I have summarized, for my own reference, the fastest procedure for showing customers what the Keycloak UI looks like. If you only need to try it out, run it with Docker on your local machine:
# docker run jboss/keycloak
This should be the fastest.
According to the Keycloak documentation, Server Installation and Configuration Guide https://keycloak-documentation.openstandia.jp/master/ja_JP/server_installation/index.html
the system requirements are as follows
So I will build it on a free-tier EC2 t2.micro instance.
Proceed with mostly default settings and allow SSH and HTTPS inbound in the security group. After logging in to the server over SSH, run the commands below as root.
# amazon-linux-extras install -y java-openjdk11 nginx1
Once Java and nginx are installed, download and install Keycloak.
# cd /usr/local/src/
# wget https://github.com/keycloak/keycloak/releases/download/12.0.1/keycloak-12.0.1.tar.gz
# tar zxf keycloak-12.0.1.tar.gz
# mv keycloak-12.0.1 /opt/keycloak
Creating a root user
# cd /opt/keycloak/
# ./bin/add-user-keycloak.sh -r master -u user1 -p password1
Added 'user1' to '/opt/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user
Change the standalone settings (otherwise you will get stuck on the nginx integration)
# cp ./standalone/configuration/standalone.xml ./standalone/configuration/standalone.xml.org
# vi ./standalone/configuration/standalone.xml
# diff ./standalone/configuration/standalone.xml.org ./standalone/configuration/standalone.xml
483c483
< <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
---
> <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" proxy-address-forwarding="true"/>
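Review bot: with proxy-address-forwarding="true" on the default http-listener, Keycloak takes the client address and scheme from the X-Forwarded-* headers of whoever connects to the http socket, so that socket should be reachable only from nginx. The start command below binds with -b=0.0.0.0 while nginx proxies to 127.0.0.1:8080; binding to 127.0.0.1 instead keeps port 8080 off the external interface rather than relying on the security group alone.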
Start keycloak
# ./bin/standalone.sh -b=0.0.0.0 &
nginx settings
# cd /etc/nginx/
# cp -p nginx.conf nginx.conf.org
# vi nginx.conf
# diff nginx.conf.org nginx.conf
58,67c58,67
< # server {
< # listen 443 ssl http2;
< # listen [::]:443 ssl http2;
< # server_name _;
< # root /usr/share/nginx/html;
< #
< # ssl_certificate "/etc/pki/nginx/server.crt";
< # ssl_certificate_key "/etc/pki/nginx/private/server.key";
< # ssl_session_cache shared:SSL:1m;
< # ssl_session_timeout 10m;
---
> server {
> listen 443 ssl http2;
> listen [::]:443 ssl http2;
> server_name _;
> root /usr/share/nginx/html;
>
> ssl_certificate "/etc/nginx/crt.pem";
> ssl_certificate_key "/etc/nginx/key.pem";
> ssl_session_cache shared:SSL:1m;
> ssl_session_timeout 10m;
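Review bot: ssl_certificate_key now points at /etc/nginx/key.pem, a file that is created with vi as root further down and so gets the default file mode (typically 0644, readable by every local user). Restrict it to the owner, for example with chmod 600 /etc/nginx/key.pem, before starting nginx.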
69,81c69,92
< # ssl_prefer_server_ciphers on;
< #
< # # Load configuration files for the default server block.
< # include /etc/nginx/default.d/*.conf;
< #
< # error_page 404 /404.html;
< # location = /40x.html {
< # }
< #
< # error_page 500 502 503 504 /50x.html;
< # location = /50x.html {
< # }
< # }
---
> ssl_prefer_server_ciphers on;
>
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Server $host;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
>
> # Load configuration files for the default server block.
> include /etc/nginx/default.d/*.conf;
>
> error_page 404 /404.html;
> location = /40x.html {
> }
>
> error_page 500 502 503 504 /50x.html;
> location = /50x.html {
> }
>
> location / {
> proxy_pass http://127.0.0.1:8080;
> }
> }
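Review bot: the X-Forwarded-For line uses $proxy_add_x_forwarded_for, which appends $remote_addr to whatever X-Forwarded-For value the client already sent, so a client-chosen address is passed on to Keycloak, which trusts this header once proxy-address-forwarding is on. If nginx is the first hop, as in this setup, set it with proxy_set_header X-Forwarded-For $remote_addr; so only the address nginx actually saw is forwarded.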
# vi /etc/nginx/crt.pem
# vi /etc/nginx/key.pem
Start nginx
# systemctl start nginx
That's it. You should now be able to open Keycloak by accessing the domain.
After moving to the Administration Console, log in as the root user created earlier.
I was able to log in, so it was a success.
The rest I will learn from here on. That's all~
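A post-install check for the setup above, as an added example that is not part of the original post: it verifies that the listener change was applied, that the TLS key is not readable by other users, and that port 8080 is reachable only through nginx. It assumes GNU `stat` and `ss` as found on Amazon Linux; the function names and the `--run` argument are hypothetical.

```shell
#!/bin/bash
# Added example: sanity checks for Keycloak behind nginx (not from the original post).

# 0 if the default http-listener in standalone.xml honours X-Forwarded-* headers.
listener_trusts_proxy() {
    grep -E '<http-listener [^>]*name="default"' "$1" \
        | grep -q 'proxy-address-forwarding="true"'
}

# 0 if the file grants no permissions to group or others (mode ends in 00).
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Reads `ss -ltn` output on stdin; 0 if PORT listens on loopback only (or not at all).
port_is_loopback_only() {
    awk -v p=":$1" '
        { addr = $4 }                                   # Local Address:Port column
        substr(addr, length(addr) - length(p) + 1) == p {
            host = substr(addr, 1, length(addr) - length(p))
            if (host != "127.0.0.1" && host != "[::1]") bad = 1
        }
        END { exit bad + 0 }
    '
}

# Paths below are the ones used in this article.
if [ "${1:-}" = "--run" ]; then
    listener_trusts_proxy /opt/keycloak/standalone/configuration/standalone.xml \
        || echo "WARN: proxy-address-forwarding is not enabled on the default listener"
    key_is_private /etc/nginx/key.pem \
        || echo "WARN: /etc/nginx/key.pem is accessible to group/others (chmod 600)"
    ss -ltn | port_is_loopback_only 8080 \
        || echo "WARN: port 8080 listens beyond loopback (start with -b=127.0.0.1)"
fi
```

Run it as root on the server with `--run`; no output means all three checks passed.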