Changes

Roland Alton · bd6450cc
--- a/NGINXproxy.md
+++ b/NGINXproxy.md
@@ -4,24 +4,105 @@
 ## keycloak reverse proxy

 # Upstream reverse proxy port
-upstream keycloak {
-    server heu16:8080;
+upstream keycloak1 {
+    server heu20:8090;
 }

-# HTTPS Server
+# was old keycloak:
+# upstream keycloak2 {
+#    server heu16:8081;
+# }
+
+# geoip 
+
+geoip_country /usr/share/GeoIP/GeoIP.dat;
+map $geoip_country_code $allowed_country {
+    default no;
+# Europe
+# comment out for testing
+    AD yes;
+    AL yes;
+#    AT yes;
+    AX yes;
+    BA yes;
+    BE yes;
+    BG yes;
+    BY yes;
+    CH yes;
+    CY yes;
+    CZ yes;
+    DE yes;
+    DK yes;
+    EE yes;
+    ES yes;
+    FI yes;
+    FO yes;
+    FR yes;
+    GB yes;
+    GG yes;
+    GI yes;
+    GR yes;
+    HR yes;
+    HU yes;
+    IE yes;
+    IM yes;
+    IS yes;
+    IT yes;
+    JE yes;
+    LI yes;
+    LT yes;
+    LU yes;
+    LV yes;
+    MC yes;
+    MD yes;
+    ME yes;
+    MK yes;
+    MT yes;
+    NL yes;
+    NO yes;
+    PL yes;
+    PT yes;
+    RO yes;
+    RS yes;
+#   RU yes;
+    SE yes;
+    SI yes;
+    SJ yes;
+    SK yes;
+    SM yes;
+    UA yes;
+    VA yes;
+    XK yes;
+# additional non-Europe exceptions
+    US yes;
+    UK yes;
+    HK yes;
+}
+
+# HTTPS Server keycloak1
 server {
-    listen 4438;
+    listen 4438 ssl;
    server_name id.fairkom.net;

    error_log /var/log/nginx/keycloak.access.log;

-    ssl on;
-    ssl_certificate /etc/letsencrypt/live/chat.fairkom.net-0001/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/chat.fairkom.net-0001/privkey.pem;
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
+#    ssl on;
+    ssl_certificate /etc/letsencrypt/live/id.fairkom.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/id.fairkom.net/privkey.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    location /bantest {
+#    location /auth/realms/fairlogin/login-actions/registration {
+       if ($allowed_country = no) {
+          return 302 https://git.fairkom.net/fairlogin/fairkom/-/wikis/FAQ-EN#registrations-from-outside-europe;
+       }
+    }

    location / {
-        proxy_pass http://keycloak;
+        proxy_pass http://keycloak1;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
@@ -31,9 +112,10 @@ server {
        proxy_set_header X-Forwarded-Proto $scheme;
 #       proxy_set_header X-Nginx-Proxy true;

-#        proxy_redirect off;
+        proxy_redirect off;
    }
 }
+
 ```