Hands-on guide to an on-premises open-source zero-trust deployment: a complete Keycloak + OpenZiti solution
I. Solution overview
This solution gives small and medium-sized businesses a fully on-premises, open-source zero-trust architecture. Core components:
- Keycloak: unified identity and access management (IAM)
- OpenZiti: zero-trust network overlay and policy enforcement
- PostgreSQL: database for Keycloak (the OpenZiti controller keeps its own embedded bbolt database file)
- Nginx: reverse proxy and TLS termination
Architecture advantages
- 🔒 Data stays in-house: every component runs on local infrastructure
- 💰 Zero licence cost: built entirely on open-source software
- 🛡️ Strong security: follows the "never trust, always verify" principle
- 📦 Easy to maintain: standardized configuration, installed as plain systemd services by the script below (a containerized variant is possible but is not what this guide deploys)
II. Environment preparation
Hardware requirements
| Component | Minimum | Production recommendation |
|---|---|---|
| Control node | 4 CPU cores / 8 GB RAM / 100 GB storage | 8 CPU cores / 16 GB RAM / 200 GB SSD |
| Edge node | 2 CPU cores / 4 GB RAM / 50 GB storage | 4 CPU cores / 8 GB RAM / 100 GB SSD |
| Network | Gigabit LAN | 10 GbE backbone with redundant links |
Software requirements
- Operating system: Ubuntu 22.04 LTS (the script below uses apt) or a RHEL 8-compatible distribution (CentOS 8 itself reached end of life in December 2021)
- Dependencies: OpenJDK 17, PostgreSQL 14+, Nginx 1.18+
- Network: DNS records for the Keycloak and controller hostnames, a TLS certificate, static IP addresses
III. Quick deployment script
#!/bin/bash
# Zero-trust one-shot deployment script - ZeroTrust Deployer v2.0
# Run as root on the control node. Nginx terminates TLS; Keycloak listens on loopback only.
set -euo pipefail
# Configuration
export DOMAIN="zt.yourcompany.com"
export KEYCLOAK_ADMIN_PWD="$(openssl rand -base64 16)"
export ZITI_ADMIN_PWD="$(openssl rand -base64 16)"
export DB_PASSWORD="$(openssl rand -base64 16)"
export INSTALL_DIR="/opt/zero-trust"
echo "🚀 Starting zero-trust platform deployment..."
mkdir -p ${INSTALL_DIR}/keycloak ${INSTALL_DIR}/ziti/{bin,controller,router}
# Unprivileged service accounts; the systemd units below run as these users
id keycloak >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin -d ${INSTALL_DIR}/keycloak keycloak
id ziti >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin -d ${INSTALL_DIR}/ziti ziti
# Install dependencies
apt update && apt install -y openjdk-17-jdk postgresql nginx certbot python3-certbot-nginx
# Configure the database (Keycloak only: the OpenZiti controller stores its state in an embedded bbolt file, not in PostgreSQL)
sudo -u postgres psql -c "CREATE DATABASE keycloak;"
sudo -u postgres psql -c "CREATE USER keycloak WITH PASSWORD '${DB_PASSWORD}';"
sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;"
# PostgreSQL 15+ no longer grants CREATE on the public schema by default; harmless on 14
sudo -u postgres psql -d keycloak -c "GRANT ALL ON SCHEMA public TO keycloak;"
# Deploy Keycloak
wget -qP /tmp https://github.com/keycloak/keycloak/releases/download/24.0.1/keycloak-24.0.1.tar.gz
tar -xzf /tmp/keycloak-24.0.1.tar.gz -C ${INSTALL_DIR}/keycloak --strip-components=1
cat > ${INSTALL_DIR}/keycloak/conf/keycloak.conf << EOF
db=postgres
db-username=keycloak
db-password=${DB_PASSWORD}
db-url=jdbc:postgresql://localhost:5432/keycloak
hostname=${DOMAIN}
# Nginx terminates TLS on this host, so Keycloak serves plain HTTP on loopback only.
# Never bind 0.0.0.0 here: any client could then forge the X-Forwarded-* headers.
http-enabled=true
http-host=127.0.0.1
http-port=8080
# Trust the reverse proxy's X-Forwarded-* headers (replaces proxy=edge, deprecated in Keycloak 24)
proxy-headers=xforwarded
# Preview feature
features=admin-fine-grained-authz
EOF
chown -R keycloak:keycloak ${INSTALL_DIR}/keycloak
chmod 600 ${INSTALL_DIR}/keycloak/conf/keycloak.conf
# db and features are build-time options: "start --optimized" refuses to run until they are baked in
sudo -u keycloak ${INSTALL_DIR}/keycloak/bin/kc.sh build
# Keep the bootstrap admin credentials out of the world-readable unit file
cat > /etc/keycloak.env << EOF
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PWD}
EOF
chmod 600 /etc/keycloak.env
# Deploy OpenZiti: a single "ziti" binary provides the controller, router and CLI as subcommands
# (check the release page for the exact asset name of the version you pick)
ZITI_VER="0.32.13"
ARCH=$(uname -m | sed 's/x86_64/amd64/; s/aarch64/arm64/')
wget -qO /tmp/ziti.tar.gz \
  https://github.com/openziti/ziti/releases/download/v${ZITI_VER}/ziti-linux-${ARCH}-${ZITI_VER}.tar.gz
tar -xzf /tmp/ziti.tar.gz -C ${INSTALL_DIR}/ziti/bin
chmod +x ${INSTALL_DIR}/ziti/bin/ziti
ln -sf ${INSTALL_DIR}/ziti/bin/ziti /usr/local/bin/ziti
# Initialize the OpenZiti controller. ctrl.yaml, router.yaml and the PKI they reference must already exist
# under ${INSTALL_DIR}/ziti (generated with "ziti pki create ..." and "ziti create config controller" /
# "ziti create config router edge"); that step is not covered by this guide. The controller database is the
# bbolt file named by the "db:" key of ctrl.yaml, so there is no PostgreSQL connection string to pass here.
chown -R ziti:ziti ${INSTALL_DIR}/ziti
sudo -u ziti ziti controller edge init ${INSTALL_DIR}/ziti/controller/ctrl.yaml \
  -u admin -p "${ZITI_ADMIN_PWD}"
# systemd units
cat > /etc/systemd/system/keycloak.service << EOF
[Unit]
Description=Keycloak Identity Server
After=network.target postgresql.service
Requires=postgresql.service
[Service]
User=keycloak
Group=keycloak
EnvironmentFile=/etc/keycloak.env
ExecStart=${INSTALL_DIR}/keycloak/bin/kc.sh start --optimized
WorkingDirectory=${INSTALL_DIR}/keycloak
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target
EOF
cat > /etc/systemd/system/ziti-controller.service << EOF
[Unit]
Description=OpenZiti Controller
After=network.target
[Service]
User=ziti
Group=ziti
WorkingDirectory=${INSTALL_DIR}/ziti/controller
ExecStart=${INSTALL_DIR}/ziti/bin/ziti controller run ${INSTALL_DIR}/ziti/controller/ctrl.yaml
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
EOF
cat > /etc/systemd/system/ziti-router.service << EOF
[Unit]
Description=OpenZiti Edge Router
After=network.target ziti-controller.service
[Service]
User=ziti
Group=ziti
WorkingDirectory=${INSTALL_DIR}/ziti/router
ExecStart=${INSTALL_DIR}/ziti/bin/ziti router run ${INSTALL_DIR}/ziti/router/router.yaml
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
EOF
# Start services. The router must be enrolled against a running controller before it can start.
systemctl daemon-reload
systemctl enable --now postgresql keycloak ziti-controller nginx
sleep 15
# -y accepts the controller's self-signed CA on first login; 1280 must match the edge API address in ctrl.yaml
ziti edge login ziti-controller.${DOMAIN}:1280 -u admin -p "${ZITI_ADMIN_PWD}" -y
ziti edge create edge-router edge-router-1 -o /tmp/edge-router-1.jwt
sudo -u ziti ziti router enroll ${INSTALL_DIR}/ziti/router/router.yaml --jwt /tmp/edge-router-1.jwt
rm -f /tmp/edge-router-1.jwt
systemctl enable --now ziti-router
echo "✅ Deployment complete!"
echo "📝 Access information (shown once; store these passwords in your secrets manager):"
echo "  Keycloak admin console: https://${DOMAIN}/admin/"
echo "  Username: admin"
echo "  Password: ${KEYCLOAK_ADMIN_PWD}"
echo "  OpenZiti controller edge API: https://ziti-controller.${DOMAIN}:1280 (the web console is a separate install)"
echo "  Username: admin"
echo "  Password: ${ZITI_ADMIN_PWD}"
IV. Core configuration explained
1. OpenZiti identities and a first service policy
Keycloak realms and clients are created in the Keycloak admin console (https://${DOMAIN}/admin/) or with its kcadm.sh CLI; the commands below are the OpenZiti side. Installing the two components side by side does not connect them: for OpenZiti to accept Keycloak-issued tokens, Keycloak must also be registered on the controller as an external JWT signer (ziti edge create ext-jwt-signer), which the deployment script does not do.
# Log in to the controller's edge management API (1280 here; use the advertised address from ctrl.yaml)
ziti edge login ziti-controller.${DOMAIN}:1280 -u admin -p "${ZITI_ADMIN_PWD}"
# Create a user identity carrying the "employees" role attribute and write its one-time enrollment JWT
ziti edge create identity user employee1 -a employees -o employee1.jwt
# Role selectors are written '#attribute'; '@name' selects a single entity by name, so '@employees' would match nothing here
ziti edge create service-policy web-access Dial --identity-roles '#employees' --service-roles '#web-apps'
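When a Keycloak login is rejected by the controller, the first thing to check is whether the token carries what the external JWT signer was configured to match on: the issuer, the audience and the claim that is compared with the identity's externalId. The helper below is an added example for this guide, not Keycloak or OpenZiti project code. It only decodes the token (no signature check; the controller verifies the signature against Keycloak's JWKS itself) and lists the claim problems. The realm name "corp", the client id "openziti", the claims property "email" and the two sample tokens are assumptions constructed for the demonstration.

```python
"""Inspect a Keycloak-issued token for the claims an OpenZiti ext-jwt-signer needs.

Added example (not Keycloak/OpenZiti code). Decodes without verifying the
signature, so it is a debugging aid only, never an authentication step.
"""
import base64
import json
import time
from typing import Optional

ISSUER = "https://zt.yourcompany.com/realms/corp"  # assumed realm name "corp"


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_unverified(token: str):
    """Return (header, claims). The signature is deliberately NOT verified here."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def check_claims(claims: dict, issuer: str, audience: str, claims_property: str,
                 now: Optional[float] = None) -> list:
    """List the reasons a signer configured with (issuer, audience, claims_property)
    would not accept these claims; an empty list means the claim checks pass."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != signer issuer {issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if audience not in aud:
        # Keycloak only adds a client to aud when an audience mapper is configured on the client
        problems.append(f"aud {aud!r} does not contain {audience!r} (add an audience mapper)")
    if "exp" not in claims or claims["exp"] <= now:
        problems.append("token expired or has no exp claim")
    if not claims.get(claims_property):
        problems.append(f"claims property {claims_property!r} missing: cannot match identity externalId")
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed sample with a dummy signature, for demonstration only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "demo"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'not-a-real-signature')}"


# Constructed tokens: one as a correctly configured client would issue it, one with the usual mistakes
GOOD = make_sample_token({"iss": ISSUER, "aud": ["openziti", "account"], "exp": 4102444800,
                          "sub": "7d0e9a2c-demo", "email": "employee1@yourcompany.com"})
BAD = make_sample_token({"iss": ISSUER, "aud": "account", "exp": 1600000000,
                         "sub": "7d0e9a2c-demo", "preferred_username": "employee1"})

if __name__ == "__main__":
    for name, token in (("good", GOOD), ("bad", BAD)):
        _, claims = decode_unverified(token)
        print(name, check_claims(claims, ISSUER, "openziti", "email") or "claims ok")
```

Paste a real access token into decode_unverified to see exactly which of the four checks fails; the "bad" sample reproduces the three most common misconfigurations (no audience mapper, expired token, wrong claim chosen as the identity key).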
2. OpenZiti service policies
The file below is this guide's own declarative description of what the overlay should enforce; OpenZiti does not read YAML policy files. Each entry maps onto real controller objects: a service with host.v1 and intercept.v1 configs, a Dial service policy whose identity roles are written '#developers,#qa-team', and, for device compliance, a posture check that the policy references by role. Service policies have no time-of-day condition, so the time entry has to be enforced elsewhere (at the identity provider, or by a scheduled job that changes the policy).
# configs/zero-trust-policies.yaml
services:
  - name: internal-webapp
    protocol: tcp
    address: internal-webapp.company.local
    port: 8080
policies:
  - name: webapp-access
    identities: ['@developers', '@qa-team']
    conditions:
      - device-compliance: true
      - time: "9:00-17:00"
3. Nginx security configuration
# /etc/nginx/sites-available/zero-trust
server {
    listen 80;
    server_name zt.yourcompany.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name zt.yourcompany.com;
    ssl_certificate /etc/letsencrypt/live/zt.yourcompany.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zt.yourcompany.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Security headers. Do not add X-Frame-Options here: Keycloak sets frame headers per realm
    # (Realm settings > Security defenses) and its login-status iframe must stay embeddable by clients.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff always;
    # Keycloak listens on loopback over plain HTTP (http-host/http-port in keycloak.conf) and
    # reconstructs the public URL from these headers (proxy-headers=xforwarded)
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;
    # Admin console only from the management network (adjust the range)
    location /admin/ {
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://127.0.0.1:8080;
    }
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
V. Zero-trust policy configuration
1. Authentication policies
# Enable multi-factor authentication: import a realm JSON (Keycloak's realm-export format) that enables the
# CONFIGURE_TOTP required action as a default action. keycloak-config-cli is a Java jar, not a shell wrapper.
java -jar keycloak-config-cli.jar \
  --keycloak.url=https://${DOMAIN} --keycloak.user=admin --keycloak.password="${KEYCLOAK_ADMIN_PWD}" \
  --import.files.locations=/opt/zero-trust/keycloak/config/mfa-config.json
# Device compliance: OpenZiti evaluates posture checks on the endpoint (SDK or tunneler) and a service policy
# references them by role; there is no "config" type that calls an external compliance API. Two examples
# (see "ziti edge create posture-check --help" for the full option set):
ziti edge create posture-check mfa mfa-required -a compliant
ziti edge create posture-check domain corp-domain-joined -d company.local -a compliant
# A verdict from an external EDR or SIEM is applied by automation that changes the identity's role attributes
# (ziti edge update identity <name> -a ...), so that the identity drops out of the policies granting access.
2. Network access policies
# Micro-segmentation: the DBA team may dial the MySQL servers and nothing else. Roles are written '#attribute'.
# AllOf requires an identity to carry every listed role; the default AnyOf grants access on any one of them.
ziti edge create service-policy database-access Dial \
  --service-roles '#mysql-servers' \
  --identity-roles '#dba-team' \
  --semantic 'AllOf'
# Business-hours access: service policies accept identity, service and posture-check roles, but no time-window
# condition, so there is no --conditions flag. Require the MFA posture check instead and enforce working hours
# at the identity provider or with a scheduled job that removes the policy outside the window.
ziti edge create service-policy business-hours Dial \
  --service-roles '#business-apps' \
  --identity-roles '#employees' \
  --posture-check-roles '#compliant'
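The policy file in section IV.2 and the hand-written commands above are two views of the same thing, and the translation between them is where mistakes happen ('@' versus '#', forgetting the Bind policy for the hosting identity, assuming a time condition exists). The generator below is an added example for this guide, not OpenZiti project code: it turns the parsed policy file into the "ziti edge create" commands that produce real controller objects (host.v1 and intercept.v1 configs, the service, a Bind policy for the hosting tunneler, a Dial policy with posture-check roles) and reports conditions OpenZiti cannot express instead of dropping them. The hosting identity name "webapp-host", the posture-check role "compliant" and the INTENT dictionary (the YAML above in parsed form) are assumptions constructed for the example.

```python
"""Render this guide's declarative policy file as OpenZiti CLI commands.

Added example (not OpenZiti code). Emits commands for review; nothing is executed.
"""
import json
import shlex

# Constructed sample: configs/zero-trust-policies.yaml from section IV.2 in parsed form
INTENT = {
    "services": [
        {"name": "internal-webapp", "protocol": "tcp",
         "address": "internal-webapp.company.local", "port": 8080},
    ],
    "policies": [
        {"name": "webapp-access", "service": "internal-webapp",
         "identities": ["@developers", "@qa-team"],
         "conditions": [{"device-compliance": True}, {"time": "9:00-17:00"}]},
    ],
}


def role(name: str) -> str:
    """Role attributes are selected with '#attr'; the file's '@x' shorthand means attribute x."""
    return "#" + name.lstrip("@#")


def service_commands(svc: dict, host_identity: str) -> list:
    """A service is the service entity plus its host.v1 (server side) and intercept.v1 (client side) configs."""
    name = svc["name"]
    host_cfg = {"protocol": svc["protocol"], "address": svc["address"], "port": svc["port"]}
    intercept_cfg = {"protocols": [svc["protocol"]], "addresses": [svc["address"]],
                     "portRanges": [{"low": svc["port"], "high": svc["port"]}]}
    return [
        f"ziti edge create config {name}-host host.v1 {shlex.quote(json.dumps(host_cfg))}",
        f"ziti edge create config {name}-intercept intercept.v1 {shlex.quote(json.dumps(intercept_cfg))}",
        f"ziti edge create service {name} --configs {name}-host,{name}-intercept --role-attributes {name}",
        # The identity hosting the service (a tunneler next to the real server) needs a Bind policy
        f"ziti edge create service-policy {name}-bind Bind --service-roles {shlex.quote('#' + name)} "
        f"--identity-roles {shlex.quote('@' + host_identity)}",
    ]


def policy_commands(pol: dict, posture_role: str):
    """Return (commands, unsupported) for one access policy."""
    unsupported, posture = [], []
    for cond in pol.get("conditions", []):
        if cond.get("device-compliance"):
            posture.append(role(posture_role))
        for key in cond:
            if key != "device-compliance":
                unsupported.append(f"{pol['name']}: condition {key}={cond[key]!r} has no OpenZiti policy equivalent")
    cmd = (f"ziti edge create service-policy {pol['name']} Dial "
           f"--service-roles {shlex.quote('#' + pol['service'])} "
           f"--identity-roles {shlex.quote(','.join(role(i) for i in pol['identities']))}")
    if posture:
        cmd += f" --posture-check-roles {shlex.quote(','.join(posture))}"
    return [cmd], unsupported


def render(intent: dict, host_identity: str = "webapp-host", posture_role: str = "compliant"):
    """Return (commands, unsupported_conditions) for the whole intent file."""
    commands, unsupported = [], []
    for svc in intent["services"]:
        commands += service_commands(svc, host_identity)
    for pol in intent["policies"]:
        cmds, unsup = policy_commands(pol, posture_role)
        commands += cmds
        unsupported += unsup
    return commands, unsupported


if __name__ == "__main__":
    cmds, warnings = render(INTENT)
    print("\n".join(cmds))
    for warning in warnings:
        print("# WARNING:", warning)
```

Review the printed commands, then run them after "ziti edge login"; the WARNING line is the reminder that the 9:00-17:00 window still needs an enforcement point outside OpenZiti.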
VI. Integration and extension
1. Enterprise AD integration
# LDAP connection. keycloak-config-cli takes the LDAP provider (URL, bind DN, bind credential, users DN) from
# the "components" section of the realm JSON, not from command-line variables. Use ldaps:// (636) or StartTLS
# rather than plain ldap://389: the bind credential would otherwise cross the network in clear text.
java -jar keycloak-config-cli.jar \
  --keycloak.url=https://${DOMAIN} --keycloak.user=admin --keycloak.password="${KEYCLOAK_ADMIN_PWD}" \
  --import.files.locations=/opt/zero-trust/keycloak/config/ldap-integration.json
2. Security monitoring integration
# Prometheus scrape configuration. The Quarkus-based Keycloak serves metrics at /metrics on its HTTP listener
# once metrics-enabled=true is set in keycloak.conf; the /auth/realms/master/metrics path belonged to the retired
# WildFly distribution. With Keycloak bound to 127.0.0.1:8080, scrape from the same host.
scrape_configs:
  - job_name: 'keycloak'
    metrics_path: '/metrics'
    static_configs:
      - targets: ['127.0.0.1:8080']
  - job_name: 'ziti-controller'
    # The controller exposes Prometheus metrics only when a metrics API binding is enabled in ctrl.yaml
    # (web.apis); the endpoint is TLS and expects a client certificate, supplied via tls_config.
    # The certificate paths are placeholders for your PKI; check the OpenZiti metrics documentation
    # for the exact binding and port of your release.
    metrics_path: '/metrics'
    scheme: https
    tls_config:
      ca_file: /opt/zero-trust/ziti/pki/ca.pem
      cert_file: /opt/zero-trust/ziti/pki/prometheus.cert
      key_file: /opt/zero-trust/ziti/pki/prometheus.key
    static_configs:
      - targets: ['ziti-controller.zt.yourcompany.com:1280']
VII. Troubleshooting guide
Common checks
# 1. Service status
systemctl status keycloak ziti-controller ziti-router
# 2. Logs (all three services write to the journal when run from the systemd units above)
journalctl -u keycloak -f --since "5 minutes ago"
journalctl -u ziti-router -f --since "5 minutes ago"
# 3. Connectivity. Do not reach for -k by default: a certificate error is a finding, not noise.
curl -v https://zt.yourcompany.com/realms/master/.well-known/openid-configuration
ziti edge list edge-routers
ziti edge list identities
# 4. Database diagnostics (Keycloak only; the OpenZiti controller has no SQL database)
sudo -u postgres psql -d keycloak -c "\dt+"
Performance tuning parameters
# Keycloak JVM: put this in /etc/keycloak.env. Use JAVA_OPTS_APPEND; setting JAVA_OPTS replaces the defaults
# that kc.sh ships instead of adding to them.
JAVA_OPTS_APPEND="-Xms2G -Xmx4G -XX:MetaspaceSize=256M -XX:MaxMetaspaceSize=512m"
# OpenZiti: the controller database is a single bbolt file named in ctrl.yaml, so there is no connection pool
# to size. Tune controller and router resources (CPU, memory, file descriptor limits) instead.
db: /opt/zero-trust/ziti/controller/ctrl.db
VIII. Security hardening
1. Infrastructure security
# Firewall. Default-deny first, and allow SSH before "ufw enable" or you lock yourself out.
# Keycloak listens on loopback only, so neither 8080 nor 8443 is ever opened; Nginx is the only way in.
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp comment 'SSH (restrict to the management network)'
ufw allow 443/tcp comment 'Nginx -> Keycloak'
ufw allow 1280/tcp comment 'Ziti controller edge API'
ufw allow 6262/tcp comment 'Ziti controller <-> router control plane'
ufw allow 3022/tcp comment 'Ziti edge router listener'
# 1280/6262/3022 are the OpenZiti quickstart defaults; match the listeners in your ctrl.yaml and router.yaml
ufw enable
# File system permissions. The top directory must stay traversable (755) for the keycloak and ziti users;
# 750 on it with root ownership would lock both services out of their own trees.
chmod 755 /opt/zero-trust
chown -R keycloak:keycloak /opt/zero-trust/keycloak
chown -R ziti:ziti /opt/zero-trust/ziti
chmod 750 /opt/zero-trust/keycloak /opt/zero-trust/ziti
2. Auditing and monitoring
# Detailed audit logging. "log-handler=file:DEBUG" is not a valid option: handlers are chosen with "log=" and the
# level with "log-level=". The jboss-logging event listener (enabled per realm under Realm settings > Events)
# then writes one "type=..." line per login event at the levels set below. These are runtime options, so no
# "kc.sh build" is needed, only a restart.
mkdir -p /var/log/keycloak && chown keycloak:keycloak /var/log/keycloak
cat >> /opt/zero-trust/keycloak/conf/keycloak.conf << EOF
log=console,file
log-level=info
log-file=/var/log/keycloak/keycloak.log
spi-events-listener-jboss-logging-success-level=info
spi-events-listener-jboss-logging-error-level=warn
EOF
systemctl restart keycloak
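Once the event listener writes login events at these levels, the log is the place to catch credential attacks against the IdP, which in a zero-trust design is the front door to everything. The detector below is an added example for this guide, not Keycloak project code. It parses the "type=LOGIN_ERROR, ..." lines, keeps a sliding window per username and per source IP, and alerts on a brute force (many failures for one user) or a password spray (one IP failing against many users). The log lines are constructed samples; real lines carry more key=value fields and, in newer Keycloak releases, quote the values, both of which the parser tolerates. The thresholds are assumptions to tune for your environment.

```python
"""Brute-force and password-spray detection over Keycloak event log lines.

Added example (not Keycloak code). Feed it /var/log/keycloak/keycloak.log or journal output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Logger prefix plus the event type; values may be bare (Keycloak <= 24) or quoted (newer releases)
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*?type="?(?P<type>[A-Z_]+)"?,(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)="?([^",]*)"?')


def parse_event(line: str):
    """Return the event fields (ts as epoch seconds, type, ipAddress, username, ...) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").timestamp(),
             "type": m.group("type")}
    event.update(dict(KV_RE.findall(m.group("rest"))))
    return event


class LoginFailureDetector:
    """Sliding-window counters over LOGIN_ERROR events, keyed by username and by source IP."""

    def __init__(self, window_s: int = 300, user_threshold: int = 5, spray_users: int = 5):
        self.window_s = window_s
        self.user_threshold = user_threshold   # failures for one username -> brute force
        self.spray_users = spray_users         # distinct usernames from one IP -> password spray
        self.by_user = defaultdict(deque)      # username -> failure timestamps
        self.by_ip = defaultdict(deque)        # ip -> (timestamp, username)

    def _evict(self, queue, now, ts=lambda item: item):
        while queue and ts(queue[0]) < now - self.window_s:
            queue.popleft()

    def feed(self, event) -> list:
        """Consume one parsed event and return the alerts it triggers (usually none)."""
        alerts = []
        if not event or event.get("type") != "LOGIN_ERROR":
            return alerts
        now, ip, user = event["ts"], event.get("ipAddress", "?"), event.get("username", "?")
        user_q, ip_q = self.by_user[user], self.by_ip[ip]
        self._evict(user_q, now)
        self._evict(ip_q, now, ts=lambda item: item[0])
        user_q.append(now)
        ip_q.append((now, user))
        # Fire once, at the moment a threshold is crossed, not on every later failure
        if len(user_q) == self.user_threshold:
            alerts.append(f"brute force: {len(user_q)} failures for user {user!r} in {self.window_s}s (latest from {ip})")
        distinct = {u for _, u in ip_q}
        if len(distinct) == self.spray_users and sum(1 for _, u in ip_q if u == user) == 1:
            alerts.append(f"password spray: {ip} failed against {len(distinct)} different users in {self.window_s}s")
        return alerts


def scan(log_text: str) -> list:
    """Run the detector over a whole log and return every alert in order."""
    detector, alerts = LoginFailureDetector(), []
    for line in log_text.splitlines():
        alerts.extend(detector.feed(parse_event(line)))
    return alerts


# Constructed sample: six failures for alice from one IP, one success, then a spray across five users
SAMPLE_LOG = """\
2024-03-01 09:00:01,101 WARN  [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=corp, clientId=account-console, userId=null, ipAddress=203.0.113.10, error=invalid_user_credentials, username=alice
2024-03-01 09:00:05,412 WARN  [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=corp, clientId=account-console, userId=null, ipAddress=203.0.113.10, error=invalid_user_credentials, username=alice
2024-03-01 09:00:09,780 WARN  [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=corp, clientId=account-console, userId=null, ipAddress=203.0.113.10, error=invalid_user_credentials, username=alice
2024-03-01 09:00:14,033 WARN  [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=corp, clientId=account-console, userId=null, ipAddress=203.0.113.10, error=invalid_user_credentials, username=alice
2024-03-01 09:00:20,290 WARN  [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=corp, clientId=account-console, userId=null, ipAddress=203.0.113.10, error=invalid_user_credentials, username=alice
2024-03-01 09:00:27,544 WARN  [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=corp, clientId=account-console, userId=null, ipAddress=203.0.113.10, error=invalid_user_credentials, username=alice
2024-03-01 09:00:31,902 INFO  [org.keycloak.events] (executor-thread-1) type=LOGIN, realmId=corp, clientId=account-console, userId=4e6f1c2a, ipAddress=10.1.1.5, username=bob
2024-03-01 09:01:00,115 WARN  [org.keycloak.events] (executor-thread-5) type="LOGIN_ERROR", realmId="corp", clientId="account-console", userId="null", ipAddress="198.51.100.7", error="user_not_found", username="carol"
2024-03-01 09:01:10,220 WARN  [org.keycloak.events] (executor-thread-5) type="LOGIN_ERROR", realmId="corp", clientId="account-console", userId="null", ipAddress="198.51.100.7", error="user_not_found", username="dave"
2024-03-01 09:01:20,331 WARN  [org.keycloak.events] (executor-thread-5) type="LOGIN_ERROR", realmId="corp", clientId="account-console", userId="null", ipAddress="198.51.100.7", error="user_not_found", username="erin"
2024-03-01 09:01:30,447 WARN  [org.keycloak.events] (executor-thread-5) type="LOGIN_ERROR", realmId="corp", clientId="account-console", userId="null", ipAddress="198.51.100.7", error="user_not_found", username="frank"
2024-03-01 09:01:40,558 WARN  [org.keycloak.events] (executor-thread-5) type="LOGIN_ERROR", realmId="corp", clientId="account-console", userId="null", ipAddress="198.51.100.7", error="user_not_found", username="grace"
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Wire scan() to a log tailer or a cron job and forward the alerts to your SIEM; with Keycloak behind Nginx, ipAddress is only meaningful because the X-Forwarded-For header is set and proxy-headers=xforwarded is configured, which is one more reason never to expose the Keycloak listener directly.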
IX. Backup and recovery
1. Automated backup script
#!/bin/bash
# Zero-trust platform backup script (run as root from cron)
set -euo pipefail
BACKUP_DIR="/backup/zero-trust"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
mkdir -p "${BACKUP_DIR}" && chmod 700 "${BACKUP_DIR}"
# Keycloak database, dumped as the postgres superuser so cron needs no password
sudo -u postgres pg_dump -d keycloak > ${BACKUP_DIR}/keycloak_db_${TIMESTAMP}.sql
# OpenZiti keeps its state in the controller's bbolt file (the "db:" key in ctrl.yaml; adjust the path below)
# plus the PKI, so both are backed up as files. Copying a bbolt file while the controller is writing can yield
# an inconsistent copy: take this during a maintenance window or stop the controller briefly.
tar -czf ${BACKUP_DIR}/configs_${TIMESTAMP}.tar.gz \
  /opt/zero-trust/keycloak/conf \
  /etc/keycloak.env \
  /opt/zero-trust/ziti/controller/ctrl.yaml \
  /opt/zero-trust/ziti/controller/ctrl.db \
  /opt/zero-trust/ziti/router/router.yaml \
  /opt/zero-trust/ziti/pki
# The archive holds database passwords and private keys: keep it root-only and encrypt it before it leaves the host
chmod 600 ${BACKUP_DIR}/*_${TIMESTAMP}.*
# Keep the last 7 days
find ${BACKUP_DIR} -name "*.sql" -mtime +7 -delete
find ${BACKUP_DIR} -name "*.tar.gz" -mtime +7 -delete
# Test restores regularly on a staging host: sudo -u postgres psql -d keycloak < keycloak_db_<timestamp>.sql
X. Summary and best practices
Key success factors
- Phased rollout: pilot on non-critical applications first, then expand
- Continuous monitoring: build out a complete monitoring and alerting pipeline
- Regular audits: review access logs and policy effectiveness every month
- Team training: make sure the IT team understands the zero-trust model and the toolchain
Extension suggestions
- 🔄 High availability: run multi-node controller and router clusters
- 🌐 Hybrid cloud: place routers in the public cloud for hybrid-cloud access
- 🤖 Automated operations: manage the infrastructure as code with Ansible or Terraform
- 📊 Visual analytics: integrate the ELK Stack for security log analysis