iam_production_deployment_guide

Previous revision: iam_production_deployment_guide [2026/02/26 10:11] – [9. Automated PostgreSQL Backup] pradnya
Current revision: iam_production_deployment_guide [2026/02/26 12:47] (current) – [cPanel's userdata include] pradnya
Line 331: Line 331:
 </code> </code>
  
-===== Proxy through NGINX =====+===== Proxy through NGINX - Droplet FIX =====
  
-To resolve on browser error "We are sorry... HTTPS required"+To resolve on browser error "We are sorry… HTTPS required"
  
 **Step 1: Install Nginx on Alma Linux** **Step 1: Install Nginx on Alma Linux**
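Review bot: the heading change to "Proxy through NGINX - Droplet FIX" is a style point: "FIX" in a section title does not tell a reader what the section covers, and a descriptive title such as "Proxy through NGINX (droplet, HTTPS required error)" would read better in the table of contents. In the same hunk the quoted browser error "We are sorry... HTTPS required" had its three ASCII dots replaced by a single ellipsis character "…"; readers paste the literal error text into the wiki search, so keep the dots as the browser prints them or the page will no longer be found by that search.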
Line 339: Line 339:
 bash bash
  
-<code>''dnf install -y nginx +<code> 
-systemctl enable --now nginx''+dnf install -y nginx 
 +systemctl enable --now nginx
  
 </code> </code>
 +
 **Step 2: Generate a self-signed certificate** **Step 2: Generate a self-signed certificate**
  
 bash bash
  
-<code>''mkdir -p /etc/nginx/ssl+<code> 
 +mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
   -keyout /etc/nginx/ssl/keycloak.key \   -keyout /etc/nginx/ssl/keycloak.key \
   -out /etc/nginx/ssl/keycloak.crt \   -out /etc/nginx/ssl/keycloak.crt \
-  -subj "/CN=64.227.190.56"''+  -subj "/CN=64.227.190.56"
  
 </code> </code>
 +
 **Step 3: Create Nginx config for Keycloak** **Step 3: Create Nginx config for Keycloak**
  
 bash bash
  
-<code>''nano /etc/nginx/conf.d/keycloak.conf''+<code> 
 +nano /etc/nginx/conf.d/keycloak.conf
  
 </code> </code>
 +
 +<code>
 +server {
 +  listen 443 ssl;
 +  server_name 64.227.190.56;
 +
 +  ssl_certificate     /etc/nginx/ssl/keycloak.crt;
 +  ssl_certificate_key /etc/nginx/ssl/keycloak.key;
 +
 +  # Security headers
 +  add_header Strict-Transport-Security "max-age=31536000" always;
 +  add_header X-Frame-Options SAMEORIGIN;
 +  add_header X-Content-Type-Options nosniff;
 +
 +  location / {
 +      proxy_pass http://localhost:8080;
 +      proxy_set_header Host $host;
 +      proxy_set_header X-Real-IP $remote_addr;
 +      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +      proxy_set_header X-Forwarded-Proto $scheme;
 +      proxy_buffer_size 128k;
 +      proxy_buffers 4 256k;
 +      proxy_busy_buffers_size 256k;
 +  }
 +}
 +
 +server {
 +  listen 80;
 +  server_name 64.227.190.56;
 +  return 301 https://$host$request_uri;
 +}
 +
 +</code>
 +
 +Modified docker-compose.yml as follows
 +
 +<code>
 +keycloak:
 +image: quay.io/keycloak/keycloak:26.1.0
 +container_name: keycloak_app
 +command: start
 +ports:
 +  - "8080:8080"
 +environment:
 +  KC_DB: postgres
 +  KC_DB_URL: jdbc:postgresql://keycloak_db:5432/keycloak
 +  KC_DB_USERNAME: keycloak_user
 +  KC_DB_PASSWORD:
 +  KC_BOOTSTRAP_ADMIN_USERNAME: admin
 +  KC_BOOTSTRAP_ADMIN_PASSWORD:
 +  KC_HTTP_ENABLED: "true"
 +  KC_HTTP_PORT: "8080"
 +  KC_PROXY_HEADERS: xforwarded
 +  KC_HOSTNAME: "https://64.227.190.56"
 +  KC_HOSTNAME_STRICT: "false"
 +
 +</code>
 +
 +Start NginX
 +
 +<code>
 +systemctl restart nginx
 +
 +</code>
 +
 +Check/Configure Firewall rules for URL as follows
 +
 +**Configure Inbound Rules**
 +
 +Add these inbound rules:
 +
 +^Type^Protocol^Port^Sources|
 +|HTTP|TCP|80|All IPv4, All IPv6|
 +|HTTPS|TCP|443|All IPv4, All IPv6|
 +|SSH|TCP|22| \\ All IPv4, All IPv6|
 +
 +Allow Nginx to connect to local ports
 +<code>
 +
 + setsebool -P httpd_can_network_connect 1
 +
 +#or
 +
 +setenforce 1
 +
 +</code>
 +
 +Stop docker and NginX and start again.
 +
 +===== cPanel's userdata include =====
 +
 +**Step 1: Create the userdata directories**
 +
 +bash
 +
 +<code>
 +mkdir -p /etc/apache2/conf.d/userdata/std/2_4/ctapi/kcloak.ctapi.in/
 +mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/ctapi/kcloak.ctapi.in/
 +
 +</code>
 +
 +**Step 2: Create HTTP proxy config**
 +
 +bash
 +
 +<code>
 +nano /etc/apache2/conf.d/userdata/std/2_4/ctapi/kcloak.ctapi.in/proxy.conf
 +
 +</code>
 +
 +Add:
 +
 +<code>
 +RewriteEngine On RewriteRule ^(.*)$ https://kcloak.ctapi.in$1 [R=301,L]<code>
 +
 +**Step 3: Create HTTPS proxy config**
 +
 +bash
 +
 +<code>nano /etc/apache2/conf.d/userdata/ssl/2_4/ctapi/kcloak.ctapi.in/proxy.conf
 +
 +</code>
 +
 +Add:
 +
 +<code>
 +ProxyPreserveHost On\
 +ProxyPass / http://127.0.0.1:8080/\
 +ProxyPassReverse / http://127.0.0.1:8080/\
 +RequestHeader set X-Forwarded-Proto "https"\
 +RequestHeader set X-Forwarded-Port "443"
 +
 +</code>
 +
 +**Step 4: Rebuild Apache config and restart**
 +
 +bash
 +
 +<code>
 +/scripts/rebuildhttpdconf
 +httpd -t
 +systemctl restart httpd
 +
 +</code>
 +
 +Then test:
 +
 +bash
 +
 +<code>
 +curl -I https://kcloak.ctapi.in
 +
 +</code>
 +
 +Expected result:
 +
 +<code>
 +curl -I [[https://kcloak.ctapi.in/|https://kcloak.ctapi.in]]
 +
 +HTTP/1.1 302 Found Date: Thu, 26 Feb 2026 11:22:25 GMT
 +
 +Server: Apache
 +
 +Location: [[https://kcloak.ctapi.in/admin/|https://kcloak.ctapi.in/admin/]]
 +
 +Referrer-Policy: no-referrer
 +
 +Strict-Transport-Security: max-age=31536000; includeSubDomains
 +
 +X-Content-Type-Options: nosniff
 +
 +X-XSS-Protection: 1;
 +
 +mode=block
 +
 +</code>
 +
 +Check for **Location: https://kcloak.ctapi.in/admin/|https://kcloak.ctapi.in/admin/**
 +
 +This is poining to correct directory and not apache direcoty with cgi folder.
  
  
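Review bot: the HTTPS proxy.conf from `ProxyPreserveHost On\` down to `RequestHeader set X-Forwarded-Port "443"` carries a trailing backslash on every line but the last; Apache treats a trailing backslash as a line continuation, so the five directives collapse into one logical line and `httpd -t` in step 4 will reject the file. Drop the backslashes and keep one directive per line. The HTTP proxy.conf has a related defect: `RewriteEngine On RewriteRule ^(.*)$ https://kcloak.ctapi.in$1 [R=301,L]<code>` puts two directives on one line and closes the block with `<code>` instead of `</code>`, which leaves the wiki markup unbalanced from that point on; split the directives onto two lines and fix the closing tag. In the SELinux section, `setenforce 1` is not an alternative to `setsebool -P httpd_can_network_connect 1`: it switches SELinux to enforcing mode and grants nothing, so the `#or` branch is misleading and should be removed, leaving only the persistent boolean, which is the correct least-privilege fix. In the docker-compose fragment the keys from `image:` down sit at the same indentation as `keycloak:`, so as written the file does not have the nesting Compose expects; and `- "8080:8080"` publishes Keycloak's plain-HTTP listener on every interface, while the point of this section is that clients reach Keycloak only through the TLS proxy, so bind it to loopback (`"127.0.0.1:8080:8080"`), which is all the `proxy_pass http://localhost:8080` and `http://127.0.0.1:8080/` targets need. `KC_DB_PASSWORD:` and `KC_BOOTSTRAP_ADMIN_PASSWORD:` are empty, which YAML reads as null; if the values were redacted for the wiki, say so and point at an env file or secret rather than leaving a fragment with no database password; also note that the bootstrap admin account is meant for first start only and should be replaced by a permanent admin afterwards. `KC_HOSTNAME_STRICT: "false"` is only needed when the hostname is resolved dynamically from request headers; with `KC_HOSTNAME` pinned to `https://64.227.190.56` it buys nothing and should stay at its default of true. The self-signed certificate is created with only `-subj "/CN=64.227.190.56"`; browsers validate an IP address against the subjectAltName, not the CN, so add `-addext "subjectAltName=IP:64.227.190.56"` to the openssl command, or state that the certificate is expected to be trusted manually. The inbound rule `SSH|TCP|22|All IPv4, All IPv6` should be restricted to the administrators' source ranges; nothing in this guide needs SSH reachable from everywhere. Finally, the "Expected result" block was pasted with wiki link markup (`[[https://kcloak.ctapi.in/|https://kcloak.ctapi.in]]`) inside `<code>`, the `HTTP/1.1 302 Found` and `Date:` headers run together on one line while `X-XSS-Protection: 1; mode=block` is split across two, and the closing sentence has "poining" and "direcoty"; paste the raw curl output and fix the typos.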
iam_production_deployment_guide.1772100691.txt.gz · Last modified: by pradnya