parent
45c0baf843
commit
7b1180856b
1 changed files with 17 additions and 17 deletions
|
@ -7,33 +7,33 @@ title="Configuring Keycloak for production"
|
|||
summary="Learn how to make Keycloak ready for production."
|
||||
includedOptions="">
|
||||
|
||||
Keycloak is used in various production environments, from on-premise deployments spanning only a few thousand users to deployments serving millions of users with secure authentication and authorization.
|
||||
A Keycloak production environment provides secure authentication and authorization for deployments that range from on-premise deployments that support a few thousand users to deployments that serve millions of users.
|
||||
|
||||
This guide walks you through the general aspects of setting up a production ready Keycloak environment. It focusses on the main concepts and aspects instead of the actual implementation, which depends on your actual environment, be it containerized, on-premise, GitOps or Ansible. The key aspects covered in this guide apply to all of these environments.
|
||||
This guide describes the general areas of configuration required for a production ready Keycloak environment. This information focuses on the general concepts instead of the actual implementation, which depends on your environment. The key aspects covered in this guide apply to all environments, whether it is containerized, on-premise, GitOps, or Ansible.
|
||||
|
||||
== Enabling TLS
|
||||
Keycloak exchanges sensitive data all the time, so all communication from and to Keycloak needs to be done through a secure communication channel. For that, you must enable HTTP over TLS, or HTTPS, to prevent several attack vectors.
|
||||
== TLS for secure communication
|
||||
Keycloak continually exchanges sensitive data, which means that all communication to and from Keycloak requires a secure communication channel. To prevent several attack vectors, you enable HTTP over TLS, or HTTPS, for that channel.
|
||||
|
||||
The <@links.server id="enabletls"/> and <@links.server id="outgoinghttp"/> guides will show you the appropriate configuration to set up secure communication channels for Keycloak.
|
||||
To configure secure communication channels for Keycloak, see the <@links.server id="enabletls"/> and <@links.server id="outgoinghttp"/> guides.
|
||||
|
||||
== Setting the hostname for Keycloak
|
||||
Keycloak instances in production usually run in a private network, but Keycloak needs to expose different public facing endpoints to communicate with applications that will be secured.
|
||||
== The hostname for Keycloak
|
||||
In a production environment, Keycloak instances usually run in a private network, but Keycloak needs to expose certain public facing endpoints to communicate with the applications to be secured.
|
||||
|
||||
Learn in the <@links.server id="hostname"/> guide what the different endpoint categories are and how to configure the public hostname for them, depending on your specific environment.
|
||||
For details on the endpoint categories and instructions on how to configure the public hostname for them, see the <@links.server id="hostname"/> guide.
|
||||
|
||||
== Configure a reverse proxy
|
||||
Apart from <<Setting the hostname for Keycloak>>, production environments usually use a reverse proxy / load balancer component to separate and unify access to the companies network. Using such a component is recommended for Keycloak production deployments.
|
||||
== Reverse proxy in a distributed environment
|
||||
Apart from <<Setting the hostname for Keycloak>>, production environments usually include a reverse proxy / load balancer component. It separates and unifies access to the network used by your company or organization. For a Keycloak production environment, this component is recommended.
|
||||
|
||||
In the <@links.server id="reverseproxy"/> guide you can find the available proxy communication modes in Keycloak and how to configure them. There's also a recommendation which paths should not be exposed to the public at all, and which paths need to be exposed for Keycloak to be able to secure your applications.
|
||||
For details on configuring proxy communication modes in Keycloak, see the <@links.server id="reverseproxy"/> guide. That guide also recommends which paths should be hidden from public access and which paths should be exposed so that Keycloak can secure your applications.
|
||||
|
||||
== Configure a production grade database
|
||||
The database used by Keycloak is crucial for the overall performance, availability, reliability and integrity of Keycloak. In the <@links.server id="db"/> guide you can find the supported database vendors and how to configure Keycloak to use them.
|
||||
== Production grade database
|
||||
The database used by Keycloak is crucial for the overall performance, availability, reliability and integrity of Keycloak. For details on how to configure a supported database, see the <@links.server id="db"/> guide.
|
||||
|
||||
== Run Keycloak in a cluster
|
||||
You'd not want every login to fail when your Keycloak instance goes down, so typical production deployments consist of two or more Keycloak instances.
|
||||
== Support for Keycloak in a cluster
|
||||
To ensure that users can continue to log in when a Keycloak instance goes down, a typical production environment contains two or more Keycloak instances.
|
||||
|
||||
Keycloak uses JGroups and Infinispan under the covers to provide a reliable, HA-ready stack to run in a clustered scenario. When deployed to a cluster the embedded Infinispan server communication should be secured. Either by enabling authentication and encryption, or through isolating the network used for cluster communication.
|
||||
Keycloak runs on top of JGroups and Infinispan, which provide a reliable, high-availability stack for a clustered scenario. When deployed to a cluster, the embedded Infinispan server communication should be secured. You secure this communication either by enabling authentication and encryption or by isolating the network used for cluster communication.
|
||||
|
||||
To find out more about using multiple nodes, the different caches and the right stack for your environment, see the <@links.server id="caching"/> guide.
|
||||
To find out more about using multiple nodes, the different caches and an appropriate stack for your environment, see the <@links.server id="caching"/> guide.
|
||||
|
||||
</@tmpl.guide>
|
||||
|
|
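Review bot: the section title "== Setting the hostname for Keycloak" is renamed to "== The hostname for Keycloak", but the reverse proxy section still opens with "Apart from <<Setting the hostname for Keycloak>>, production environments usually include a reverse proxy / load balancer component." Since the AsciiDoc xref resolves by section title, it will no longer resolve after this rename; either change it to <<The hostname for Keycloak>> or give the section an explicit anchor (for example `[[hostname]]` above the heading) and reference that, so later title edits do not break the link again. Minor style point for the same hunk: the compound modifiers in "production ready Keycloak environment", "public facing endpoints" and "== Production grade database" should be hyphenated ("production-ready", "public-facing", "Production-grade") to match the rest of the rewritten wording.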