Hello,
I am new to advanced keycloak configuration, have been using keycloak WildFly distribution as a single instance for my project without any problem.
For the WildFly distribution, there are lots of documents and topics about Keycloak clusters. However, I couldn't find much about the Quarkus distribution. I need a shared database cluster setup for failover scenarios. I use this as cache-ispn.xml (JDBC_PING): Keycloak 17 example using JGroups JDBC_PING discovery protocol for Infinispan · GitHub
I am trying the following setup and couldn’t even achieve reverse proxy settings.
Could you please help with the configuration (or suggest a better way)? My approach may be wrong, I am not sure about it.
For now, using Docker and Kubernetes is not an option.
Server 1: kyc.serverdomain
NGINX Loadbalancing (I know round robin is not a good option, just trying to make it work for now)
Note: Connection should be secure to other servers.
Nginx Conf:

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name kyc.example.com;
    return 302 https://$server_name$request_uri;
}

upstream keycloak-cluster {
    server kyc1.example.com;
    server kyc2.example.com;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name kyc.example.com;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://keycloak-cluster;
    }

    ssl_certificate /etc/letsencrypt/live/kyc.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kyc.example.com/privkey.pem;
}
```
Server 2: kyc1.serverdomain
Keycloak Instance 1
Nginx Conf:

```nginx
server {
    server_name kyc1.example.com;
    return 302 https://$server_name$request_uri;
}

server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    server_name kyc1.example.com;
    ssl_certificate /etc/letsencrypt/live/kyc1.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kyc1.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass https://0.0.0.0:8443/;
        proxy_http_version 1.1;
        proxy_set_header Host $server_name:$server_port;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```
Keycloak Conf:

```properties
db=postgres
db-username=db_user_1
db-password=password
db-url=jdbc:postgresql://postgresql.example.com/keycloak_cluster_db
https-certificate-file=/etc/letsencrypt/live/kyc1.example.com/cert.pem
https-certificate-key-file=/etc/letsencrypt/live/kyc1.example.com/privkey.pem
proxy=edge
hostname=kyc.example.com
https-port=8443
hostname-strict-backchannel=true
```

**Not sure if `hostname` is correct; if I change it to kyc1.example.com it works well in a single instance.**
Server 3: kyc2.serverdomain
Keycloak Instance 2
Configuration is the same except the domain is kyc2.serverdomain
Server 4: PostgreSQL
Shared database for both instances
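The post ends here. What follows is an added diagnostic example, not part of the original post and not Keycloak's or nginx's own code. It targets the point the poster is unsure about: behind a load balancer every node must advertise the same public issuer (`https://` plus the `hostname` value), which is what the `hostname` option together with the forwarded `Host` and `X-Forwarded-Proto` headers control. The script fetches each node's OpenID discovery document and reports when a node leaks its own name, an `http` scheme or the 8443 port into the issuer, or when the nodes disagree with each other. The public host `kyc.example.com`, the realm `master` and the sample documents are assumptions; the base URLs are whatever you pass on the command line (the load balancer several times, or each node directly).

```python
# Added diagnostic example for a Keycloak (Quarkus) cluster behind a reverse
# proxy. Not from the original post. Assumptions: public host kyc.example.com,
# realm "master", nodes reachable at the base URLs given on the command line.
import json
import sys
import urllib.request
from urllib.parse import urlsplit

# Discovery endpoint of the Quarkus distribution (no /auth prefix).
DISCOVERY_PATH = "/realms/{realm}/.well-known/openid-configuration"


def parse_issuer(discovery_json: str) -> str:
    """Return the 'issuer' field of an OpenID discovery document."""
    return json.loads(discovery_json)["issuer"]


def check_issuer(issuer: str, public_host: str, realm: str) -> list:
    """Return the problems with the issuer one node advertises.

    An empty list means the node presents the public hostname over https
    without a private port, which is what clients need no matter which
    backend the load balancer picked for them."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https' "
                        "(is X-Forwarded-Proto reaching Keycloak?)")
    if parts.hostname != public_host:
        problems.append(f"host is {parts.hostname!r}, expected {public_host!r} "
                        "(check the hostname option and the forwarded Host header)")
    if parts.port is not None and parts.port != 443:
        problems.append(f"issuer carries port {parts.port}; public clients expect 443")
    if parts.path.rstrip("/") != f"/realms/{realm}":
        problems.append(f"path is {parts.path!r}, expected '/realms/{realm}'")
    return problems


def issuers_agree(issuers) -> bool:
    """True when every node advertises exactly the same issuer string."""
    return len(set(issuers)) == 1


def fetch_discovery(base_url: str, realm: str, timeout: float = 5.0) -> str:
    """Fetch the discovery document from one base URL (network call)."""
    url = base_url.rstrip("/") + DISCOVERY_PATH.format(realm=realm)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample documents, not captured from a real server.
SAMPLE_OK = '{"issuer": "https://kyc.example.com/realms/master"}'
SAMPLE_BAD = '{"issuer": "http://kyc1.example.com:8443/realms/master"}'


def audit(docs: dict, public_host: str, realm: str) -> dict:
    """Run the checks over {label: discovery_json}.

    Returns {label: [problems]} and adds a synthetic "cluster" entry when
    the nodes do not all advertise the same issuer."""
    report = {label: check_issuer(parse_issuer(doc), public_host, realm)
              for label, doc in docs.items()}
    issuers = [parse_issuer(doc) for doc in docs.values()]
    if not issuers_agree(issuers):
        report["cluster"] = ["nodes advertise different issuers: "
                             + ", ".join(sorted(set(issuers)))]
    return report


def main(argv) -> int:
    if len(argv) < 4:
        print("usage: kc_issuer_check.py PUBLIC_HOST REALM BASE_URL [BASE_URL ...]")
        print("no URLs given, running on the constructed samples instead")
        host, realm = "kyc.example.com", "master"
        docs = {"sample-ok": SAMPLE_OK, "sample-bad": SAMPLE_BAD}
    else:
        host, realm, urls = argv[1], argv[2], argv[3:]
        docs = {url: fetch_discovery(url, realm) for url in urls}
    report = audit(docs, host, realm)
    for label, problems in report.items():
        print(f"{label}: {'ok' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
    return 0 if not any(report.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once against the load balancer and once against each node directly, e.g. `python3 kc_issuer_check.py kyc.example.com master https://kyc.example.com https://kyc1.example.com https://kyc2.example.com`. A node that only reports `host is 'kyc1.example.com'` when queried directly but is clean through the balancer is behaving as the `hostname` option intends; a mismatch through the balancer, or a `cluster` line, is the configuration problem to chase before looking at Infinispan.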