This guide shows how to install Keycloak behind NGINX with SSL termination using Let’s Encrypt, and an existing MariaDB server. Keycloak will run as a non-system user and be configured for production.
Prerequisites
- An Ubuntu 24.04 server
- A public domain name pointing to your server (e.g.,
keycloak.maksonlee.com) - Existing MariaDB server
- Existing NGINX installation
- Ports 80 and 443 open
- Create Keycloak Database and User in MariaDB
sudo mysql -u root -p
Inside MariaDB shell:
CREATE DATABASE keycloak;
CREATE USER 'keycloak'@'localhost' IDENTIFIED BY 'your_secure_password';
GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';
FLUSH PRIVILEGES;
EXIT;
- Install Java 21
sudo apt update
sudo apt install openjdk-21-jdk -y
java -version
- Download and Install Keycloak
wget https://github.com/keycloak/keycloak/releases/download/26.2.0/keycloak-26.2.0.tar.gz
tar -xvzf keycloak-26.2.0.tar.gz
sudo mv keycloak-26.2.0 /opt/keycloak
sudo useradd -m keycloak
sudo chown -R keycloak:keycloak /opt/keycloak
- Add MariaDB JDBC Driver
sudo wget https://downloads.mariadb.com/Connectors/java/connector-java-3.5.3/mariadb-java-client-3.5.3.jar -O /opt/keycloak/providers/mariadb.jar
sudo chown keycloak:keycloak /opt/keycloak/providers/mariadb.jar
- Configure Keycloak
sudo su - keycloak
Edit /opt/keycloak/conf/keycloak.conf:
db=mariadb
db-username=keycloak
db-password=your_secure_password
db-url=jdbc:mariadb://localhost:3306/keycloak
hostname=keycloak.maksonlee.com
http-enabled=true
http-host=127.0.0.1
proxy-headers=xforwarded
- Build Keycloak
cd /opt/keycloak
bin/kc.sh build
exit
- Add NGINX Config (No SSL Yet)
Before running Certbot, create a simple config:
server {
listen 80;
server_name keycloak.maksonlee.com;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
}
}
Save as:
/etc/nginx/sites-enabled/keycloak
Then reload NGINX:
sudo nginx -t && sudo systemctl reload nginx
- Get SSL Certificate via Certbot
sudo certbot --nginx -d keycloak.maksonlee.com
Certbot will automatically update the NGINX config with SSL.
- Final NGINX Config (With SSL + Headers)
Verify your final config looks like this:
server {
server_name keycloak.maksonlee.com;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/keycloak.maksonlee.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/keycloak.maksonlee.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-Host $host;
proxy_http_version 1.1;
proxy_set_header Connection "";
}
}
server {
listen 80;
server_name keycloak.maksonlee.com;
return 301 https://$host$request_uri;
}
- Start Keycloak with Temporary Admin User
sudo su - keycloak
export KC_BOOTSTRAP_ADMIN_USERNAME=admin
export KC_BOOTSTRAP_ADMIN_PASSWORD=admin
export JAVA_OPTS="-Xms128m -Xmx128m"
cd /opt/keycloak
bin/kc.sh start
You can now visit:
https://keycloak.maksonlee.com
Login with the credentials above. You’ll see a warning to create a permanent admin user.
- Run Keycloak as a Systemd Service
Create a unit file:
sudo vi /etc/systemd/system/keycloak.service
Paste the following:
[Unit]
Description=Keycloak Server
After=network.target
[Service]
User=keycloak
Group=keycloak
WorkingDirectory=/opt/keycloak
ExecStart=/opt/keycloak/bin/kc.sh start --http-host=127.0.0.1
Restart=always
Environment=JAVA_OPTS=-Xms128m -Xmx128m
[Install]
WantedBy=multi-user.target
Then:
sudo systemctl daemon-reload
sudo systemctl enable keycloak
sudo systemctl start keycloak
Your Keycloak is now running securely behind NGINX with SSL termination and using MariaDB as backend storage.
Did this guide save you time?
Support this site