system/nginx/02/keycloak.conf
Georg aea3a1cc60
Initial nginx run 02/05
Signed-off-by: Georg <georg@lysergic.dev>
2021-08-30 20:51:39 +02:00

220 lines
7.2 KiB
Plaintext

#########################################
## SECTION 1 ##
## DEVELOPMENT / STAGING CONFIGURATION ##
#########################################
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name auth.syscid.com sso.syscid.com;
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
# location /auth {
# return 302 https://auth.syscid.com/auth/realms/master/account/;
# }
# location /auth/realms/master/account/ {
# proxy_pass https://10.0.0.10;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
# proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header X-Forwarded-Proto $scheme;
# }
location / {
proxy_pass https://10.0.0.10;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 127.0.0.1:443 ssl http2;
server_name keycloak-internal.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
return 302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/;
location / {
proxy_pass https://10.0.0.10;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
#########################################
## SECTION 2 ##
## Everything below here is PRODUCTION ##
#########################################
##
## WildFly Management UI access through Teleport
##
server {
listen 127.0.0.1:443 ssl http2;
server_name wildfly-keycloak-prod-orpheus.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://127.0.0.5:9990;
## This bit does not look production worthy, I think we can remove the commented out lines, but am not sure yet. should check whether the correct IP address is passed through to WildFly on failed authentication attempts.
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
# proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header Authorization $http_authorization;
# proxy_pass_header Authorization;
proxy_set_header Host $host:10090;
proxy_set_header Origin http://$host:10090;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
}
}
##
## Used for testing of the AdminUrl backend to rule out issues by the Teleport proxy
##
#server {
# listen 127.0.0.1:443 ssl http2;
# listen 192.168.0.115:443 ssl http2;
#
# server_name intra.sso.casa;
# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
#
# location / {
# proxy_pass https://192.168.0.115:8843/;
# proxy_ssl_verify off;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# #proxy_set_header X-Forwarded-Host $host;
# #proxy_set_header X-Forwarded-Server $host;
# #proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header X-Forwarded-Proto https;
# }
# proxy_buffer_size 128k;
# proxy_buffers 4 256k;
# proxy_busy_buffers_size 256k;
#}
##
## Standalone Keycloak Frontend on Orpheus
##
#server {
# listen 202.61.255.116:443 ssl http2;
# listen [2a03:4000:55:d20::]:443 ssl http2;
#
# server_name sso.casa;
#
# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
#
# location / {
# proxy_pass https://192.168.0.115:8843/;
# proxy_ssl_verify off;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# #proxy_set_header X-Forwarded-Host $host;
# #proxy_set_header X-Forwarded-Server $host;
# #proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header X-Forwarded-Proto https;
# }
# proxy_buffer_size 128k;
# proxy_buffers 4 256k;
# proxy_busy_buffers_size 256k;
#
## location ~ /auth/admin {
## deny all;
## return 403;
## }
#
#}
##
## Keycloak Frontend Load Balancer
##
proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
upstream jboss {
ip_hash;
server 192.168.0.110:8843;
server 192.168.0.115:8843;
server 192.168.0.120:8843;
# only available in NGINX Plus - very sad!!
# sticky learn
# create=$upstream_cookie_AUTH_SESSION_ID
# lookup=$cookie_AUTH_SESSION_ID
# zone=client_sessions:1m;
}
# same ordeal
#match jboss_check {
# status 200;
# header Content-Type = text/html;
# body ~ "WildFly is running";
#}
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
listen 127.0.0.1:443 ssl http2;
server_name sso.casa;
ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
#location = / {
# return 302 /auth/;
#}
location / {
proxy_pass https://jboss;
proxy_cache backcache;
proxy_ssl_verify off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# yup, nginx plus
#health_check match=jboss_check;
}
proxy_buffer_size 256k;
proxy_buffers 4 512k;
proxy_busy_buffers_size 512k;
}