system/nginx/02/keycloak.conf

#########################################
## SECTION 1                           ##
## DEVELOPMENT / STAGING CONFIGURATION ##
#########################################

server {
	listen                  202.61.255.116:443 ssl http2;
	listen                  [2a03:4000:55:d20::]:443 ssl http2;

	server_name		auth.syscid.com sso.syscid.com;

	ssl_certificate 	/etc/ssl/syscid/orpheus.psyched.dev.crt;
	ssl_certificate_key	/etc/ssl/syscid/orpheus.psyched.dev.key;

#	location		/auth {
#		return		302 https://auth.syscid.com/auth/realms/master/account/;
#	}
#	location		/auth/realms/master/account/ {
#		proxy_pass	    https://10.0.0.10;
#		proxy_set_header    Host                $host;
#	        proxy_set_header    X-Real-IP           $remote_addr;
#	        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
#	        proxy_set_header    X-Forwarded-Host    $host;
#	        proxy_set_header    X-Forwarded-Server  $host;
#	        proxy_set_header    X-Forwarded-Port    $server_port;
#	        proxy_set_header    X-Forwarded-Proto   $scheme;
#	}
	location		/ {
		proxy_pass	    https://10.0.0.10;
		proxy_set_header    Host                $host;
	        proxy_set_header    X-Real-IP           $remote_addr;
	        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
	        proxy_set_header    X-Forwarded-Host    $host;
	        proxy_set_header    X-Forwarded-Server  $host;
	        proxy_set_header    X-Forwarded-Port    $server_port;
	        proxy_set_header    X-Forwarded-Proto   $scheme;
	}

}
server {
	listen                  127.0.0.1:443 ssl http2;

	server_name		keycloak-internal.two.secure.squirrelcube.xyz;

	ssl_certificate 	/etc/ssl/syscid/orpheus.psyched.dev.crt;
	ssl_certificate_key	/etc/ssl/syscid/orpheus.psyched.dev.key;

	return			302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/;

	location		/ {
		proxy_pass	    https://10.0.0.10;
		proxy_set_header    Host                $host;
	        proxy_set_header    X-Real-IP           $remote_addr;
	        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
	        proxy_set_header    X-Forwarded-Host    $host;
	        proxy_set_header    X-Forwarded-Server  $host;
	        proxy_set_header    X-Forwarded-Port    $server_port;
	        proxy_set_header    X-Forwarded-Proto   $scheme;
	}
}

#########################################
## SECTION 2                           ##
## Everything below here is PRODUCTION ##
#########################################

##
## WildFly Management UI access through Teleport
##
server {
	listen			127.0.0.1:443 ssl http2;
	server_name		wildfly-keycloak-prod-orpheus.two.secure.squirrelcube.xyz;
	ssl_certificate		/etc/ssl/tp/fullchain.pem;
	ssl_certificate_key	/etc/ssl/tp/private/privkey.pem;
	location		/ {
		proxy_pass	http://127.0.0.5:9990;

## This bit does not look production worthy, I think we can remove the commented out lines, but am not sure yet. should check whether the correct IP address is passed through to WildFly on failed authentication attempts.

#		proxy_set_header    Host                $host;
#	        proxy_set_header    X-Real-IP           $remote_addr;
#	        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
#	        proxy_set_header    X-Forwarded-Host    $host;
#	        proxy_set_header    X-Forwarded-Server  $host;
#	        proxy_set_header    X-Forwarded-Port    $server_port;
#	        proxy_set_header    X-Forwarded-Proto   $scheme;
#		proxy_set_header    Authorization       $http_authorization;
#		proxy_pass_header   Authorization;
    proxy_set_header Host $host:10090;
    proxy_set_header Origin http://$host:10090;

    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass_request_headers on;
	}
}

##
## Used for testing of the AdminUrl backend to rule out issues by the Teleport proxy
##
#server {
#	listen                  127.0.0.1:443 ssl http2;
#	listen			192.168.0.115:443 ssl http2;
#
#	server_name		intra.sso.casa;
#	ssl_certificate		/etc/ssl/libertacasa.net/fullchain.pem;
#	ssl_certificate_key	/etc/ssl/libertacasa.net/private/privkey.pem;
#
#	location		/ {
#		proxy_pass	    https://192.168.0.115:8843/;
#		proxy_ssl_verify    off;
#		proxy_set_header    Host                $host;
#	        proxy_set_header    X-Real-IP           $remote_addr;
#	        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
#	        #proxy_set_header    X-Forwarded-Host    $host;
#	        #proxy_set_header    X-Forwarded-Server  $host;
#	        #proxy_set_header    X-Forwarded-Port    $server_port;
#	        proxy_set_header    X-Forwarded-Proto   https;
#	}
#	  proxy_buffer_size   128k;
#	    proxy_buffers   4 256k;
#	      proxy_busy_buffers_size   256k;
#}

##
## Standalone Keycloak Frontend on Orpheus
##

#server {
#	listen                  202.61.255.116:443 ssl http2;
#	listen                  [2a03:4000:55:d20::]:443 ssl http2;
#
#	server_name		sso.casa;
#
#	ssl_certificate		/etc/ssl/libertacasa.net/fullchain.pem;
#	ssl_certificate_key	/etc/ssl/libertacasa.net/private/privkey.pem;
#
#	location		/ {
#		proxy_pass	    https://192.168.0.115:8843/;
#		proxy_ssl_verify    off;
#		proxy_set_header    Host                $host;
#	        proxy_set_header    X-Real-IP           $remote_addr;
#	        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
#	        #proxy_set_header    X-Forwarded-Host    $host;
#	        #proxy_set_header    X-Forwarded-Server  $host;
#	        #proxy_set_header    X-Forwarded-Port    $server_port;
#	        proxy_set_header    X-Forwarded-Proto   https;
#	}
#	  proxy_buffer_size   128k;
#	    proxy_buffers   4 256k;
#	      proxy_busy_buffers_size   256k;
#
##	location		~ /auth/admin {
##		deny		all;
##		return		403;
##	}
#
#}

##
## Keycloak Frontend Load Balancer
##
proxy_cache_path	/tmp/NGINX_cache/ keys_zone=backcache:10m;

upstream jboss {
		ip_hash;
		server 192.168.0.110:8843;
		server 192.168.0.115:8843;
		server 192.168.0.120:8843;

	# only available in NGINX Plus - very sad!!
	#	sticky learn
	#		create=$upstream_cookie_AUTH_SESSION_ID
	#		lookup=$cookie_AUTH_SESSION_ID
	#		zone=client_sessions:1m;
}

# same ordeal
#match	jboss_check {
#		status 200;
#		header Content-Type = text/html;
#		body ~ "WildFly is running";
#}

server	{
		listen                  202.61.255.116:443 ssl http2;
		listen                  [2a03:4000:55:d20::]:443 ssl http2;
		listen			127.0.0.1:443 ssl http2;
		server_name		sso.casa;

		ssl_certificate		/etc/ssl/libertacasa.net/fullchain.pem;
		ssl_certificate_key	/etc/ssl/libertacasa.net/private/privkey.pem;
		ssl_session_cache		shared:SSL:1m;
		ssl_prefer_server_ciphers	on;

		#location		= / {
		#			return 302 /auth/;
		#}

		location		/ {
			proxy_pass	https://jboss;
			proxy_cache	backcache;
			proxy_ssl_verify    off;
			proxy_set_header    Host                $host;
		        proxy_set_header    X-Real-IP           $remote_addr;
		        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
		        proxy_set_header    X-Forwarded-Proto   https;

			# yup, nginx plus
			#health_check	match=jboss_check;
		}
		proxy_buffer_size   	256k;
		proxy_buffers   	4 512k;
		proxy_busy_buffers_size 512k;

}
Initial nginx run 02/05 Signed-off-by: Georg <georg@lysergic.dev> 2021-08-30 20:51:39 +02:00			`#########################################`
			`## SECTION 1 ##`
			`## DEVELOPMENT / STAGING CONFIGURATION ##`
			`#########################################`

			`server {`
			`listen 202.61.255.116:443 ssl http2;`
			`listen [2a03:4000:55:d20::]:443 ssl http2;`

			`server_name auth.syscid.com sso.syscid.com;`

			`ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;`
			`ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;`

			`# location /auth {`
			`# return 302 https://auth.syscid.com/auth/realms/master/account/;`
			`# }`
			`# location /auth/realms/master/account/ {`
			`# proxy_pass https://10.0.0.10;`
			`# proxy_set_header Host $host;`
			`# proxy_set_header X-Real-IP $remote_addr;`
			`# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`# proxy_set_header X-Forwarded-Host $host;`
			`# proxy_set_header X-Forwarded-Server $host;`
			`# proxy_set_header X-Forwarded-Port $server_port;`
			`# proxy_set_header X-Forwarded-Proto $scheme;`
			`# }`
			`location / {`
			`proxy_pass https://10.0.0.10;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Host $host;`
			`proxy_set_header X-Forwarded-Server $host;`
			`proxy_set_header X-Forwarded-Port $server_port;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`}`

			`}`
			`server {`
			`listen 127.0.0.1:443 ssl http2;`

			`server_name keycloak-internal.two.secure.squirrelcube.xyz;`

			`ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;`
			`ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;`

			`return 302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/;`

			`location / {`
			`proxy_pass https://10.0.0.10;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Host $host;`
			`proxy_set_header X-Forwarded-Server $host;`
			`proxy_set_header X-Forwarded-Port $server_port;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`}`
			`}`

			`#########################################`
			`## SECTION 2 ##`
			`## Everything below here is PRODUCTION ##`
			`#########################################`

			`##`
			`## WildFly Management UI access through Teleport`
			`##`
			`server {`
			`listen 127.0.0.1:443 ssl http2;`
			`server_name wildfly-keycloak-prod-orpheus.two.secure.squirrelcube.xyz;`
			`ssl_certificate /etc/ssl/tp/fullchain.pem;`
			`ssl_certificate_key /etc/ssl/tp/private/privkey.pem;`
			`location / {`
			`proxy_pass http://127.0.0.5:9990;`

			`## This bit does not look production worthy, I think we can remove the commented out lines, but am not sure yet. should check whether the correct IP address is passed through to WildFly on failed authentication attempts.`

			`# proxy_set_header Host $host;`
			`# proxy_set_header X-Real-IP $remote_addr;`
			`# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`# proxy_set_header X-Forwarded-Host $host;`
			`# proxy_set_header X-Forwarded-Server $host;`
			`# proxy_set_header X-Forwarded-Port $server_port;`
			`# proxy_set_header X-Forwarded-Proto $scheme;`
			`# proxy_set_header Authorization $http_authorization;`
			`# proxy_pass_header Authorization;`
			`proxy_set_header Host $host:10090;`
			`proxy_set_header Origin http://$host:10090;`

			`proxy_redirect off;`
			`proxy_http_version 1.1;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_pass_request_headers on;`
			`}`
			`}`

			`##`
			`## Used for testing of the AdminUrl backend to rule out issues by the Teleport proxy`
			`##`
			`#server {`
			`# listen 127.0.0.1:443 ssl http2;`
			`# listen 192.168.0.115:443 ssl http2;`
			`#`
			`# server_name intra.sso.casa;`
			`# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;`
			`# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;`
			`#`
			`# location / {`
			`# proxy_pass https://192.168.0.115:8843/;`
			`# proxy_ssl_verify off;`
			`# proxy_set_header Host $host;`
			`# proxy_set_header X-Real-IP $remote_addr;`
			`# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`# #proxy_set_header X-Forwarded-Host $host;`
			`# #proxy_set_header X-Forwarded-Server $host;`
			`# #proxy_set_header X-Forwarded-Port $server_port;`
			`# proxy_set_header X-Forwarded-Proto https;`
			`# }`
			`# proxy_buffer_size 128k;`
			`# proxy_buffers 4 256k;`
			`# proxy_busy_buffers_size 256k;`
			`#}`

			`##`
			`## Standalone Keycloak Frontend on Orpheus`
			`##`

			`#server {`
			`# listen 202.61.255.116:443 ssl http2;`
			`# listen [2a03:4000:55:d20::]:443 ssl http2;`
			`#`
			`# server_name sso.casa;`
			`#`
			`# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;`
			`# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;`
			`#`
			`# location / {`
			`# proxy_pass https://192.168.0.115:8843/;`
			`# proxy_ssl_verify off;`
			`# proxy_set_header Host $host;`
			`# proxy_set_header X-Real-IP $remote_addr;`
			`# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`# #proxy_set_header X-Forwarded-Host $host;`
			`# #proxy_set_header X-Forwarded-Server $host;`
			`# #proxy_set_header X-Forwarded-Port $server_port;`
			`# proxy_set_header X-Forwarded-Proto https;`
			`# }`
			`# proxy_buffer_size 128k;`
			`# proxy_buffers 4 256k;`
			`# proxy_busy_buffers_size 256k;`
			`#`
			`## location ~ /auth/admin {`
			`## deny all;`
			`## return 403;`
			`## }`
			`#`
			`#}`

			`##`
			`## Keycloak Frontend Load Balancer`
			`##`
			`proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;`

			`upstream jboss {`
			`ip_hash;`
			`server 192.168.0.110:8843;`
			`server 192.168.0.115:8843;`
			`server 192.168.0.120:8843;`

			`# only available in NGINX Plus - very sad!!`
			`# sticky learn`
			`# create=$upstream_cookie_AUTH_SESSION_ID`
			`# lookup=$cookie_AUTH_SESSION_ID`
			`# zone=client_sessions:1m;`
			`}`

			`# same ordeal`
			`#match jboss_check {`
			`# status 200;`
			`# header Content-Type = text/html;`
			`# body ~ "WildFly is running";`
			`#}`

			`server {`
			`listen 202.61.255.116:443 ssl http2;`
			`listen [2a03:4000:55:d20::]:443 ssl http2;`
			`listen 127.0.0.1:443 ssl http2;`
			`server_name sso.casa;`

			`ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;`
			`ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;`
			`ssl_session_cache shared:SSL:1m;`
			`ssl_prefer_server_ciphers on;`

			`#location = / {`
			`# return 302 /auth/;`
			`#}`

			`location / {`
			`proxy_pass https://jboss;`
			`proxy_cache backcache;`
			`proxy_ssl_verify off;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto https;`

			`# yup, nginx plus`
			`#health_check match=jboss_check;`
			`}`
			`proxy_buffer_size 256k;`
			`proxy_buffers 4 512k;`
			`proxy_busy_buffers_size 512k;`

			`}`