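Using Keycloak running in Docker as the example, this post covers deploying it over HTTPS.
- HTTPS is more secure: traffic is encrypted in transit
- Some Keycloak cookies require HTTPS
nginx deployment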
upstream keycloak {
    server 192.168.*.*:8080;
}
server {
    server_name kc.lind.com;
    listen 443 ssl;
    ssl_certificate /usr/local/nginx/tls.crt;
    ssl_certificate_key /usr/local/nginx/tls.key;
    ssl_protocols TLSv1.2 TLSv1.3;  # TLS 1.0 and 1.1 are deprecated and no longer offered
    ssl_prefer_server_ciphers on;
    location / {
        return 301 https://$server_name/auth;
    }
    location /auth {
        proxy_pass http://keycloak/auth;
        proxy_set_header Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;  # determines that keycloak.js is served over https; this header is the special one
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
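
A way to check the effect of the X-Forwarded-Proto header from the outside, as an added example that is not from the original post: it scans a realm's OIDC discovery document (Keycloak serves it at /auth/realms/<realm>/.well-known/openid-configuration) and reports every advertised URL that is not on https://kc.lind.com. The JSON is a constructed sample, and the function names are this example's own.

```python
import json
from urllib.parse import urlsplit

# Constructed sample (not captured from a real server): discovery document as
# Keycloak would advertise it when it believes the request arrived over http.
BASE = "http://kc.lind.com/auth/realms/master"
SAMPLE_HTTP = json.dumps({
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
    "response_types_supported": ["code"],
    "mtls_endpoint_aliases": {"token_endpoint": BASE + "/protocol/openid-connect/token"},
})
# Same document as it looks once the forwarded scheme is honoured.
SAMPLE_HTTPS = SAMPLE_HTTP.replace("http://", "https://")


def walk_urls(node, path=""):
    """Yield (json_path, url) for every URL string, including nested objects."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_urls(value, path + "/" + key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_urls(value, "%s[%d]" % (path, index))
    elif isinstance(node, str) and "://" in node:
        yield path, node


def find_bad_urls(discovery_json, public_host):
    """Return sorted (json_path, reason) for URLs not on https://public_host."""
    findings = []
    for path, url in walk_urls(json.loads(discovery_json)):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((path, "scheme is %r, expected 'https'" % parts.scheme))
        elif parts.hostname != public_host or parts.port not in (None, 443):
            # Catches a leaked backend address or port such as :8080.
            findings.append((path, "unexpected authority %r" % parts.netloc))
    return sorted(findings)


if __name__ == "__main__":
    for label, sample in (("http sample", SAMPLE_HTTP), ("https sample", SAMPLE_HTTPS)):
        problems = find_bad_urls(sample, "kc.lind.com")
        print(label, "->", "OK" if not problems else problems)
```

Against a live deployment, feed the function the body fetched from the discovery URL; any finding means clients are being handed endpoints that bypass the TLS front end.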
Keycloak Docker deployment
What PROXY_ADDRESS_FORWARDING ultimately does:
- On HTTPS requests, it is responsible for