Hello I am trying to test Docker compose with Caddy for reverse proxy and continue to get errors I do not understand.
I am hoping someone can help point me in the right direction.
Thank you
# docker logs identity
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v3.3.13)
2025-08-27 14:33:16.148 INFO 1 --- [ main] i.c.i.Application : Starting Application using Java 17.0.16 with PID 1 (/app/identity.jar started by camunda in /app)
2025-08-27 14:33:16.162 INFO 1 --- [ main] i.c.i.Application : The following 1 profile is active: "keycloak"
2025-08-27 14:33:24.404 WARN 1 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'globalMethodSecurityConfig' of type [io.camunda.identity.security.config.GlobalMethodSecurityConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected/applied to a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies/advisors. If this bean does not have to be post-processed, declare it with ROLE_INFRASTRUCTURE.
2025-08-27 14:33:28.542 WARN 1 --- [ main] i.c.i.c.AppConfig : Expected a valid license but encountered an invalid one instead. Please check the license key and try again.
2025-08-27 14:33:34.337 INFO 1 --- [ main] i.c.i.Application : Started Application in 22.21 seconds (process running for 25.655)
# docker-compose.yaml
# While the Docker images themselves are supported for production usage,
# this docker-compose.yaml is designed to be used by developers to run
# an environment locally. It is not designed to be used in production.
# We recommend to use Kubernetes in production with our Helm Charts:
# https://docs.camunda.io/docs/self-managed/setup/install/
# For local development, we recommend using KIND instead of `docker-compose`:
# https://docs.camunda.io/docs/self-managed/platform-deployment/helm-kubernetes/guides/local-kubernetes-cluster/
# This is a full configuration with Zeebe, Operate, Tasklist, Optimize, Identity, Keycloak, Elasticsearch and Web Modeler.
# See docker-compose-core.yml for a lightweight configuration that does not include Optimize, Identity, and Keycloak.
services:
caddy:
image: caddy:2-alpine
container_name: caddy
restart: unless-stopped
ports:
- "80:80"
- "443:443"
- "443:443/udp"
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- caddy_data:/data
- caddy_config:/config
networks:
- camunda-platform
- identity-network
- web-modeler
depends_on:
- zeebe
- operate
- tasklist
- optimize
- identity
- keycloak
- web-modeler-webapp
- web-modeler-restapi
- web-modeler-websockets
- connectors
zeebe: # https://docs.camunda.io/docs/self-managed/platform-deployment/docker/#zeebe
image: camunda/zeebe:${CAMUNDA_ZEEBE_VERSION}
container_name: zeebe
ports:
- "26500:26500"
- "9600:9600"
- "8088:8080"
environment: # https://docs.camunda.io/docs/self-managed/zeebe-deployment/configuration/environment-variables/
- ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_MODE=${ZEEBE_AUTHENTICATION_MODE}
- ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_ISSUERBACKENDURL=http://keycloak:18080/auth/realms/camunda-platform
- ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_AUDIENCE=zeebe-api
- ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_BASEURL=http://identity:8084
- ZEEBE_BROKER_GATEWAY_MULTITENANCY_ENABLED=${MULTI_TENANCY_ENABLED}
- ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_CLASSNAME=io.camunda.zeebe.exporter.ElasticsearchExporter
- ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_ARGS_URL=http://elasticsearch:9200
# default is 1000, see here: https://github.com/camunda/zeebe/blob/main/exporters/elasticsearch-exporter/src/main/java/io/camunda/zeebe/exporter/ElasticsearchExporterConfiguration.java#L259
- ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_ARGS_BULK_SIZE=1
# allow running with low disk space
- ZEEBE_BROKER_DATA_DISKUSAGECOMMANDWATERMARK=0.998
- ZEEBE_BROKER_DATA_DISKUSAGEREPLICATIONWATERMARK=0.999
- CAMUNDA_DATABASE_URL=http://elasticsearch:9200
- CAMUNDA_IDENTITY_ISSUERBACKENDURL=http://keycloak:18080/auth/realms/camunda-platform
- CAMUNDA_IDENTITY_BASEURL=http://identity:8084
- CAMUNDA_IDENTITY_AUDIENCE=zeebe-api
- SPRING_PROFILES_ACTIVE=identity-auth
- "JAVA_TOOL_OPTIONS=-Xms512m -Xmx512m"
- management.endpoints.web.exposure.include=health,info,metrics,prometheus,configprops
- MANAGEMENT_ENDPOINT_CONFIGPROPS_SHOW_VALUES=ALWAYS
env_file:
- path: .env
required: true
restart: always
healthcheck:
test: ["CMD-SHELL", "timeout 10s bash -c ':> /dev/tcp/127.0.0.1/9600' || exit 1"]
interval: 30s
timeout: 5s
retries: 5
start_period: 30s
volumes:
- zeebe:/usr/local/zeebe/data
networks:
- camunda-platform
depends_on:
- elasticsearch
- identity
operate: # https://docs.camunda.io/docs/self-managed/platform-deployment/docker/#operate
image: camunda/operate:${CAMUNDA_OPERATE_VERSION}
container_name: operate
environment: # https://docs.camunda.io/docs/self-managed/operate-deployment/configuration/
- CAMUNDA_OPERATE_ZEEBE_GATEWAYADDRESS=zeebe:26500
- ZEEBE_CLIENT_ID=${ZEEBE_CLIENT_ID}
- ZEEBE_CLIENT_SECRET=${ZEEBE_CLIENT_SECRET}
- ZEEBE_TOKEN_AUDIENCE=zeebe-api
- ZEEBE_AUTHORIZATION_SERVER_URL=http://keycloak:18080/auth/realms/camunda-platform/protocol/openid-connect/token
- CAMUNDA_OPERATE_ELASTICSEARCH_URL=http://elasticsearch:9200
- CAMUNDA_OPERATE_ZEEBEELASTICSEARCH_URL=http://elasticsearch:9200
# For more information regarding configuration with Identity see:
# https://docs.camunda.io/docs/self-managed/operate-deployment/authentication/#identity
- SPRING_PROFILES_ACTIVE=identity-auth
- CAMUNDA_OPERATE_IDENTITY_BASEURL=http://identity:8084
- CAMUNDA_OPERATE_IDENTITY_ISSUER_URL=https://${HOST}/auth/realms/camunda-platform
- CAMUNDA_OPERATE_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:18080/auth/realms/camunda-platform
- CAMUNDA_OPERATE_IDENTITY_CLIENTID=operate
- CAMUNDA_OPERATE_IDENTITY_CLIENTSECRET=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
- CAMUNDA_OPERATE_IDENTITY_AUDIENCE=operate-api
- CAMUNDA_OPERATE_MULTITENANCY_ENABLED=${MULTI_TENANCY_ENABLED}
- SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=https://${HOST}/auth/realms/camunda-platform
- SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=https://${HOST}/auth/realms/camunda-platform/protocol/openid-connect/certs
- CAMUNDA_OPERATE_IDENTITY_RESOURCEPERMISSIONSENABLED=${RESOURCE_AUTHORIZATIONS_ENABLED}
- CAMUNDA_DATABASE_URL=http://elasticsearch:9200
- management.endpoints.web.exposure.include=health,info,metrics,prometheus,configprops
- MANAGEMENT_ENDPOINT_CONFIGPROPS_SHOW_VALUES=ALWAYS
- management.endpoint.health.probes.enabled=true
- ZEEBE_CLIENT_CONFIG_PATH=/tmp/zeebe_auth_cache
healthcheck:
test: ["CMD-SHELL", "wget -O - -q 'http://localhost:8080/actuator/health/readiness'"]
interval: 30s
timeout: 1s
retries: 5
start_period: 30s
volumes:
- operate_tmp:/tmp
networks:
- camunda-platform
depends_on:
- zeebe
- identity
- elasticsearch
tasklist: # https://docs.camunda.io/docs/self-managed/platform-deployment/docker/#tasklist
image: camunda/tasklist:${CAMUNDA_TASKLIST_VERSION}
container_name: tasklist
environment: # https://docs.camunda.io/docs/self-managed/tasklist-deployment/configuration/
- CAMUNDA_TASKLIST_ZEEBE_GATEWAYADDRESS=zeebe:26500
- CAMUNDA_TASKLIST_ZEEBE_RESTADDRESS=http://zeebe:8080
- ZEEBE_CLIENT_ID=${ZEEBE_CLIENT_ID}
- ZEEBE_CLIENT_SECRET=${ZEEBE_CLIENT_SECRET}
- ZEEBE_CLIENT_CONFIG_PATH=/tmp/zeebe_auth_cache
- ZEEBE_TOKEN_AUDIENCE=zeebe-api
- ZEEBE_AUTHORIZATION_SERVER_URL=http://keycloak:18080/auth/realms/camunda-platform/protocol/openid-connect/token
- CAMUNDA_TASKLIST_ELASTICSEARCH_URL=http://elasticsearch:9200
- CAMUNDA_TASKLIST_ZEEBEELASTICSEARCH_URL=http://elasticsearch:9200
# For more information regarding configuration with Identity see:
# https://docs.camunda.io/docs/self-managed/tasklist-deployment/authentication/#identity
- SPRING_PROFILES_ACTIVE=identity-auth
- CAMUNDA_TASKLIST_IDENTITY_BASEURL=http://identity:8084
- CAMUNDA_TASKLIST_IDENTITY_ISSUER_URL=https://${HOST}/auth/realms/camunda-platform
- CAMUNDA_TASKLIST_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:18080/auth/realms/camunda-platform
- CAMUNDA_TASKLIST_IDENTITY_CLIENTID=tasklist
- CAMUNDA_TASKLIST_IDENTITY_CLIENTSECRET=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
- CAMUNDA_TASKLIST_IDENTITY_AUDIENCE=tasklist-api
- CAMUNDA_TASKLIST_MULTITENANCY_ENABLED=${MULTI_TENANCY_ENABLED}
- SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=https://${HOST}/auth/realms/camunda-platform
- SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=https://${HOST}/auth/realms/camunda-platform/protocol/openid-connect/certs
- CAMUNDA_TASKLIST_IDENTITY_RESOURCE_PERMISSIONS_ENABLED=${RESOURCE_AUTHORIZATIONS_ENABLED}
- CAMUNDA_DATABASE_URL=http://elasticsearch:9200
- management.endpoints.web.exposure.include=health,info,metrics,prometheus,configprops
- MANAGEMENT_ENDPOINT_CONFIGPROPS_SHOW_VALUES=ALWAYS
- management.endpoint.health.probes.enabled=true
env_file:
- path: .env
required: true
healthcheck:
test: ["CMD-SHELL", "wget -O - -q 'http://localhost:8080/actuator/health/readiness'"]
interval: 30s
timeout: 1s
retries: 5
start_period: 30s
volumes:
- tasklist_tmp:/tmp
networks:
- camunda-platform
depends_on:
zeebe:
condition: service_started
elasticsearch:
condition: service_healthy
identity:
condition: service_healthy
connectors: # https://docs.camunda.io/docs/components/integration-framework/connectors/out-of-the-box-connectors/available-connectors-overview/
image: camunda/connectors-bundle:${CAMUNDA_CONNECTORS_VERSION}
container_name: connectors
environment:
# Zeebe connection
- CAMUNDA_CLIENT_MODE=self-managed
- CAMUNDA_CLIENT_ZEEBE_RESTADDRESS=http://zeebe:8080
- CAMUNDA_CLIENT_ZEEBE_GRPCADDRESS=http://zeebe:26500
- CAMUNDA_CLIENT_AUTH_ISSUER=http://keycloak:18080/auth/realms/camunda-platform/protocol/openid-connect/token
- CAMUNDA_CLIENT_AUTH_CLIENTID=${ZEEBE_CLIENT_ID}
- CAMUNDA_CLIENT_AUTH_CLIENTSECRET=${ZEEBE_CLIENT_SECRET}
- CAMUNDA_CLIENT_AUTH_CREDENTIALSCACHEPATH=/tmp/zeebe_auth_cache
- CAMUNDA_CLIENT_ZEEBE_AUDIENCE=zeebe-api
# Operate connection
- OPERATE_CLIENT_BASEURL=http://operate:8080
- OPERATE_CLIENT_AUTHURL=http://keycloak:18080/auth/realms/camunda-platform/protocol/openid-connect/token
- OPERATE_CLIENT_AUDIENCE=operate-api
- OPERATE_CLIENT_PROFILE=oidc
- OPERATE_CLIENT_CLIENTID=connectors
- OPERATE_CLIENT_CLIENTSECRET=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
# management configuration
- management.endpoints.web.exposure.include=health,info,metrics,prometheus,configprops
- MANAGEMENT_ENDPOINT_CONFIGPROPS_SHOW_VALUES=ALWAYS
- management.endpoint.health.probes.enabled=true
env_file: connector-secrets.txt
healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost:8080/actuator/health/readiness"]
interval: 30s
timeout: 1s
retries: 5
start_period: 30s
networks:
- camunda-platform
depends_on:
- zeebe
- operate
- identity
optimize: # https://docs.camunda.io/docs/self-managed/platform-deployment/docker/#optimize
image: camunda/optimize:${CAMUNDA_OPTIMIZE_VERSION}
container_name: optimize
environment: # https://docs.camunda.io/docs/self-managed/optimize-deployment/setup/installation/#available-environment-variables
- OPTIMIZE_ELASTICSEARCH_HOST=elasticsearch
- OPTIMIZE_ELASTICSEARCH_HTTP_PORT=9200
- SPRING_PROFILES_ACTIVE=ccsm
- CAMUNDA_OPTIMIZE_ZEEBE_ENABLED=true
- CAMUNDA_OPTIMIZE_ENTERPRISE=false
- CAMUNDA_OPTIMIZE_IDENTITY_ISSUER_URL=https://${HOST}/auth/realms/camunda-platform
- CAMUNDA_OPTIMIZE_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:18080/auth/realms/camunda-platform
- CAMUNDA_OPTIMIZE_IDENTITY_CLIENTID=optimize
- CAMUNDA_OPTIMIZE_IDENTITY_CLIENTSECRET=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
- CAMUNDA_OPTIMIZE_IDENTITY_AUDIENCE=optimize-api
- CAMUNDA_OPTIMIZE_IDENTITY_BASE_URL=http://identity:8084
- CAMUNDA_OPTIMIZE_MULTITENANCY_ENABLED=${MULTI_TENANCY_ENABLED}
- CAMUNDA_OPTIMIZE_SECURITY_AUTH_COOKIE_SAME_SITE_ENABLED=false
- CAMUNDA_OPTIMIZE_UI_LOGOUT_HIDDEN=true
- management.endpoints.web.exposure.include=health
- management.endpoint.health.probes.enabled=true
healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost:8090/api/readyz"]
interval: 30s
timeout: 1s
retries: 5
start_period: 30s
volumes:
- "./.optimize/environment-config.yaml:/optimize/config/environment-config.yaml"
restart: on-failure
networks:
- camunda-platform
depends_on:
- identity
- elasticsearch
identity: # https://docs.camunda.io/docs/self-managed/platform-deployment/docker/#identity
container_name: identity
image: camunda/identity:${CAMUNDA_IDENTITY_VERSION}
environment: # https://docs.camunda.io/docs/self-managed/identity/deployment/configuration-variables/
SERVER_PORT: 8084
IDENTITY_RETRY_DELAY_SECONDS: 30
IDENTITY_URL: https://${HOST}/identity
KEYCLOAK_URL: http://keycloak:18080/auth
IDENTITY_AUTH_PROVIDER_ISSUER_URL: https://${HOST}/auth/realms/camunda-platform
IDENTITY_AUTH_PROVIDER_BACKEND_URL: http://keycloak:18080/auth/realms/camunda-platform
IDENTITY_DATABASE_HOST: postgres
IDENTITY_DATABASE_PORT: 5432
IDENTITY_DATABASE_NAME: bitnami_keycloak
IDENTITY_DATABASE_USERNAME: bn_keycloak
IDENTITY_DATABASE_PASSWORD: "#3]O?4RGj)DE7Z!9SA5"
KEYCLOAK_INIT_OPERATE_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
KEYCLOAK_INIT_OPERATE_ROOT_URL: https://${HOST}/operate
KEYCLOAK_INIT_TASKLIST_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
KEYCLOAK_INIT_TASKLIST_ROOT_URL: https://${HOST}/tasklist
KEYCLOAK_INIT_OPTIMIZE_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
KEYCLOAK_INIT_OPTIMIZE_ROOT_URL: https://${HOST}/optimize
KEYCLOAK_INIT_WEBMODELER_ROOT_URL: https://${HOST}/modeler
KEYCLOAK_INIT_CONNECTORS_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
KEYCLOAK_INIT_CONNECTORS_ROOT_URL: https://${HOST}/connectors
KEYCLOAK_INIT_ZEEBE_NAME: zeebe
KEYCLOAK_USERS_0_USERNAME: "demo"
KEYCLOAK_USERS_0_PASSWORD: "demo"
KEYCLOAK_USERS_0_FIRST_NAME: "demo"
KEYCLOAK_USERS_0_EMAIL: "demo@acme.com"
KEYCLOAK_USERS_0_ROLES_0: "Identity"
KEYCLOAK_USERS_0_ROLES_1: "Optimize"
KEYCLOAK_USERS_0_ROLES_2: "Operate"
KEYCLOAK_USERS_0_ROLES_3: "Tasklist"
KEYCLOAK_USERS_0_ROLES_4: "Web Modeler"
KEYCLOAK_USERS_0_ROLES_5: "Web Modeler Admin"
KEYCLOAK_USERS_0_ROLES_6: "Zeebe"
KEYCLOAK_CLIENTS_0_NAME: zeebe
KEYCLOAK_CLIENTS_0_ID: ${ZEEBE_CLIENT_ID}
KEYCLOAK_CLIENTS_0_SECRET: ${ZEEBE_CLIENT_SECRET}
KEYCLOAK_CLIENTS_0_TYPE: M2M
KEYCLOAK_CLIENTS_0_PERMISSIONS_0_RESOURCE_SERVER_ID: zeebe-api
KEYCLOAK_CLIENTS_0_PERMISSIONS_0_DEFINITION: write:*
KEYCLOAK_CLIENTS_0_PERMISSIONS_1_RESOURCE_SERVER_ID: operate-api
KEYCLOAK_CLIENTS_0_PERMISSIONS_1_DEFINITION: write:*
KEYCLOAK_CLIENTS_0_PERMISSIONS_2_RESOURCE_SERVER_ID: tasklist-api
KEYCLOAK_CLIENTS_0_PERMISSIONS_2_DEFINITION: write:*
KEYCLOAK_CLIENTS_0_PERMISSIONS_3_RESOURCE_SERVER_ID: optimize-api
KEYCLOAK_CLIENTS_0_PERMISSIONS_3_DEFINITION: write:*
KEYCLOAK_CLIENTS_0_PERMISSIONS_4_RESOURCE_SERVER_ID: tasklist-api
KEYCLOAK_CLIENTS_0_PERMISSIONS_4_DEFINITION: read:*
KEYCLOAK_CLIENTS_0_PERMISSIONS_5_RESOURCE_SERVER_ID: operate-api
KEYCLOAK_CLIENTS_0_PERMISSIONS_5_DEFINITION: read:*
MULTITENANCY_ENABLED: ${MULTI_TENANCY_ENABLED}
RESOURCE_PERMISSIONS_ENABLED: ${RESOURCE_AUTHORIZATIONS_ENABLED}
healthcheck:
test: ["CMD", "wget", "-q", "--tries=1", "--spider", "http://localhost:8084/actuator/health"]
interval: 5s
timeout: 15s
retries: 30
start_period: 60s
restart: on-failure
volumes:
- keycloak-theme:/app/keycloak-theme
networks:
- camunda-platform
- identity-network
depends_on:
keycloak:
condition: service_healthy
postgres: # https://hub.docker.com/_/postgres
container_name: postgres
image: postgres:${POSTGRES_VERSION}
environment:
POSTGRES_DB: bitnami_keycloak
POSTGRES_USER: bn_keycloak
POSTGRES_PASSWORD: "#3]O?4RGj)DE7Z!9SA5"
restart: on-failure
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
interval: 10s
timeout: 5s
retries: 5
volumes:
- postgres:/var/lib/postgresql/data
networks:
- identity-network
keycloak: # https://hub.docker.com/r/bitnamilegacy/keycloak
container_name: keycloak
image: bitnamilegacy/keycloak:${KEYCLOAK_SERVER_VERSION}
volumes:
- keycloak-theme:/opt/bitnami/keycloak/themes/identity
environment:
KEYCLOAK_HTTP_PORT: 18080
KEYCLOAK_HTTP_RELATIVE_PATH: /auth
KEYCLOAK_DATABASE_HOST: postgres
KEYCLOAK_DATABASE_PASSWORD: "#3]O?4RGj)DE7Z!9SA5"
KEYCLOAK_ADMIN_USER: admin
KEYCLOAK_ADMIN_PASSWORD: admin
KEYCLOAK_PROXY: edge
KEYCLOAK_HOSTNAME: ${HOST}
KEYCLOAK_HOSTNAME_STRICT: false
KEYCLOAK_HOSTNAME_STRICT_HTTPS: false
KEYCLOAK_FRONTEND_URL: https://${HOST}/auth
restart: on-failure
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:18080/auth"]
interval: 30s
timeout: 15s
retries: 5
start_period: 30s
networks:
- camunda-platform
- identity-network
depends_on:
- postgres
elasticsearch: # https://hub.docker.com/_/elasticsearch
image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
container_name: elasticsearch
ports:
- "9200:9200"
- "9300:9300"
environment:
- bootstrap.memory_lock=true
- discovery.type=single-node
- xpack.security.enabled=false
# allow running with low disk space
- cluster.routing.allocation.disk.threshold_enabled=false
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
restart: always
healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost:9200/_cat/health | grep -q green"]
interval: 30s
timeout: 5s
retries: 3
volumes:
- elastic:/usr/share/elasticsearch/data
networks:
- camunda-platform
web-modeler-db:
container_name: web-modeler-db
image: postgres:${POSTGRES_VERSION}
healthcheck:
test: pg_isready -d web-modeler-db -U web-modeler-db-user
interval: 5s
timeout: 15s
retries: 30
environment:
POSTGRES_DB: web-modeler-db
POSTGRES_USER: web-modeler-db-user
POSTGRES_PASSWORD: web-modeler-db-password
networks:
- web-modeler
volumes:
- postgres-web:/var/lib/postgresql/data
mailpit:
# If you want to use your own SMTP server, you can remove this container
# and configure RESTAPI_MAIL_HOST, RESTAPI_MAIL_PORT, REST_API_MAIL_USER,
# REST_API_MAIL_PASSWORD and RESTAPI_MAIL_ENABLE_TLS in web-modeler-restapi
container_name: mailpit
image: axllent/mailpit:${MAILPIT_VERSION}
ports:
- "1025:1025"
- "8075:8025"
healthcheck:
test: /usr/bin/nc -v localhost 1025
interval: 30s
networks:
- web-modeler
web-modeler-restapi:
container_name: web-modeler-restapi
image: camunda/web-modeler-restapi:${CAMUNDA_WEB_MODELER_VERSION}
depends_on:
web-modeler-db:
condition: service_healthy
mailpit:
condition: service_started
identity:
condition: service_healthy
healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8091/health/readiness"]
interval: 5s
timeout: 15s
retries: 30
environment:
JAVA_OPTIONS: -Xmx512m
LOGGING_LEVEL_IO_CAMUNDA_MODELER: DEBUG
CAMUNDA_IDENTITY_BASEURL: http://identity:8084/
SPRING_DATASOURCE_URL: jdbc:postgresql://web-modeler-db:5432/web-modeler-db
SPRING_DATASOURCE_USERNAME: web-modeler-db-user
SPRING_DATASOURCE_PASSWORD: web-modeler-db-password
SPRING_PROFILES_INCLUDE: default-logging
RESTAPI_PUSHER_HOST: web-modeler-websockets
RESTAPI_PUSHER_PORT: "8060"
RESTAPI_PUSHER_APP_ID: web-modeler-app
RESTAPI_PUSHER_KEY: web-modeler-app-key
RESTAPI_PUSHER_SECRET: web-modeler-app-secret
RESTAPI_OAUTH2_TOKEN_ISSUER: https://${HOST}/auth/realms/camunda-platform
RESTAPI_OAUTH2_TOKEN_ISSUER_BACKEND_URL: http://keycloak:18080/auth/realms/camunda-platform
RESTAPI_SERVER_URL: https://${HOST}
RESTAPI_MAIL_HOST: mailpit
RESTAPI_MAIL_PORT: 1025
RESTAPI_MAIL_ENABLE_TLS: "false"
RESTAPI_MAIL_FROM_ADDRESS: "noreply@example.com"
CAMUNDA_MODELER_CLUSTERS_0_ID: "local-zeebe"
CAMUNDA_MODELER_CLUSTERS_0_NAME: "Local Zeebe instance"
CAMUNDA_MODELER_CLUSTERS_0_VERSION: ${CAMUNDA_ZEEBE_VERSION}
CAMUNDA_MODELER_CLUSTERS_0_URL_ZEEBE_GRPC: grpc://zeebe:26500
CAMUNDA_MODELER_CLUSTERS_0_URL_ZEEBE_REST: http://zeebe:8080
CAMUNDA_MODELER_CLUSTERS_0_URL_OPERATE: http://operate:8080
CAMUNDA_MODELER_CLUSTERS_0_URL_TASKLIST: http://tasklist:8080
# extra cluster configuration depending on the authentication mode
env_file: ./.web-modeler/cluster-config-authentication-mode-${ZEEBE_AUTHENTICATION_MODE}.env
networks:
- web-modeler
- camunda-platform
web-modeler-webapp:
container_name: web-modeler-webapp
image: camunda/web-modeler-webapp:${CAMUNDA_WEB_MODELER_VERSION}
depends_on:
web-modeler-restapi:
condition: service_healthy
healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8070/health/readiness"]
interval: 5s
timeout: 15s
retries: 30
environment:
RESTAPI_HOST: web-modeler-restapi
RESTAPI_PORT: 8091
SERVER_HTTPS_ONLY: "false"
SERVER_URL: https://${HOST}/modeler
PUSHER_APP_ID: web-modeler-app
PUSHER_KEY: web-modeler-app-key
PUSHER_SECRET: web-modeler-app-secret
PUSHER_HOST: web-modeler-websockets
PUSHER_PORT: "8060"
CLIENT_PUSHER_HOST: ${HOST}
CLIENT_PUSHER_PORT: "443"
CLIENT_PUSHER_FORCE_TLS: "true"
CLIENT_PUSHER_KEY: web-modeler-app-key
OAUTH2_CLIENT_ID: web-modeler
OAUTH2_JWKS_URL: https://${HOST}/auth/realms/camunda-platform/protocol/openid-connect/certs
OAUTH2_TOKEN_AUDIENCE: web-modeler-api
OAUTH2_TOKEN_ISSUER: https://${HOST}/auth/realms/camunda-platform
IDENTITY_BASE_URL: http://identity:8084/
PLAY_ENABLED: "true"
networks:
- web-modeler
- camunda-platform
web-modeler-websockets:
container_name: web-modeler-websockets
image: camunda/web-modeler-websockets:${CAMUNDA_WEB_MODELER_VERSION}
healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:8060/up"]
interval: 5s
timeout: 15s
retries: 30
environment:
APP_NAME: "Web Modeler Self-Managed WebSockets"
APP_DEBUG: "true"
PUSHER_APP_ID: web-modeler-app
PUSHER_APP_KEY: web-modeler-app-key
PUSHER_APP_SECRET: web-modeler-app-secret
networks:
- web-modeler
volumes:
zeebe:
elastic:
postgres:
keycloak-theme:
operate_tmp:
tasklist_tmp:
postgres-web:
caddy_data:
caddy_config:
networks:
# Note there are three bridge networks: One for Camunda Platform, one for Identity and one for Web Modeler.
# Identity and Keycloak are part of the first two as they need to be accessible by platform components.
# Web Modeler has its own network because it consists of three components that communicate with each other.
# It is also part of the canunda-platform network to communicate with the platform components like Zeebe to run
# processes or Identity to log in.
camunda-platform:
identity-network:
web-modeler:
# Caddyfile for Camunda 8.7 with proper routing
sub.domain.tld {
# Handles HTTPS automatically
# Root redirect to Web Modeler
redir / /modeler
# Web Modeler WebSockets - must come first for proper routing
handle /websockets/* {
reverse_proxy web-modeler-websockets:8060 {
header_up Upgrade {http_request_header.Upgrade}
header_up Connection {http_request_header.Connection}
header_up Host {http_host}
header_up X-Forwarded-Proto {http_request_scheme}
header_up X-Forwarded-Ssl on
}
}
# Web Modeler webapp
handle_path /modeler/* {
reverse_proxy web-modeler-webapp:8070 {
header_up Host {http_host}
header_up X-Forwarded-Proto {http_request_scheme}
header_up X-Forwarded-Ssl on
header_up X-Forwarded-For {http_request_header.X-Forwarded-For}
}
}
# Web Modeler REST API
handle_path /modeler-api/* {
reverse_proxy web-modeler-restapi:8091 {
header_up Host {http_host}
header_up X-Forwarded-Proto {http_request_scheme}
header_up X-Forwarded-Ssl on
}
}
# Keycloak - must come before /auth/* patterns
handle_path /auth/* {
reverse_proxy keycloak:18080 {
header_up Host {http_host}
header_up X-Forwarded-Proto {http_request_scheme}
header_up X-Forwarded-Ssl on
header_up X-Forwarded-Port 443
}
}
# Identity service
handle_path /identity/* {
reverse_proxy identity:8084 {
header_up Host {http_host}
header_up X-Forwarded-Proto {http_request_scheme}
header_up X-Forwarded-Ssl on
}
}
# Operate
handle_path /operate/* {
reverse_proxy operate:8080 {
header_up Host {http_host}
header_up X-Forwarded-Proto {http_request_scheme}
header_up X-Forwarded-Ssl on
}
}
# Tasklist
handle_path /tasklist/* {
reverse_proxy tasklist:8080 {
header_up Host {http_host}
header_up X-Forwarded-Proto {http_request_scheme}
header_up X-Forwarded-Ssl on
}
}
# Optimize
handle_path /optimize/* {
reverse_proxy optimize:8090 {
header_up Host {http_host}
header_up X-Forwarded-Proto {http_request_scheme}
header_up X-Forwarded-Ssl on
}
}
# Connectors
handle_path /connectors/* {
reverse_proxy connectors:8080 {
header_up Host {http_host}
header_up X-Forwarded-Proto {http_request_scheme}
header_up X-Forwarded-Ssl on
}
}
# Zeebe Gateway (if needed for external access)
handle_path /zeebe-api/* {
reverse_proxy zeebe:8080 {
header_up Host {http_host}
header_up X-Forwarded-Proto {http_request_scheme}
header_up X-Forwarded-Ssl on
}
}
}
# Redirect HTTP to HTTPS
http://sub.domain.tld {
redir https://{host}{uri}
}