Good morning everyone.
I want to share my problem with you, and I believe that with your help we can solve it.
Right now I have one server with Docker, and inside it I have my application with different images (backend, frontend…), I have nginx (to redirect the traffic internally) and I have Keycloak (version 23.0.3); all of these items are under one DNS name behind another nginx.
I have one external cluster with my Keycloak database.
Now I need to add another identical server to my installation, and I need to share everything in Keycloak between both servers, to avoid errors with the keys, tokens, authentications…
I need to create the cluster using the database because, for security reasons, both servers are in different networks, so I cannot use a TCP cluster.
I made some tests, with files, without files; I tried everything before coming here, but right now I cannot get this configuration to work, although I know that it's possible…
Could someone help me with this?
Thanks in advance. Best regards.
Is there a chance for rearchitecting? @hgm91hgm
The problem:
Solution 1 - Sticky sessions (but if a node fails, the user has to re-authenticate)
Solution 2 - External Infinispan (see the Keycloak guide "Configuring distributed caches")
Good morning,
Thanks for your time. I could finally connect both servers by opening the 7800 ports to enable option 3.
I tried to configure it, but both servers always start as a master.
Could you help me configure my Keycloak docker-compose?
Note: I also need to keep the internal access to Keycloak using http://keycloak:8080 on each server.
docker-compose:
  keycloak:
    # the post only kept the link title "Quay"; this is the 23.0.3 image named in the opening post
    image: quay.io/keycloak/keycloak:23.0.3
    container_name: keycloak
    environment:
      KC_HOSTNAME_STRICT: "false"
      KC_HOSTNAME_STRICT_HTTPS: "false"
      KC_HOSTNAME_STRICT_BACKCHANNEL: "false"
      KC_HOSTNAME_PATH: "/oidc-authentication"
      KC_HTTP_RELATIVE_PATH: "/oidc-authentication"
      KC_TRANSACTION_XA_ENABLED: "false"
      KC_HTTP_ENABLED: "true"
      PROXY_ADDRESS_FORWARDING: "true"
      KC_PROXY: edge
      # was LOGGING_LEVEL, which the Quarkus distribution does not read; KC_LOG_LEVEL is the documented option
      KC_LOG_LEVEL: DEBUG
    restart: always
    # the option goes after the "start" subcommand, and the flag is "--", not an en-dash
    command: "start --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true"
    networks:
      - donorportal-network
    env_file:
      - Docker.env
Thanks in advance for your help.
@hgm91hgm
OK, apparently you don't want to use external Infinispan. Try this docker-compose:
version: "3.9"
services:
  keycloak:
    image: quay.io/keycloak/keycloak:23.0.3
    container_name: keycloak
    environment:
      # Hostname settings
      KC_HOSTNAME_STRICT: "false"
      KC_HOSTNAME_STRICT_HTTPS: "false"
      KC_HOSTNAME_STRICT_BACKCHANNEL: "false"
      KC_HOSTNAME_PATH: "/oidc-authentication"
      KC_HTTP_RELATIVE_PATH: "/oidc-authentication"
      # HTTP/Proxy
      KC_HTTP_ENABLED: "true"
      PROXY_ADDRESS_FORWARDING: "true"
      KC_PROXY: edge
      # Clustering
      KC_CACHE_STACK: "tcp"
      # Provide the IPs or DNS names of both nodes here.
      # NOTE: the two JGROUPS_* variables below are names from the legacy WildFly image;
      # the Quarkus distribution (23.x) does not read them, and the built-in "tcp" stack
      # still discovers peers with multicast (MPING). A TCPPING or JDBC_PING discovery has
      # to be declared in a custom cache config selected with KC_CACHE_CONFIG_FILE.
      JGROUPS_DISCOVERY_PROTOCOL: "TCP_PING"
      JGROUPS_DISCOVERY_PROPERTIES: "initial_hosts=keycloak1:7800,keycloak2:7800;port_range=2"
      # Transaction settings
      KC_TRANSACTION_XA_ENABLED: "false"
      # Logging (was LOGGING_LEVEL, which the Quarkus distribution does not read)
      KC_LOG_LEVEL: DEBUG
    command: >
      start --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
    networks:
      - donorportal-network
    ports:
      - "8080:8080"   # internal HTTP access
      - "7800:7800"   # clustering TCP port
      - "7600:7600"   # optional JGroups/replication UDP fallback
    restart: always
networks:
  donorportal-network:
    driver: bridge
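The opening post asked for a cluster formed "using the database"; in Infinispan terms that is JDBC_PING discovery, where each node writes its address into a table of the shared Keycloak database instead of multicasting, while the cache traffic itself still runs node-to-node over TCP 7800 (so that port must stay open between the two networks, as in the second post). The fragment below is an added example, not from this thread or the Keycloak project; it assumes a PostgreSQL database (the `BYTEA` column and driver), that `KC_DB_URL`, `KC_DB_USERNAME` and `KC_DB_PASSWORD` are set in the container environment, and that the file is mounted into `/opt/keycloak/conf/` and selected with `KC_CACHE_CONFIG_FILE: cache-ispn-jdbc-ping.xml`.

```xml
<!-- Added example (not the thread's own config): a copy of Keycloak's stock
     conf/cache-ispn.xml in which only the <jgroups> block and the <transport>
     line are changed. Schema 14.0 is assumed for the Infinispan shipped with 23.0.x. -->
<infinispan xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="urn:infinispan:config:14.0 http://www.infinispan.org/schemas/infinispan-config-14.0.xsd"
            xmlns="urn:infinispan:config:14.0">

    <jgroups>
        <!-- Inherit the built-in "tcp" stack and replace its multicast discovery
             (MPING) with JDBC_PING. Only discovery goes through the database;
             replication still flows over TCP port 7800 between the nodes. -->
        <stack name="jdbc-ping-tcp" extends="tcp">
            <JDBC_PING connection_driver="org.postgresql.Driver"
                       connection_url="${env.KC_DB_URL}"
                       connection_username="${env.KC_DB_USERNAME}"
                       connection_password="${env.KC_DB_PASSWORD}"
                       initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING (own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, creation_timestamp timestamp NOT NULL, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name));"
                       info_writer_sleep_time="500"
                       remove_all_data_on_view_change="true"
                       stack.combine="REPLACE"
                       stack.position="MPING"/>
        </stack>
    </jgroups>

    <cache-container name="keycloak">
        <!-- point the transport at the stack declared above -->
        <transport lock-timeout="60000" stack="jdbc-ping-tcp"/>

        <!-- keep every <local-cache>, <distributed-cache> and <replicated-cache>
             definition from the stock cache-ispn.xml here, unchanged -->
    </cache-container>
</infinispan>
```

Each node publishes the address it is bound to, so inside Docker the container IP is what lands in JGROUPSPING; the peer in the other network can only reach it if JGroups is bound or externally advertised on a routable address (for example via `JAVA_OPTS_APPEND` system properties, or host networking), which is the usual reason two nodes each "start as a master". A quick check is to query `SELECT own_addr, cluster_name FROM JGROUPSPING;` after both containers are up: two rows with reachable addresses mean discovery worked.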