Configuring Methaq for Production
Setting up TLS, the reverse proxy, the database, and caching for an enterprise production environment.
In production, all connections must be encrypted. Methaq supports TLS termination at two levels:
```bash
# Start Methaq with HTTPS directly
bin/kc.sh start \
  --https-certificate-file=/etc/methaq/tls/fullchain.pem \
  --https-certificate-key-file=/etc/methaq/tls/privkey.pem \
  --https-port=8443 \
  --https-enabled=true
```

This is the preferred approach for production: Nginx terminates TLS at the edge:
```nginx
# /etc/nginx/sites-available/your-methaq-domain
server {
    listen 443 ssl http2;
    server_name your-methaq-domain;
    ssl_certificate /etc/letsencrypt/live/your-methaq-domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-methaq-domain/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

```bash
# Install certbot
sudo apt-get install -y certbot python3-certbot-nginx
# Obtain certificate
sudo certbot --nginx -d your-methaq-domain
# Auto-renewal (already configured by certbot)
sudo systemctl status certbot.timer
```

In the production architecture, Nginx acts as a reverse proxy in front of the identity server. Here is the full configuration:
```nginx
# /etc/nginx/sites-available/your-methaq-domain
server {
    listen 8443 ssl http2;
    listen [::]:8443 ssl http2;
    server_name your-methaq-domain;
    ssl_certificate /etc/letsencrypt/live/your-methaq-domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-methaq-domain/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        proxy_pass http://YOUR_INTERNAL_IP:8080;
        proxy_http_version 1.1;
        # Proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host your-methaq-domain;
        proxy_set_header X-Forwarded-Port 443;
        proxy_read_timeout 90;
        proxy_connect_timeout 90;
        proxy_buffering off;
        # Only takes effect when proxy_pass points at an https:// upstream
        proxy_ssl_verify off;
    }
}
```

```nginx
# /etc/nginx/nginx.conf (http context)
limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=10r/s;
# Then in server block:
limit_req zone=auth_limit burst=20 nodelay;
```

The public-facing hostname must be configured correctly for OIDC discovery to work:
```bash
bin/kc.sh start \
  --hostname=your-methaq-domain \
  --hostname-strict=false \
  --hostname-strict-backchannel=false \
  --proxy edge
```

| Parameter | Value | Reason |
|---|---|---|
| hostname | your-methaq-domain | Appears in tokens and discovery metadata |
| proxy | edge | Nginx in front; honours X-Forwarded-Proto |
| hostname-strict | false | Allows HTTP (for the proxy) |
| hostname-strict-backchannel | false | Allows backchannel callbacks |
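As an added check that is not part of the Methaq documentation, the following POSIX shell function validates a realm's discovery document against the configured public hostname: every advertised endpoint must be `https://` on the `--hostname` value, otherwise the proxy headers or hostname settings above are not being honoured. The two JSON documents are constructed samples, the realm name `master` and the internal address `10.0.0.5:8080` are assumptions, and `your-methaq-domain` is the placeholder from the command above.

```shell
#!/bin/sh
# Added example, not part of the Methaq docs: verify that the OIDC discovery
# document advertises the public hostname over https, which is what a correct
# --hostname / --proxy edge / X-Forwarded-Proto setup should produce.
set -eu

PUBLIC_HOST="your-methaq-domain"   # same value as --hostname (placeholder)

# Constructed sample: discovery document from a correctly configured server.
GOOD_DISCOVERY='{"issuer":"https://your-methaq-domain/realms/master","authorization_endpoint":"https://your-methaq-domain/realms/master/protocol/openid-connect/auth","token_endpoint":"https://your-methaq-domain/realms/master/protocol/openid-connect/token"}'

# Constructed sample: X-Forwarded-Proto / --hostname ignored, so the server
# leaks its internal plaintext address into every advertised endpoint.
BAD_DISCOVERY='{"issuer":"http://10.0.0.5:8080/realms/master","authorization_endpoint":"http://10.0.0.5:8080/realms/master/protocol/openid-connect/auth","token_endpoint":"http://10.0.0.5:8080/realms/master/protocol/openid-connect/token"}'

# check_discovery JSON HOST
# Prints one line per misconfigured field; returns 0 only when every
# URL-valued field is https:// on the expected public host.
check_discovery() {
    json="$1"; host="$2"; problems=0
    # Extract every "field":"http..." pair as field=url (the JSON has no spaces).
    for entry in $(printf '%s' "$json" \
            | grep -o '"[a-z_]*":"http[^"]*"' \
            | sed 's/^"\([a-z_]*\)":"\(.*\)"$/\1=\2/'); do
        field=${entry%%=*}
        url=${entry#*=}
        case "$url" in
            https://"$host"/*) ;;   # scheme and host as expected
            http://*)
                echo "$field is plaintext: $url"; problems=$((problems + 1)) ;;
            *)
                echo "$field is not on $host: $url"; problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Against a live server you would feed in the output of:
#   curl -s "https://$PUBLIC_HOST/realms/master/.well-known/openid-configuration"
for doc in "$GOOD_DISCOVERY" "$BAD_DISCOVERY"; do
    if check_discovery "$doc" "$PUBLIC_HOST"; then
        echo "discovery OK"
    else
        echo "discovery MISCONFIGURED"
    fi
done
```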
PostgreSQL is the recommended database for production:

```bash
# Ubuntu/Debian
sudo apt-get install -y postgresql-15
# Start and enable
sudo systemctl enable postgresql
sudo systemctl start postgresql
# Create database and user
sudo -u postgres psql << 'EOF'
CREATE DATABASE methaq;
CREATE USER methaq WITH PASSWORD 'your_secure_db_password';
GRANT ALL PRIVILEGES ON DATABASE methaq TO methaq;
\c methaq
GRANT ALL ON SCHEMA public TO methaq;
ALTER DATABASE methaq SET search_path = "$user", public;
EOF
```

```bash
# The --db-pool-* values are connection pool tuning for production
bin/kc.sh start \
  --db=postgres \
  --db-url=jdbc:postgresql://localhost:5432/methaq \
  --db-username=methaq \
  --db-password=your_secure_db_password \
  --db-pool-vendor=hikari \
  --db-pool-min-size=5 \
  --db-pool-max-size=20 \
  --db-pool-initial-size=10
```

```ini
# /etc/postgresql/15/main/postgresql.conf
# Memory
shared_buffers = 256MB
effective_cache_size = 1GB
work_mem = 64MB
maintenance_work_mem = 128MB
# Write Ahead Log
wal_buffers = 64MB
checkpoint_completion_target = 0.9
# Parallel queries
max_worker_processes = 4
max_parallel_workers_per_gather = 2
max_parallel_workers = 4
# Connections
max_connections = 100
```

Infinispan provides distributed caching for HA deployments with multiple Methaq instances:
```bash
bin/kc.sh start \
  --cache-stack=ispn \
  --cache-ispn-config-file=/etc/methaq/infinispan.xml
```

```xml
<?xml version="1.0"?>
<infinispan>
  <jgroups>
    <stack name="tcp" extends="default">
      <TCP bind_port="7800"/>
      <MPING mcast_port="54200"/>
    </stack>
  </jgroups>
  <cache-container name="methaq" default-cache="dist">
    <transport stack="tcp"/>
    <distributed-cache name="sessions"
                       mode="ASYNC"
                       owners="2"
                       segments="256">
      <expiration lifespan="-1"/>
    </distributed-cache>
    <distributed-cache name="clientSessions"
                       mode="ASYNC"
                       owners="2">
      <expiration lifespan="-1"/>
    </distributed-cache>
    <distributed-cache name="actionTokens"
                       mode="SYNC"
                       owners="2">
      <expiration lifespan="86400000"/>
    </distributed-cache>
  </cache-container>
</infinispan>
```

```bash
# Alternative: Redis-backed cache
bin/kc.sh start \
  --cache-stack=redis \
  --db-url=<Redis connection URL>
```

If Methaq connects to external services over TLS (LDAP, OIDC IdP, APIs), you may need to add their certificates to the truststore:
```bash
# Import certificate to Java truststore
# "changeit" is the JDK default truststore password; use your own in production
keytool -import \
  -trustcacerts \
  -alias ldap-company-com \
  -file /tmp/ldap-company-com.crt \
  -keystore /etc/methaq/truststore.jks \
  -storepass changeit
# Configure Methaq to use truststore
bin/kc.sh start \
  --https-trust-store-file=/etc/methaq/truststore.jks \
  --https-trust-store-password=changeit \
  --https-trust-store-type=JKS
```

```bash
# Convert to PKCS12
openssl pkcs12 -export \
  -in server.crt \
  -inkey server.key \
  -out keystore.p12 \
  -name server
# Copy the entries from the PKCS12 keystore into a PKCS12 truststore
keytool -importkeystore \
  -srckeystore keystore.p12 \
  -srcstoretype PKCS12 \
  -destkeystore truststore.p12 \
  -deststoretype PKCS12 \
  -srcstorepass password \
  -deststorepass password
```