Differences

This shows you the differences between two versions of the page.

--- iam_production_deployment_guide [2026/02/18 08:32] – [4. Create & Encrypt Secrets] pradnya
+++ iam_production_deployment_guide [2026/02/26 12:47] (current) – [cPanel's userdata include] pradnya
@@ Line 163: / Line 163: @@
 <code>
 services:
-postgres:
+  postgres:
-  image: postgres:16
+    image: postgres:16
-  container_name: keycloak_db
+    container_name: keycloak_db
-  environment:
+    environment:
-    POSTGRES_DB: keycloak
+      POSTGRES_DB: keycloak
-    POSTGRES_USER: keycloak_user
+      POSTGRES_USER: keycloak_user
-    POSTGRES_PASSWORD_FILE: /run/secrets/db_password
+      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
-  volumes:
+    volumes:
-    - /opt/cotrav/iam/data/postgres:/var/lib/postgresql/data:Z
+      - /opt/cotrav/iam/data/postgres:/var/lib/postgresql/data:Z
-    - /dev/shm/iam-secrets/db_password:/run/secrets/db_password:ro,Z
+      - /dev/shm/iam-secrets/db_password:/run/secrets/db_password:ro,Z
-  healthcheck:
+    healthcheck:
-    test: ["CMD-SHELL", "pg_isready -U keycloak_user -d keycloak"]
+      test: ["CMD-SHELL", "pg_isready -U keycloak_user -d keycloak"]
-    interval: 5s
+      interval: 5s
-  networks:
+    networks:
-    - iam_network
+      - iam_network
-keycloak:
+  keycloak:
-  image: quay.io/keycloak/keycloak:26
+    image: quay.io/keycloak/keycloak:26.1.0
-  container_name: keycloak_app
+    container_name: keycloak_app
-  command: start
+    command: start
-  ports:
+    ports:
-    - "8080:8080"
+      - "8080:8080"
-  environment:
+    environment:
-    KC_DB: postgres
+      KC_DB: postgres
-    KC_DB_URL: jdbc:postgresql://keycloak_db:5432/keycloak
+      KC_DB_URL: jdbc:postgresql://keycloak_db:5432/keycloak
-    KC_DB_USERNAME: keycloak_user
+      KC_DB_USERNAME: keycloak_user
-    KC_DB_PASSWORD_FILE: /run/secrets/db_password
+      KC_DB_PASSWORD_FILE: /run/secrets/db_password
-    KC_BOOTSTRAP_ADMIN_USERNAME: admin
+      KC_BOOTSTRAP_ADMIN_USERNAME: admin
-    KC_BOOTSTRAP_ADMIN_PASSWORD_FILE: /run/secrets/admin_password
+      KC_BOOTSTRAP_ADMIN_PASSWORD_FILE: /run/secrets/admin_password
-    KC_HTTP_ENABLED: "true"
+      KC_HTTP_ENABLED: "true"
-  volumes:
+    volumes:
-    - /dev/shm/iam-secrets/db_password:/run/secrets/db_password:ro,Z
+      - /dev/shm/iam-secrets/db_password:/run/secrets/db_password:ro,Z
-    - /dev/shm/iam-secrets/admin_password:/run/secrets/admin_password:ro,Z
+      - /dev/shm/iam-secrets/admin_password:/run/secrets/admin_password:ro,Z
-    - /opt/cotrav/iam/logs:/opt/keycloak/data/log:Z
+      - /opt/cotrav/iam/logs:/opt/keycloak/data/log:Z
-  depends_on:
+    depends_on:
-    postgres:
+      postgres:
-      condition: service_healthy
+        condition: service_healthy
-  networks:
+    networks:
-    - iam_network
+      - iam_network
 networks:
-iam_network:
+  iam_network:
-  driver: bridge
+    driver: bridge
 </code>
 ===== 6. Create Secure start-iam.sh =====
@@ Line 305: / Line 306: @@
 docker exec keycloak_db \
   pg_dump -U keycloak_user keycloak \
- > /opt/travsetup/iam/keycloak-backups/keycloak-$DATE.sql
+> /opt/travsetup/iam/keycloak-backups/keycloak-$DATE.sql
 </code>
@@ Line 329: / Line 330: @@
 </code>
+===== Proxy through NGINX - Droplet FIX =====
+To resolve on browser error "We are sorry… HTTPS required"
+**Step 1: Install Nginx on Alma Linux**
+bash
+<code>
+dnf install -y nginx
+systemctl enable --now nginx
+</code>
+**Step 2: Generate a self-signed certificate**
+bash
+<code>
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+  -keyout /etc/nginx/ssl/keycloak.key \
+  -out /etc/nginx/ssl/keycloak.crt \
+  -subj "/CN=64.227.190.56"
+</code>
+**Step 3: Create Nginx config for Keycloak**
+bash
+<code>
+nano /etc/nginx/conf.d/keycloak.conf
+</code>
+<code>
+server {
+  listen 443 ssl;
+  server_name 64.227.190.56;
+  ssl_certificate     /etc/nginx/ssl/keycloak.crt;
+  ssl_certificate_key /etc/nginx/ssl/keycloak.key;
+  # Security headers
+  add_header Strict-Transport-Security "max-age=31536000" always;
+  add_header X-Frame-Options SAMEORIGIN;
+  add_header X-Content-Type-Options nosniff;
+  location / {
+      proxy_pass http://localhost:8080;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_buffer_size 128k;
+      proxy_buffers 4 256k;
+      proxy_busy_buffers_size 256k;
+  }
+}
+server {
+  listen 80;
+  server_name 64.227.190.56;
+  return 301 https://$host$request_uri;
+}
+</code>
+Modified docker-compose.yml as follows
+<code>
+keycloak:
+image: quay.io/keycloak/keycloak:26.1.0
+container_name: keycloak_app
+command: start
+ports:
+  - "8080:8080"
+environment:
+  KC_DB: postgres
+  KC_DB_URL: jdbc:postgresql://keycloak_db:5432/keycloak
+  KC_DB_USERNAME: keycloak_user
+  KC_DB_PASSWORD:
+  KC_BOOTSTRAP_ADMIN_USERNAME: admin
+  KC_BOOTSTRAP_ADMIN_PASSWORD:
+  KC_HTTP_ENABLED: "true"
+  KC_HTTP_PORT: "8080"
+  KC_PROXY_HEADERS: xforwarded
+  KC_HOSTNAME: "https://64.227.190.56"
+  KC_HOSTNAME_STRICT: "false"
+</code>
+Start NginX
+<code>
+systemctl restart nginx
+</code>
+Check/Configure Firewall rules for URL as follows
+**Configure Inbound Rules**
+Add these inbound rules:
+^Type^Protocol^Port^Sources|
+|HTTP|TCP|80|All IPv4, All IPv6|
+|HTTPS|TCP|443|All IPv4, All IPv6|
+|SSH|TCP|22| \\ All IPv4, All IPv6|
+Allow Nginx to connect to local ports
+<code>
+ setsebool -P httpd_can_network_connect 1
+#or
+setenforce 1
+</code>
+Stop docker and NginX and start again.
+===== cPanel's userdata include =====
+**Step 1: Create the userdata directories**
+bash
+<code>
+mkdir -p /etc/apache2/conf.d/userdata/std/2_4/ctapi/kcloak.ctapi.in/
+mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/ctapi/kcloak.ctapi.in/
+</code>
+**Step 2: Create HTTP proxy config**
+bash
+<code>
+nano /etc/apache2/conf.d/userdata/std/2_4/ctapi/kcloak.ctapi.in/proxy.conf
+</code>
+Add:
+<code>
+RewriteEngine On RewriteRule ^(.*)$ https://kcloak.ctapi.in$1 [R=301,L]<code>
+**Step 3: Create HTTPS proxy config**
+bash
+<code>nano /etc/apache2/conf.d/userdata/ssl/2_4/ctapi/kcloak.ctapi.in/proxy.conf
+</code>
+Add:
+<code>
+ProxyPreserveHost On\
+ProxyPass / http://127.0.0.1:8080/\
+ProxyPassReverse / http://127.0.0.1:8080/\
+RequestHeader set X-Forwarded-Proto "https"\
+RequestHeader set X-Forwarded-Port "443"
+</code>
+**Step 4: Rebuild Apache config and restart**
+bash
+<code>
+/scripts/rebuildhttpdconf
+httpd -t
+systemctl restart httpd
+</code>
+Then test:
+bash
+<code>
+curl -I https://kcloak.ctapi.in
+</code>
+Expected result:
+<code>
+curl -I [[https://kcloak.ctapi.in/|https://kcloak.ctapi.in]]
+HTTP/1.1 302 Found Date: Thu, 26 Feb 2026 11:22:25 GMT
+Server: Apache
+Location: [[https://kcloak.ctapi.in/admin/|https://kcloak.ctapi.in/admin/]]
+Referrer-Policy: no-referrer
+Strict-Transport-Security: max-age=31536000; includeSubDomains
+X-Content-Type-Options: nosniff
+X-XSS-Protection: 1;
+mode=block
+</code>
+Check for **Location: https://kcloak.ctapi.in/admin/|https://kcloak.ctapi.in/admin/**
+This is poining to correct directory and not apache direcoty with cgi folder.