system/nginx/02/keycloak.conf

#########################################
## SECTION 1                           ##
## DEVELOPMENT / STAGING CONFIGURATION ##
#########################################

server {
	listen                  202.61.255.116:443 ssl http2;
	listen                  [2a03:4000:55:d20::]:443 ssl http2;

	server_name		auth.syscid.com sso.syscid.com;

	ssl_certificate 	/etc/ssl/syscid/orpheus.psyched.dev.crt;
	ssl_certificate_key	/etc/ssl/syscid/orpheus.psyched.dev.key;

#	location		/auth {
#		return		302 https://auth.syscid.com/auth/realms/master/account/;
#	}
#	location		/auth/realms/master/account/ {
#		proxy_pass	    https://10.0.0.10;
#		proxy_set_header    Host                $host;
#	        proxy_set_header    X-Real-IP           $remote_addr;
#	        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
#	        proxy_set_header    X-Forwarded-Host    $host;
#	        proxy_set_header    X-Forwarded-Server  $host;
#	        proxy_set_header    X-Forwarded-Port    $server_port;
#	        proxy_set_header    X-Forwarded-Proto   $scheme;
#	}
	location		/ {
		proxy_pass	    https://10.0.0.10;
		proxy_set_header    Host                $host;
	        proxy_set_header    X-Real-IP           $remote_addr;
	        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
	        proxy_set_header    X-Forwarded-Host    $host;
	        proxy_set_header    X-Forwarded-Server  $host;
	        proxy_set_header    X-Forwarded-Port    $server_port;
	        proxy_set_header    X-Forwarded-Proto   $scheme;
	}

}
server {
	listen                  127.0.0.1:443 ssl http2;

	server_name		keycloak-internal.two.secure.squirrelcube.xyz;

	ssl_certificate 	/etc/ssl/syscid/orpheus.psyched.dev.crt;
	ssl_certificate_key	/etc/ssl/syscid/orpheus.psyched.dev.key;

	return			302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/;

	location		/ {
		proxy_pass	    https://10.0.0.10;
		proxy_set_header    Host                $host;
	        proxy_set_header    X-Real-IP           $remote_addr;
	        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
	        proxy_set_header    X-Forwarded-Host    $host;
	        proxy_set_header    X-Forwarded-Server  $host;
	        proxy_set_header    X-Forwarded-Port    $server_port;
	        proxy_set_header    X-Forwarded-Proto   $scheme;
	}
}

#########################################
## SECTION 2                           ##
## Everything below here is PRODUCTION ##
#########################################

##
## WildFly Management UI access through Teleport
##
server {
	listen			127.0.0.1:443 ssl http2;
	server_name		wildfly-keycloak-prod-orpheus.two.secure.squirrelcube.xyz;
	ssl_certificate		/etc/ssl/tp/fullchain.pem;
	ssl_certificate_key	/etc/ssl/tp/private/privkey.pem;
	location		/ {
		proxy_pass	http://127.0.0.5:9990;

## This bit does not look production worthy, I think we can remove the commented out lines, but am not sure yet. should check whether the correct IP address is passed through to WildFly on failed authentication attempts.

#		proxy_set_header    Host                $host;
#	        proxy_set_header    X-Real-IP           $remote_addr;
#	        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
#	        proxy_set_header    X-Forwarded-Host    $host;
#	        proxy_set_header    X-Forwarded-Server  $host;
#	        proxy_set_header    X-Forwarded-Port    $server_port;
#	        proxy_set_header    X-Forwarded-Proto   $scheme;
#		proxy_set_header    Authorization       $http_authorization;
#		proxy_pass_header   Authorization;
    proxy_set_header Host $host:10090;
    proxy_set_header Origin http://$host:10090;

    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass_request_headers on;
	}
}

##
## Used for testing of the AdminUrl backend to rule out issues by the Teleport proxy
##
#server {
#	listen                  127.0.0.1:443 ssl http2;
#	listen			192.168.0.115:443 ssl http2;
#
#	server_name		intra.sso.casa;
#	ssl_certificate		/etc/ssl/libertacasa.net/fullchain.pem;
#	ssl_certificate_key	/etc/ssl/libertacasa.net/private/privkey.pem;
#
#	location		/ {
#		proxy_pass	    https://192.168.0.115:8843/;
#		proxy_ssl_verify    off;
#		proxy_set_header    Host                $host;
#	        proxy_set_header    X-Real-IP           $remote_addr;
#	        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
#	        #proxy_set_header    X-Forwarded-Host    $host;
#	        #proxy_set_header    X-Forwarded-Server  $host;
#	        #proxy_set_header    X-Forwarded-Port    $server_port;
#	        proxy_set_header    X-Forwarded-Proto   https;
#	}
#	  proxy_buffer_size   128k;
#	    proxy_buffers   4 256k;
#	      proxy_busy_buffers_size   256k;
#}

##
## Standalone Keycloak Frontend on Orpheus
##

#server {
#	listen                  202.61.255.116:443 ssl http2;
#	listen                  [2a03:4000:55:d20::]:443 ssl http2;
#
#	server_name		sso.casa;
#
#	ssl_certificate		/etc/ssl/libertacasa.net/fullchain.pem;
#	ssl_certificate_key	/etc/ssl/libertacasa.net/private/privkey.pem;
#
#	location		/ {
#		proxy_pass	    https://192.168.0.115:8843/;
#		proxy_ssl_verify    off;
#		proxy_set_header    Host                $host;
#	        proxy_set_header    X-Real-IP           $remote_addr;
#	        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
#	        #proxy_set_header    X-Forwarded-Host    $host;
#	        #proxy_set_header    X-Forwarded-Server  $host;
#	        #proxy_set_header    X-Forwarded-Port    $server_port;
#	        proxy_set_header    X-Forwarded-Proto   https;
#	}
#	  proxy_buffer_size   128k;
#	    proxy_buffers   4 256k;
#	      proxy_busy_buffers_size   256k;
#
##	location		~ /auth/admin {
##		deny		all;
##		return		403;
##	}
#
#}

##
## Keycloak Frontend Load Balancer
##
proxy_cache_path	/tmp/NGINX_cache/ keys_zone=backcache:10m;

upstream jboss {
		ip_hash;
		server 192.168.0.110:8843;
		server 192.168.0.115:8843;
		server 192.168.0.120:8843;

	# only available in NGINX Plus - very sad!!
	#	sticky learn
	#		create=$upstream_cookie_AUTH_SESSION_ID
	#		lookup=$cookie_AUTH_SESSION_ID
	#		zone=client_sessions:1m;
}

# same ordeal
#match	jboss_check {
#		status 200;
#		header Content-Type = text/html;
#		body ~ "WildFly is running";
#}

server	{
		listen                  202.61.255.116:443 ssl http2;
		listen                  [2a03:4000:55:d20::]:443 ssl http2;
		listen			127.0.0.1:443 ssl http2;
		server_name		sso.casa;

		ssl_certificate		/etc/ssl/libertacasa.net/fullchain.pem;
		ssl_certificate_key	/etc/ssl/libertacasa.net/private/privkey.pem;
		ssl_session_cache		shared:SSL:1m;
		ssl_prefer_server_ciphers	on;

		#location		= / {
		#			return 302 /auth/;
		#}

		location		/ {
			proxy_pass	https://jboss;
			proxy_cache	backcache;
			proxy_ssl_verify    off;
			proxy_set_header    Host                $host;
		        proxy_set_header    X-Real-IP           $remote_addr;
		        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
		        proxy_set_header    X-Forwarded-Proto   https;

			# yup, nginx plus
			#health_check	match=jboss_check;
		}
		proxy_buffer_size   	256k;
		proxy_buffers   	4 512k;
		proxy_busy_buffers_size 512k;

}