From ca842dc6c939e3744db5607ddaa6438d6278f080 Mon Sep 17 00:00:00 2001
From: Daisie Huang
Date: Fri, 11 Oct 2024 13:53:23 -0700
Subject: [PATCH 1/2] attach the proxy-headers value to CANDIG_PRODUCTION_MODE

---
 lib/keycloak/credential_loader.sh | 2 +-
 lib/keycloak/docker-compose.yml | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/keycloak/credential_loader.sh b/lib/keycloak/credential_loader.sh
index d09f455e5..d4fafce41 100755
--- a/lib/keycloak/credential_loader.sh
+++ b/lib/keycloak/credential_loader.sh
@@ -4,7 +4,7 @@
 export KEYCLOAK_ADMIN_PASSWORD=$(< /run/secrets/keycloak-admin-password)
 
 if [ "$CANDIG_PRODUCTION_MODE" = 1 ]; then
-    exec /opt/keycloak/bin/kc.sh start
+    exec /opt/keycloak/bin/kc.sh --proxy-headers=xforwarded start
 else
     exec /opt/keycloak/bin/kc.sh start-dev
 fi
\ No newline at end of file
diff --git a/lib/keycloak/docker-compose.yml b/lib/keycloak/docker-compose.yml
index dbd424a95..d888e7a4d 100644
--- a/lib/keycloak/docker-compose.yml
+++ b/lib/keycloak/docker-compose.yml
@@ -18,7 +18,6 @@ services:
       KC_METRICS_ENABLED: true
       QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY: true
       KC_HTTP_ENABLED: true
-      # KC_PROXY_HEADERS: xforwarded # FOR PROD
       CANDIG_PRODUCTION_MODE: ${CANDIG_PRODUCTION_MODE}
     secrets:
       - keycloak-admin-password

From b292a0e8660514fd33fb6826aeef07c915b7a748 Mon Sep 17 00:00:00 2001
From: Daisie Huang
Date: Fri, 11 Oct 2024 14:26:37 -0700
Subject: [PATCH 2/2] use an env setting

---
 etc/env/example.env | 4 ++++
 lib/keycloak/credential_loader.sh | 6 +++++-
 lib/keycloak/docker-compose.yml | 1 +
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/etc/env/example.env b/etc/env/example.env
index 317040d9e..d7a258ca8 100644
--- a/etc/env/example.env
+++ b/etc/env/example.env
@@ -174,6 +174,10 @@ KEYCLOAK_PRIVATE_URL=${KEYCLOAK_PRIVATE_PROTO}://${CANDIG_AUTH_DOMAIN}:${KEYCLOA
 KEYCLOAK_REALM_URL=${KEYCLOAK_PUBLIC_URL}/auth/realms/${KEYCLOAK_REALM}
 KEYCLOAK_GENERATE_TEST_USER=1
 
+# some production instances use a reverse proxy: if needed, set this to "xforwarded" or "forwarded"
+# https://www.keycloak.org/server/reverseproxy
+KEYCLOAK_PROXY_HEADERS=none
+
 # query service
 QUERY_VERSION=2.3.0
 QUERY_PORT=1236
diff --git a/lib/keycloak/credential_loader.sh b/lib/keycloak/credential_loader.sh
index d4fafce41..fbaea70ae 100755
--- a/lib/keycloak/credential_loader.sh
+++ b/lib/keycloak/credential_loader.sh
@@ -1,10 +1,14 @@
 #!/bin/bash
 
+if [ "$KEYCLOAK_PROXY_HEADERS" != "none" ]; then
+    export cli_settings="--proxy-headers=$KEYCLOAK_PROXY_HEADERS"
+fi
+
 # Load credentials from secrets
 export KEYCLOAK_ADMIN_PASSWORD=$(< /run/secrets/keycloak-admin-password)
 
 if [ "$CANDIG_PRODUCTION_MODE" = 1 ]; then
-    exec /opt/keycloak/bin/kc.sh --proxy-headers=xforwarded start
+    exec /opt/keycloak/bin/kc.sh start $cli_settings
 else
     exec /opt/keycloak/bin/kc.sh start-dev
 fi
\ No newline at end of file
diff --git a/lib/keycloak/docker-compose.yml b/lib/keycloak/docker-compose.yml
index d888e7a4d..668c2d95a 100644
--- a/lib/keycloak/docker-compose.yml
+++ b/lib/keycloak/docker-compose.yml
@@ -18,6 +18,7 @@ services:
       KC_METRICS_ENABLED: true
       QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY: true
       KC_HTTP_ENABLED: true
+      KEYCLOAK_PROXY_HEADERS: ${KEYCLOAK_PROXY_HEADERS}
       CANDIG_PRODUCTION_MODE: ${CANDIG_PRODUCTION_MODE}
     secrets:
       - keycloak-admin-password
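Review bot: The comment above the new `KEYCLOAK_PROXY_HEADERS` line says when an operator might want the option but not what enabling it implies: per the linked Keycloak page, once `--proxy-headers` is set Keycloak takes client address and scheme from the `Forwarded`/`X-Forwarded-*` headers it receives, so the value should only be set when the reverse proxy is the sole route to Keycloak's HTTP port and rewrites those headers itself. I would extend the comment with a line such as `# Set only when a reverse proxy is the only route to Keycloak and rewrites Forwarded/X-Forwarded-* itself; Keycloak trusts those headers once this is enabled.` It would also help to note here that the value is applied only when `CANDIG_PRODUCTION_MODE=1`, since the loader changed in this series does not pass it on the `start-dev` path.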
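Review bot: The new guard at the top of `credential_loader.sh` skips the flag only when the value is exactly `none`, so an unset or empty `KEYCLOAK_PROXY_HEADERS` (any `.env` written before this key existed) yields `--proxy-headers=` with an empty value, and a typo is likewise handed straight to `kc.sh`. A `case` over the two values `example.env` documents, with the option held in an array instead of the unquoted `$cli_settings` on the `start` line, covers both and removes the word-splitting ShellCheck would flag there. The `export` on `cli_settings` is also unnecessary, as the variable is read only by this script.
```shell
case "${KEYCLOAK_PROXY_HEADERS:-none}" in
    none) cli_settings=() ;;
    forwarded|xforwarded) cli_settings=("--proxy-headers=$KEYCLOAK_PROXY_HEADERS") ;;
    *) printf '%s\n' "credential_loader: unsupported KEYCLOAK_PROXY_HEADERS value: $KEYCLOAK_PROXY_HEADERS" >&2; exit 1 ;;
esac
# … unchanged: credential loading …
if [ "$CANDIG_PRODUCTION_MODE" = 1 ]; then
    exec /opt/keycloak/bin/kc.sh start "${cli_settings[@]}"
# … unchanged: start-dev branch …
```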
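Review bot: `KEYCLOAK_PROXY_HEADERS: ${KEYCLOAK_PROXY_HEADERS}` expands to an empty string when the key is absent from `.env`, which is the state of every deployment created before this series, and compose only prints a warning for it. Giving the substitution the default the example file documents, `KEYCLOAK_PROXY_HEADERS: ${KEYCLOAK_PROXY_HEADERS:-none}`, keeps those deployments on the previous no-proxy-headers behaviour instead of passing an empty value into the loader's `!= "none"` check.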