Reverse Proxy in front of Keycloak and Archive - dcm4che/dcm4chee-arc-light GitHub Wiki
Distributed environments frequently require the use of a reverse proxy.
According to the Nginx Admin Guide, Configuring Reverse Proxy, add a top-level stream {} block to the Nginx configuration file /etc/nginx/nginx.conf, with a server {} configuration block for each TCP connection which shall be forwarded to Keycloak, the Archive or the OAuth2 Proxy. Each server {} block includes the listen directive to define the port on the Proxy Node, and the proxy_pass directive to define host and port of the proxied service. E.g.:
stream {
    # Archive DICOM
    server {
        listen 11112;
        proxy_pass arc-node:11112;
    }
    # Archive DICOM-TLS
    server {
        listen 2762;
        proxy_pass arc-node:2762;
    }
    # Archive HL7
    server {
        listen 2575;
        proxy_pass arc-node:2575;
    }
    # Archive HL7-TLS
    server {
        listen 12575;
        proxy_pass arc-node:12575;
    }
    # Archive UI HTTPS
    server {
        listen 9443;
        proxy_pass arc-node:8443;
    }
    # Archive Wildfly Administration Console HTTPS
    server {
        listen 9993;
        proxy_pass arc-node:9993;
    }
    # Keycloak HTTPS
    server {
        listen 9843;
        proxy_pass arc-node:8843;
    }
    # OAuth2 Proxy HTTPS
    server {
        listen 9643;
        proxy_pass arc-node:8643;
    }
}
Specify the proxy mode as passthrough by command-line option --proxy or environment variable KC_PROXY. The stream proxy forwards the TCP connection as is, so TLS is still terminated by Keycloak itself.
Adjust the configured frontend endpoint by command-line options --hostname and --hostname-port or environment variables KC_HOSTNAME and KC_HOSTNAME_PORT to the hostname of the proxy and the port on the proxy configured to forward requests to Keycloak.
Add/Change Valid Redirect URI and Web Origins of the configured Keycloak OIDC client dcm4chee-arc-ui for the Archive UI, reflecting the hostname of the proxy and the port on the proxy configured to forward requests to the Archive HTTPS port. Or adjust the environment variables ARCHIVE_HOST and ARCHIVE_HTTPS_PORT accordingly before the first start of the Keycloak container.
Add/Change Valid Redirect URI and Web Origins of the configured Keycloak OIDC client wildfly-console for the Archive Wildfly Administration Console, reflecting the hostname of the proxy and the port on the proxy configured to forward requests to the Archive Wildfly Management HTTPS port. Or adjust the environment variables ARCHIVE_HOST and ARCHIVE_MANAGEMENT_HTTPS_PORT accordingly before the first start of the Keycloak container.
Add/Change Valid Redirect URI of the configured Keycloak OIDC client kibana for Kibana, reflecting the hostname of the proxy and the port on the proxy configured to forward requests to the OAuth2 Proxy in front of Kibana. Or adjust the environment variable KIBANA_REDIRECT_URL accordingly before the first start of the Keycloak container.
Configure the Keycloak Frontend URL, reflecting the hostname of the proxy and the port on the proxy configured to forward requests to Keycloak, by environment variable UI_AUTH_SERVER_URL of the archive container.
Adjust the configured OAuth Redirect URL (option redirect-url or environment variable OAUTH2_PROXY_REDIRECT_URL) of the OAuth2 Proxy, reflecting the hostname of the proxy and the port on the proxy configured to forward requests to the OAuth2 Proxy.
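
Every setting listed above has to name the proxy's hostname and listen port, not the host and port of the proxied service. The following Python check is an added example, not part of the dcm4che wiki or project code: it parses the server {} blocks of the stream configuration and reports settings that still point at a backend. The hostname proxy-node, the sample values and the URL path are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the HTTPS forwards from this page's stream block.
NGINX_CONF = """stream {
    server { listen 9443; proxy_pass arc-node:8443; }
    server { listen 9993; proxy_pass arc-node:9993; }
    server { listen 9843; proxy_pass arc-node:8843; }
    server { listen 9643; proxy_pass arc-node:8643; }
}"""
# Backend that each setting named on this page has to be reached through.
BACKEND = {
    "KC_HOSTNAME": "arc-node:8843", "KC_HOSTNAME_PORT": "arc-node:8843",
    "UI_AUTH_SERVER_URL": "arc-node:8843", "ARCHIVE_HOST": "arc-node:8443",
    "ARCHIVE_HTTPS_PORT": "arc-node:8443", "ARCHIVE_MANAGEMENT_HTTPS_PORT": "arc-node:9993",
    "KIBANA_REDIRECT_URL": "arc-node:8643", "OAUTH2_PROXY_REDIRECT_URL": "arc-node:8643",
}
# Constructed environment; "proxy-node" and the URL path are assumptions.
ENV = {
    "KC_HOSTNAME": "proxy-node", "KC_HOSTNAME_PORT": "9843",
    "ARCHIVE_HOST": "proxy-node", "ARCHIVE_MANAGEMENT_HTTPS_PORT": "9993",
    "ARCHIVE_HTTPS_PORT": "8443",                    # backend port left in place
    "UI_AUTH_SERVER_URL": "https://arc-node:8843",   # points past the proxy
    "OAUTH2_PROXY_REDIRECT_URL": "https://proxy-node:9643/oauth2/callback",
}

def forwards(conf):
    """Map proxied 'host:port' -> proxy listen port for each server {} block."""
    pat = re.compile(r"server\s*\{[^{}]*?listen\s+(\d+)\s*;"
                     r"[^{}]*?proxy_pass\s+([\w.-]+:\d+)\s*;")
    return {backend: int(listen) for listen, backend in pat.findall(conf)}

def split_setting(value):
    """Reduce a setting to (host, port); a part that is absent is None."""
    if "://" in value:
        url = urlsplit(value)
        return url.hostname, url.port or 443
    return (None, int(value)) if value.isdigit() else (value, None)

def check(env, conf, proxy_host):
    """Return one finding per setting part that does not point at the proxy."""
    fwd, findings = forwards(conf), []
    for name in (n for n in BACKEND if n in env):
        host, port = split_setting(env[name])
        if host is not None and host != proxy_host:
            findings.append(f"{name}: host {host} is not the proxy {proxy_host}")
        if port is not None and port != fwd.get(BACKEND[name]):
            findings.append(f"{name}: port {port}, proxy listens on {fwd.get(BACKEND[name])}")
    return findings
```

Calling check(ENV, NGINX_CONF, "proxy-node") on the sample returns three findings: the host and port of UI_AUTH_SERVER_URL, and the port in ARCHIVE_HTTPS_PORT.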