Keycloak Docker Compose Configuration: Technical Overview

This document outlines the configuration of the Keycloak service within the docker-compose.yml file, focusing on Keycloak-specific settings and their implications.

version: "3.3" 
services: 
  keycloak: 
    container_name: keycloak 
    image: dockerregistry.quintessence.de/keycloak/keycloak-qc:10.79-QC-44958-SNAPSHOT 
    # A single --log option with a comma-separated handler list enables both console and file logging
    command: ['start', '--log=console,file', '--log-file-format="%d{yyyy-MM-dd HH:mm:ss} %-5p [%c] (%t) %s%e%n"']
    volumes: 
      - ./logs:/opt/keycloak/data/log 
      - ./themes:/opt/keycloak/themes 
    environment: 
      KC_HOSTNAME_URL: https://domain.quintessence.de 
      KC_HOSTNAME_ADMIN_URL: https://domain.quintessence.de 
      KEYCLOAK_ADMIN: admin 
      KEYCLOAK_ADMIN_PASSWORD: securepassword 
      KC_DB: oracle 
      KC_DB_URL: jdbc:oracle:thin:@**********:1521:ORA12DB   
      KC_DB_PASSWORD: securepassword 
      KC_DB_USERNAME: keycloak 
      KC_DB_DRIVER: oracle.jdbc.OracleDriver 
      KC_HOSTNAME_STRICT_HTTPS: "false" 
      KC_HOSTNAME_STRICT: "false" 
      KC_HTTP_ENABLED: "true" 
      KC_PROXY_HEADERS: xforwarded  
      PROXY_ADDRESS_FORWARDING: 'true'   
    ports: 
      - "8280:8080" 

Configuration Breakdown

  • version: "3.3": Specifies the Docker Compose file format version.
  • services: keycloak: Defines a service named keycloak, encompassing all configurations for the Keycloak container.
  • container_name: keycloak: Assigns the static name keycloak to the running container for easy identification and management.
  • image: dockerregistry.quintessence.de/keycloak/keycloak-qc:10.79-QC-44958-SNAPSHOT: Uses a specific custom Keycloak Docker image from a QC registry. This image includes the Oracle JDBC driver and any other pre-configured settings.
  • command: [ 'start', ... ]: Overrides the image's default command (the arguments passed to the container entrypoint), instructing Keycloak to start and configuring logging to both the console and a file, with a specified format for the file output.
  • volumes: Establishes persistent storage and configuration access:
    • ./logs:/opt/keycloak/data/log: Mounts the host's ./logs directory to the container's Keycloak log directory, making logs easily accessible on the host.
    • ./themes:/opt/keycloak/themes: Mounts the host's ./themes directory to the container's Keycloak themes directory, allowing for external theme management.
  • environment: Configures Keycloak via environment variables:
    • KC_HOSTNAME_URL: https://domain.quintessence.de: Sets the public hostname URL for Keycloak, used in generated links and redirects.
    • KC_HOSTNAME_ADMIN_URL: https://domain.quintessence.de: Sets the public URL for the Keycloak administration console.
    • KEYCLOAK_ADMIN: admin & KEYCLOAK_ADMIN_PASSWORD: securepassword: Defines the initial administrative credentials for Keycloak. 🚨 Note: Use secrets management for production environments.
    • KC_DB: oracle: Specifies that Keycloak should use an Oracle database.
    • KC_DB_URL: jdbc:oracle:thin:@**********:1521:ORA12DB: Provides the JDBC connection string for the Oracle database. Replace ********** with the actual Oracle host.
    • KC_DB_PASSWORD: securepassword & KC_DB_USERNAME: keycloak: Credentials for the Keycloak database user. 🚨 Note: Use secrets management for production environments.
    • KC_DB_DRIVER: oracle.jdbc.OracleDriver: Specifies the Java class name for the Oracle JDBC driver.
    • KC_HOSTNAME_STRICT_HTTPS: "false" & KC_HOSTNAME_STRICT: "false": Disables strict hostname and HTTPS validation. Often used when Keycloak is behind a reverse proxy that handles SSL termination. Consider carefully for production if not behind a secure proxy.
    • KC_HTTP_ENABLED: "true": Enables the HTTP listener for Keycloak, typically required when a reverse proxy forwards HTTP requests to Keycloak.
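    • KC_PROXY_HEADERS: xforwarded: Configures Keycloak to trust standard X-Forwarded-* headers (e.g., X-Forwarded-For, X-Forwarded-Proto) from a proxy, crucial for correct URL generation and IP logging. This is only safe when every request reaches Keycloak through a proxy that sets or overwrites these headers.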
    • PROXY_ADDRESS_FORWARDING: 'true': An older or complementary setting to KC_PROXY_HEADERS that also enables proxy address forwarding.
  • ports: Maps network ports:
    • "8280:8080": Exposes container port 8080 (where Keycloak listens) to port 8280 on the host machine.
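
The settings the breakdown above marks for care can be checked automatically before deployment. The following Python audit is an added example, not part of the original page or of Keycloak. The line-based parser, the finding texts and the rule that a `${...}` Compose variable reference counts as an externally supplied value are assumptions of this example, and the sample input is constructed from the compose file above.

```python
import re

# Constructed sample: environment and ports entries taken from the compose file above.
COMPOSE = '''\
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: securepassword
      KC_DB_PASSWORD: securepassword
      KC_HOSTNAME_STRICT_HTTPS: "false"
      KC_HOSTNAME_STRICT: "false"
      KC_HTTP_ENABLED: "true"
      KC_PROXY_HEADERS: xforwarded
    ports:
      - "8280:8080"
'''

ENV_RE = re.compile(r'^([A-Z][A-Z0-9_]*):\s*(.*)$')
PORT_RE = re.compile(r'^-\s*(?:(\d+\.\d+\.\d+\.\d+):)?(\d+):(\d+)$')


def parse(text):
    """Line-based extraction of env vars and port mappings (not a full YAML parser)."""
    env, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip().replace('"', '').replace("'", '')
        if m := PORT_RE.match(line):
            # No host IP in the mapping means Docker binds to all interfaces.
            ports.append((m.group(1) or '0.0.0.0', m.group(2), m.group(3)))
        elif m := ENV_RE.match(line):
            env[m.group(1)] = m.group(2).strip()
    return env, ports


def audit(text):
    """Return one finding per setting the page flags as needing care."""
    env, ports = parse(text)
    findings = []
    for key in ('KEYCLOAK_ADMIN_PASSWORD', 'KC_DB_PASSWORD'):
        if key in env and not env[key].startswith('${'):
            findings.append(f'{key}: literal secret stored in the compose file')
    for key in ('KC_HOSTNAME_STRICT', 'KC_HOSTNAME_STRICT_HTTPS'):
        if env.get(key, '').lower() == 'false':
            findings.append(f'{key}: strict check disabled')
    exposed = [p for p in ports if p[0] != '127.0.0.1']
    if exposed and env.get('KC_HTTP_ENABLED', '').lower() == 'true':
        findings.append('KC_HTTP_ENABLED: plain-HTTP port published on a non-loopback interface')
    if exposed and env.get('KC_PROXY_HEADERS'):
        findings.append('KC_PROXY_HEADERS: forwarded headers trusted on a port clients can reach directly')
    return findings
```

Running `audit(COMPOSE)` on the sample reports all six conditions. Supplying the passwords through `${...}` references, enabling the strict checks and publishing the port as `127.0.0.1:8280:8080` clears them.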

Changelog

Date Author Message
2026-02-25 aresnikowa Merge remote-tracking branch 'origin/master'