres: +      postgres: 
-      condition: service_healthy +        condition: service_healthy 
-  networks: +    networks: 
-    - iam_network+      - iam_network
  
 networks: networks:
-iam_network: +  iam_network: 
-  driver: bridge+    driver: bridge
  
 </code> </code>
 +
  
 ===== 6. Create Secure start-iam.sh ===== ===== 6. Create Secure start-iam.sh =====
Line 304: Line 306:
 docker exec keycloak_db \ docker exec keycloak_db \
   pg_dump -U keycloak_user keycloak \   pg_dump -U keycloak_user keycloak \
- > /opt/travsetup/iam/keycloak-backups/keycloak-$DATE.sql+> /opt/travsetup/iam/keycloak-backups/keycloak-$DATE.sql
  
 </code> </code>
Line 328: Line 330:
  
 </code> </code>
 +
 +===== Proxy through NGINX - Droplet FIX =====
 +
 +To resolve on browser error "We are sorry… HTTPS required"
 +
 +**Step 1: Install Nginx on Alma Linux**
 +
 +bash
 +
 +<code>
 +dnf install -y nginx
 +systemctl enable --now nginx
 +
 +</code>
 +
 +**Step 2: Generate a self-signed certificate**
 +
 +bash
 +
 +<code>
 +mkdir -p /etc/nginx/ssl
 +openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
 +  -keyout /etc/nginx/ssl/keycloak.key \
 +  -out /etc/nginx/ssl/keycloak.crt \
 +  -subj "/CN=64.227.190.56"
 +
 +</code>
 +
 +**Step 3: Create Nginx config for Keycloak**
 +
 +bash
 +
 +<code>
 +nano /etc/nginx/conf.d/keycloak.conf
 +
 +</code>
 +
 +<code>
 +server {
 +  listen 443 ssl;
 +  server_name 64.227.190.56;
 +
 +  ssl_certificate     /etc/nginx/ssl/keycloak.crt;
 +  ssl_certificate_key /etc/nginx/ssl/keycloak.key;
 +
 +  # Security headers
 +  add_header Strict-Transport-Security "max-age=31536000" always;
 +  add_header X-Frame-Options SAMEORIGIN;
 +  add_header X-Content-Type-Options nosniff;
 +
 +  location / {
 +      proxy_pass http://localhost:8080;
 +      proxy_set_header Host $host;
 +      proxy_set_header X-Real-IP $remote_addr;
 +      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +      proxy_set_header X-Forwarded-Proto $scheme;
 +      proxy_buffer_size 128k;
 +      proxy_buffers 4 256k;
 +      proxy_busy_buffers_size 256k;
 +  }
 +}
 +
 +server {
 +  listen 80;
 +  server_name 64.227.190.56;
 +  return 301 https://$host$request_uri;
 +}
 +
 +</code>
 +
 +Modified docker-compose.yml as follows
 +
 +<code>
 +keycloak:
 +image: quay.io/keycloak/keycloak:26.1.0
 +container_name: keycloak_app
 +command: start
 +ports:
 +  - "8080:8080"
 +environment:
 +  KC_DB: postgres
 +  KC_DB_URL: jdbc:postgresql://keycloak_db:5432/keycloak
 +  KC_DB_USERNAME: keycloak_user
 +  KC_DB_PASSWORD:
 +  KC_BOOTSTRAP_ADMIN_USERNAME: admin
 +  KC_BOOTSTRAP_ADMIN_PASSWORD:
 +  KC_HTTP_ENABLED: "true"
 +  KC_HTTP_PORT: "8080"
 +  KC_PROXY_HEADERS: xforwarded
 +  KC_HOSTNAME: "https://64.227.190.56"
 +  KC_HOSTNAME_STRICT: "false"
 +
 +</code>
 +
 +Start NginX
 +
 +<code>
 +systemctl restart nginx
 +
 +</code>
 +
 +Check/Configure Firewall rules for URL as follows
 +
 +**Configure Inbound Rules**
 +
 +Add these inbound rules:
 +
 +^Type^Protocol^Port^Sources|
 +|HTTP|TCP|80|All IPv4, All IPv6|
 +|HTTPS|TCP|443|All IPv4, All IPv6|
 +|SSH|TCP|22| \\ All IPv4, All IPv6|
 +
 +Allow Nginx to connect to local ports
 +<code>
 +
 + setsebool -P httpd_can_network_connect 1
 +
 +#or
 +
 +setenforce 1
 +
 +</code>
 +
 +Stop docker and NginX and start again.
 +
 +===== cPanel's userdata include =====
 +
 +**Step 1: Create the userdata directories**
 +
 +bash
 +
 +<code>
 +mkdir -p /etc/apache2/conf.d/userdata/std/2_4/ctapi/kcloak.ctapi.in/
 +mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/ctapi/kcloak.ctapi.in/
 +
 +</code>
 +
 +**Step 2: Create HTTP proxy config**
 +
 +bash
 +
 +<code>
 +nano /etc/apache2/conf.d/userdata/std/2_4/ctapi/kcloak.ctapi.in/proxy.conf
 +
 +</code>
 +
 +Add:
 +
 +<code>
 +RewriteEngine On RewriteRule ^(.*)$ https://kcloak.ctapi.in$1 [R=301,L]<code>
 +
 +**Step 3: Create HTTPS proxy config**
 +
 +bash
 +
 +<code>nano /etc/apache2/conf.d/userdata/ssl/2_4/ctapi/kcloak.ctapi.in/proxy.conf
 +
 +</code>
 +
 +Add:
 +
 +<code>
 +ProxyPreserveHost On\
 +ProxyPass / http://127.0.0.1:8080/\
 +ProxyPassReverse / http://127.0.0.1:8080/\
 +RequestHeader set X-Forwarded-Proto "https"\
 +RequestHeader set X-Forwarded-Port "443"
 +
 +</code>
 +
 +**Step 4: Rebuild Apache config and restart**
 +
 +bash
 +
 +<code>
 +/scripts/rebuildhttpdconf
 +httpd -t
 +systemctl restart httpd
 +
 +</code>
 +
 +Then test:
 +
 +bash
 +
 +<code>
 +curl -I https://kcloak.ctapi.in
 +
 +</code>
 +
 +Expected result:
 +
 +<code>
 +curl -I [[https://kcloak.ctapi.in/|https://kcloak.ctapi.in]]
 +
 +HTTP/1.1 302 Found Date: Thu, 26 Feb 2026 11:22:25 GMT
 +
 +Server: Apache
 +
 +Location: [[https://kcloak.ctapi.in/admin/|https://kcloak.ctapi.in/admin/]]
 +
 +Referrer-Policy: no-referrer
 +
 +Strict-Transport-Security: max-age=31536000; includeSubDomains
 +
 +X-Content-Type-Options: nosniff
 +
 +X-XSS-Protection: 1;
 +
 +mode=block
 +
 +</code>
 +
 +Check for **Location: https://kcloak.ctapi.in/admin/|https://kcloak.ctapi.in/admin/**
 +
 +This is poining to correct directory and not apache direcoty with cgi folder.
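Review bot: In the snippet under `Modified docker-compose.yml as follows`, `KC_DB_PASSWORD:` and `KC_BOOTSTRAP_ADMIN_PASSWORD:` are left with no value (YAML reads a bare key as null) and the `/run/secrets` file mounts that the Line 162 compose in this same diff relies on are gone, so the guide's own secret-handling design is silently lost; the keys under `keycloak:` are also at the same column as `keycloak:` itself, the nesting defect the Line 162 hunk corrected. The `ports: - "8080:8080"` mapping in that snippet (and in the Line 162 compose) publishes Keycloak's plain-HTTP listener on every host interface while nginx only needs `localhost:8080`, so the TLS front end can be bypassed, and because Docker's published-port rules are commonly inserted ahead of the host firewall the 80/443-only inbound table further down does not necessarily close it — bind it as `- "127.0.0.1:8080:8080"`. In the SELinux step, `setenforce 1` is not an alternative to `setsebool -P httpd_can_network_connect 1` (it only switches enforcing mode on), so the `#or` line should be dropped rather than read as a fallback. If the `_FILE` variants were removed because the Keycloak image did not honour them, the guide should say so; the rewritten block below assumes they behave as in the Line 162 compose.
```yaml
  keycloak:
    # … unchanged: image, container_name, command …
    ports:
      - "127.0.0.1:8080:8080"
    environment:
      # … unchanged: KC_DB, KC_DB_URL, KC_DB_USERNAME …
      KC_DB_PASSWORD_FILE: /run/secrets/db_password
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD_FILE: /run/secrets/admin_password
      # … unchanged: KC_HTTP_ENABLED, KC_HTTP_PORT, KC_PROXY_HEADERS, KC_HOSTNAME, KC_HOSTNAME_STRICT …
    volumes:
      - /dev/shm/iam-secrets/db_password:/run/secrets/db_password:ro
      - /dev/shm/iam-secrets/admin_password:/run/secrets/admin_password:ro
```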
  
  