Keycloak

configuration-production.adoc
67 lines · 4.9 KB
<#import "/templates/guide.adoc" as tmpl>
<#import "/templates/kc.adoc" as kc>
<#import "/templates/links.adoc" as links>

<@tmpl.guide
title="Configuring {project_name} for production"
summary="Learn how to make {project_name} ready for production."
includedOptions="">

A {project_name} production environment provides secure authentication and authorization for deployments that range from on-premise deployments that support a few thousand users to deployments that serve millions of users.

This {section} describes the general areas of configuration required for a production ready {project_name} environment. This information focuses on the general concepts instead of the actual implementation, which depends on your environment. The key aspects covered in this {section} apply to all environments, whether it is containerized, on-premise, GitOps, or Ansible.

== TLS for secure communication
{project_name} continually exchanges sensitive data, which means that all communication to and from {project_name} requires a secure communication channel. To prevent several attack vectors, you enable HTTP over TLS, or HTTPS, for that channel.

To configure secure communication channels for {project_name}, see <@links.server id="enabletls"/> and <@links.server id="outgoinghttp"/>.

To secure the cache communication for {project_name}, see <@links.server id="caching"/>.

== The hostname for {project_name}
In a production environment, {project_name} instances usually run in a private network, but {project_name} needs to expose certain public facing endpoints to communicate with the applications to be secured.

For details on the endpoint categories and instructions on how to configure the public hostname for them, see <@links.server id="hostname"/>.

== Reverse proxy in a distributed environment
Apart from <@links.server id="hostname"/>, production environments usually include a reverse proxy / load balancer component. It separates and unifies access to the network used by your company or organization. For a {project_name} production environment, this component is recommended.

For details on configuring proxy communication modes in {project_name}, see <@links.server id="reverseproxy"/>. That {section} also recommends which paths should be hidden from public access and which paths should be exposed so that {project_name} can secure your applications.

== Limit the number of queued requests

A production environment should protect itself from an overload situation, so that it responds to as many valid requests as possible and continues regular operations once the situation returns to normal.
One way of doing this is rejecting additional requests once a certain threshold is reached.

Load shedding should be implemented on all levels, including the load balancers in your environment.
In addition to that, there is a feature in Keycloak to limit the number of requests that can't be processed right away and need to be queued.
By default, there is no limit set.
Set the option `http-max-queued-requests` to limit the number of queued requests to a threshold that matches your environment.
Any request that exceeds this limit is rejected with an immediate `503 Service Unavailable` response.

== Production grade database
The database used by {project_name} is crucial for the overall performance, availability, reliability and integrity of {project_name}. For details on how to configure a supported database, see <@links.server id="db"/>.

== Support for {project_name} in a cluster
To ensure that users can continue to log in when a {project_name} instance goes down, a typical production environment contains two or more {project_name} instances.

{project_name} runs on top of JGroups and Infinispan, which provide a reliable, high-availability stack for a clustered scenario. When deployed to a cluster, the embedded Infinispan server communication should be secured. You secure this communication either by enabling authentication and encryption or by isolating the network used for cluster communication.

To find out more about using multiple nodes, the different caches and an appropriate stack for your environment, see <@links.server id="caching"/>.

== Configure {project_name} Server with IPv4 or IPv6
The system properties `java.net.preferIPv4Stack` and `java.net.preferIPv6Addresses` are used to configure the JVM for use with IPv4 or IPv6 addresses.

By default, {project_name} is accessible via IPv4 and IPv6 addresses at the same time.
In order to run only with IPv4 addresses, specify the property `java.net.preferIPv4Stack=true`.
This property ensures that any hostname to IP address conversion always returns IPv4 address variants.
58

59
These system properties are conveniently set by the `JAVA_OPTS_APPEND` environment variable.
60
For example, to change the IP stack preference to IPv4, set an environment variable as follows:
61

62
[source, bash]
63
----
64
export JAVA_OPTS_APPEND="-Djava.net.preferIPv4Stack=true"
----
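The two concrete settings in this guide, the `http-max-queued-requests` queue bound from the load shedding section and the IPv4 preference passed through `JAVA_OPTS_APPEND`, put together in a constructed `keycloak.conf` with a pre-start check that the bound is really in place. This is an added example, not Keycloak project code; the `/tmp/kc-demo` path, the `db=postgres` line and the threshold of 500 are arbitrary sample values.

```bash
#!/usr/bin/env bash
# Added example, not Keycloak project code. Writes a constructed keycloak.conf
# with the load-shedding option from this guide and checks it before start-up.
set -eu

# Weak configuration (constructed sample): http-max-queued-requests is absent,
# so the number of queued requests is unbounded, which is the Keycloak default.
write_unbounded_conf() {
  cat > "$1" <<'EOF'
db=postgres
EOF
}

# Hardened configuration: bound the queue so that requests beyond the
# threshold ($2) are rejected immediately with a 503 instead of piling up.
write_bounded_conf() {
  cat > "$1" <<EOF
db=postgres
http-max-queued-requests=$2
EOF
}

# Prints "ok" when the file bounds the queue with a positive integer,
# "unbounded" when the option is missing and "invalid" for any other value.
check_queue_limit() {
  value=$(grep -E '^http-max-queued-requests=' "$1" | tail -n 1 | cut -d= -f2-)
  if [ -z "$value" ]; then
    echo unbounded
    return 0
  fi
  case "$value" in
    *[!0-9]*|0) echo invalid ;;
    *) echo ok ;;
  esac
}

# JVM flag for an IPv4-only stack, handed to the JVM through JAVA_OPTS_APPEND.
ipv4_java_opts() {
  printf '%s' "-Djava.net.preferIPv4Stack=true"
}

# Demo run: /tmp/kc-demo and the threshold of 500 are arbitrary choices.
conf="${KC_CONF_DIR:-/tmp/kc-demo}/keycloak.conf"
mkdir -p "$(dirname "$conf")"
write_bounded_conf "$conf" 500
echo "queue limit in $conf: $(check_queue_limit "$conf")"
JAVA_OPTS_APPEND="$(ipv4_java_opts)"
export JAVA_OPTS_APPEND
echo "start with: JAVA_OPTS_APPEND=\"$JAVA_OPTS_APPEND\" bin/kc.sh start"
```

Point `KC_CONF_DIR` at the real `conf/` directory of the installation to write the file where `kc.sh` picks it up; `check_queue_limit` can also be run against an existing `keycloak.conf` to confirm the queue is bounded before the instance is started.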

</@tmpl.guide>
