iam_production_deployment_guide

iam_production_deployment_guide [2026/02/26 10:12] – [Proxy through NGINX] pradnya
iam_production_deployment_guide [2026/02/26 12:47] (current) – [cPanel's userdata include] pradnya
Line 331: Line 331:
 </code> </code>
  
-===== Proxy through NGINX =====+===== Proxy through NGINX - Droplet FIX =====
  
 To resolve on browser error "We are sorry… HTTPS required" To resolve on browser error "We are sorry… HTTPS required"
Line 368: Line 368:
  
 <code> <code>
- +server { 
-server {\\ +  listen 443 ssl;
-  listen 443 ssl;\\+
   server_name 64.227.190.56;   server_name 64.227.190.56;
  
-  ssl_certificate     /etc/nginx/ssl/keycloak.crt;\\+  ssl_certificate     /etc/nginx/ssl/keycloak.crt;
   ssl_certificate_key /etc/nginx/ssl/keycloak.key;   ssl_certificate_key /etc/nginx/ssl/keycloak.key;
  
-  # Security headers\\ +  # Security headers 
-  add_header Strict-Transport-Security "max-age=31536000" always;\\ +  add_header Strict-Transport-Security "max-age=31536000" always; 
-  add_header X-Frame-Options SAMEORIGIN;\\+  add_header X-Frame-Options SAMEORIGIN;
   add_header X-Content-Type-Options nosniff;   add_header X-Content-Type-Options nosniff;
  
-  location / {\\ +  location / { 
-      proxy_pass http://localhost:8080;\\ +      proxy_pass http://localhost:8080; 
-      proxy_set_header Host $host;\\ +      proxy_set_header Host $host; 
-      proxy_set_header X-Real-IP $remote_addr;\\ +      proxy_set_header X-Real-IP $remote_addr; 
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\\ +      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
-      proxy_set_header X-Forwarded-Proto $scheme;\\ +      proxy_set_header X-Forwarded-Proto $scheme; 
-      proxy_buffer_size 128k;\\ +      proxy_buffer_size 128k; 
-      proxy_buffers 4 256k;\\ +      proxy_buffers 4 256k; 
-      proxy_busy_buffers_size 256k;\\ +      proxy_busy_buffers_size 256k; 
-  }\\+  }
 } }
  
-server {\\ +server { 
-  listen 80;\\ +  listen 80; 
-  server_name 64.227.190.56;\\ +  server_name 64.227.190.56; 
-  return 301 https://$host$request_uri;\\+  return 301 https://$host$request_uri;
 } }
  
 +</code>
 +
 +Modified docker-compose.yml as follows
 +
 +<code>
 +keycloak:
 +image: quay.io/keycloak/keycloak:26.1.0
 +container_name: keycloak_app
 +command: start
 +ports:
 +  - "8080:8080"
 +environment:
 +  KC_DB: postgres
 +  KC_DB_URL: jdbc:postgresql://keycloak_db:5432/keycloak
 +  KC_DB_USERNAME: keycloak_user
 +  KC_DB_PASSWORD:
 +  KC_BOOTSTRAP_ADMIN_USERNAME: admin
 +  KC_BOOTSTRAP_ADMIN_PASSWORD:
 +  KC_HTTP_ENABLED: "true"
 +  KC_HTTP_PORT: "8080"
 +  KC_PROXY_HEADERS: xforwarded
 +  KC_HOSTNAME: "https://64.227.190.56"
 +  KC_HOSTNAME_STRICT: "false"
  
 </code> </code>
 +
 +Start NginX
 +
 +<code>
 +systemctl restart nginx
 +
 +</code>
 +
 +Check/Configure Firewall rules for URL as follows
 +
 +**Configure Inbound Rules**
 +
 +Add these inbound rules:
 +
 +^Type^Protocol^Port^Sources|
 +|HTTP|TCP|80|All IPv4, All IPv6|
 +|HTTPS|TCP|443|All IPv4, All IPv6|
 +|SSH|TCP|22| \\ All IPv4, All IPv6|
 +
 +Allow Nginx to connect to local ports
 +<code>
 +
 + setsebool -P httpd_can_network_connect 1
 +
 +#or
 +
 +setenforce 1
 +
 +</code>
 +
 +Stop docker and NginX and start again.
 +
 +===== cPanel's userdata include =====
 +
 +**Step 1: Create the userdata directories**
 +
 +bash
 +
 +<code>
 +mkdir -p /etc/apache2/conf.d/userdata/std/2_4/ctapi/kcloak.ctapi.in/
 +mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/ctapi/kcloak.ctapi.in/
 +
 +</code>
 +
 +**Step 2: Create HTTP proxy config**
 +
 +bash
 +
 +<code>
 +nano /etc/apache2/conf.d/userdata/std/2_4/ctapi/kcloak.ctapi.in/proxy.conf
 +
 +</code>
 +
 +Add:
 +
 +<code>
 +RewriteEngine On RewriteRule ^(.*)$ https://kcloak.ctapi.in$1 [R=301,L]<code>
 +
 +**Step 3: Create HTTPS proxy config**
 +
 +bash
 +
 +<code>nano /etc/apache2/conf.d/userdata/ssl/2_4/ctapi/kcloak.ctapi.in/proxy.conf
 +
 +</code>
 +
 +Add:
 +
 +<code>
 +ProxyPreserveHost On\
 +ProxyPass / http://127.0.0.1:8080/\
 +ProxyPassReverse / http://127.0.0.1:8080/\
 +RequestHeader set X-Forwarded-Proto "https"\
 +RequestHeader set X-Forwarded-Port "443"
 +
 +</code>
 +
 +**Step 4: Rebuild Apache config and restart**
 +
 +bash
 +
 +<code>
 +/scripts/rebuildhttpdconf
 +httpd -t
 +systemctl restart httpd
 +
 +</code>
 +
 +Then test:
 +
 +bash
 +
 +<code>
 +curl -I https://kcloak.ctapi.in
 +
 +</code>
 +
 +Expected result:
 +
 +<code>
 +curl -I [[https://kcloak.ctapi.in/|https://kcloak.ctapi.in]]
 +
 +HTTP/1.1 302 Found Date: Thu, 26 Feb 2026 11:22:25 GMT
 +
 +Server: Apache
 +
 +Location: [[https://kcloak.ctapi.in/admin/|https://kcloak.ctapi.in/admin/]]
 +
 +Referrer-Policy: no-referrer
 +
 +Strict-Transport-Security: max-age=31536000; includeSubDomains
 +
 +X-Content-Type-Options: nosniff
 +
 +X-XSS-Protection: 1;
 +
 +mode=block
 +
 +</code>
 +
 +Check for **Location: https://kcloak.ctapi.in/admin/|https://kcloak.ctapi.in/admin/**
 +
 +This is poining to correct directory and not apache direcoty with cgi folder.
  
  
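Review bot: the docker-compose block publishes Keycloak with `ports: - "8080:8080"`, which binds the plain-HTTP listener on every host interface, so the TLS termination, HSTS and header hardening in the nginx `server` block above can be bypassed by talking to port 8080 directly; since `proxy_pass http://localhost:8080` only needs loopback, bind it as `- "127.0.0.1:8080:8080"` rather than relying on the inbound-rule table (which lists only 80, 443 and 22) to keep 8080 closed. In the SELinux block, `setenforce 1` under `#or` is not an alternative to `setsebool -P httpd_can_network_connect 1`: it only switches SELinux to enforcing mode and grants nothing, so the boolean is the fix and the `#or` branch should go (do not swap in `setenforce 0`, which would turn enforcement off host-wide). In Step 3 every line of the SSL `proxy.conf` ends in `\`, which httpd treats as line continuation, so the five directives collapse into one `ProxyPreserveHost On ProxyPass / ...` line and the `httpd -t` in Step 4 will reject it; drop the backslashes. In Step 2 the two directives `RewriteEngine On` and `RewriteRule ^(.*)$ https://kcloak.ctapi.in$1 [R=301,L]` must be on separate lines, and that block is closed with `<code>` instead of `</code>`, which breaks the wiki rendering of everything after it; the `[[...|...]]` link markup inside the "Expected result" `<code>` block and the split `X-XSS-Protection: 1;` / `mode=block` header are the same kind of paste debris. Finally, with `KC_HOSTNAME_STRICT: "false"` Keycloak will honour whatever host the proxy forwards; once the `kcloak.ctapi.in` name from the cPanel section is final, set `KC_HOSTNAME` to it and re-enable strict hostname checking.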
iam_production_deployment_guide.1772100757.txt.gz · Last modified: by pradnya