From 9d0697f0d009d9b915e8366326657f093484f3ab Mon Sep 17 00:00:00 2001
From: julian
Date: Fri, 5 May 2023 00:00:48 +0200
Subject: [PATCH] Use PROXY Protocol for Keycloak
---
 .../configs/keycloak/nginx/id.ccchh.net.conf | 22 +++++++++----------
 .../public-reverse-proxy/nginx/nginx.conf | 1 +
 2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf b/playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf
index b87ff52..5c4d6d2 100644
--- a/playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf
+++ b/playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf
@@ -2,18 +2,16 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
- # # Listen on a custom port for the proxy protocol.
- # listen 8443 ssl http2 proxy_protocol;
- # # Make use of the ngx_http_realip_module to set the $remote_addr and
- # # $remote_port to the client address and client port, when using proxy
- # # protocol.
- # # First set our proxy protocol proxy as trusted.
- # set_real_ip_from 10.31.206.11;
- # # Then tell the realip_module to get the addreses from the proxy protocol
- # # header.
- # real_ip_header proxy_protocol;
- # Temporarily internal-only.
- listen 443 ssl http2;
+ # Listen on a custom port for the proxy protocol.
+ listen 8443 ssl http2 proxy_protocol;
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 10.31.206.11;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
 server_name id.ccchh.net;
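Review bot: The `proxy_protocol` flag on `listen 8443` makes nginx parse a PROXY header from any peer that can reach the port, and `set_real_ip_from 10.31.206.11;` only limits which peer may rewrite `$remote_addr`; `$proxy_protocol_addr` stays sender-controlled for every other peer. The rest of the server block lies outside this hunk, so it is not visible which variable feeds the forwarded-for headers passed to Keycloak; it should be `$remote_addr`, and port 8443 should accept connections only from 10.31.206.11 at the firewall. Removing `listen 443 ssl http2;` also drops the direct listener, so internal clients presumably now have to go through the public reverse proxy as well. I would add above the listen line: `# Must only be reachable from the reverse proxy (10.31.206.11); firewall 8443 accordingly.`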
diff --git a/playbooks/files/configs/public-reverse-proxy/nginx/nginx.conf b/playbooks/files/configs/public-reverse-proxy/nginx/nginx.conf
index 82b3dec..70336c6 100644
--- a/playbooks/files/configs/public-reverse-proxy/nginx/nginx.conf
+++ b/playbooks/files/configs/public-reverse-proxy/nginx/nginx.conf
@@ -17,6 +17,7 @@ events {
 stream {
 map $ssl_preread_server_name $address {
 wiki.ccchh.net 10.31.206.13:8443;
+ id.ccchh.net 10.31.206.12:8443;
 default 127.0.0.1:8443;
 }
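Review bot: The new `id.ccchh.net` map entry makes the Keycloak vhost reachable through the public proxy, while the comment removed from id.ccchh.net.conf in this commit described it as "Temporarily internal-only", so the exposure should be a deliberate decision. Keycloak's reverse-proxy guide (linked at the top of id.ccchh.net.conf) recommends not exposing `/admin/` and similar paths publicly; the location blocks are outside this diff, so please confirm they restrict those paths. The `stream` server that consumes `$address` is also outside the hunk; it presumably already sets `proxy_protocol on;` for the wiki backend, which this backend now requires as well. A short comment on the new line such as `# Keycloak (backend expects PROXY protocol on 8443)` would document the coupling.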