... | ... | @@ -4,24 +4,105 @@ |
|
|
## keycloak reverse proxy
|
|
|
|
|
|
# Upstream reverse proxy port
|
|
|
upstream keycloak {
|
|
|
server heu16:8080;
|
|
|
upstream keycloak1 {
|
|
|
server heu20:8090;
|
|
|
}
|
|
|
|
|
|
# HTTPS Server
|
|
|
# was old keycloak:
|
|
|
# upstream keycloak2 {
|
|
|
# server heu16:8081;
|
|
|
# }
|
|
|
|
|
|
# geoip
|
|
|
|
|
|
geoip_country /usr/share/GeoIP/GeoIP.dat;
|
|
|
map $geoip_country_code $allowed_country {
|
|
|
default no;
|
|
|
# Europe
|
|
|
# comment out for testing
|
|
|
AD yes;
|
|
|
AL yes;
|
|
|
# AT yes;
|
|
|
AX yes;
|
|
|
BA yes;
|
|
|
BE yes;
|
|
|
BG yes;
|
|
|
BY yes;
|
|
|
CH yes;
|
|
|
CY yes;
|
|
|
CZ yes;
|
|
|
DE yes;
|
|
|
DK yes;
|
|
|
EE yes;
|
|
|
ES yes;
|
|
|
FI yes;
|
|
|
FO yes;
|
|
|
FR yes;
|
|
|
GB yes;
|
|
|
GG yes;
|
|
|
GI yes;
|
|
|
GR yes;
|
|
|
HR yes;
|
|
|
HU yes;
|
|
|
IE yes;
|
|
|
IM yes;
|
|
|
IS yes;
|
|
|
IT yes;
|
|
|
JE yes;
|
|
|
LI yes;
|
|
|
LT yes;
|
|
|
LU yes;
|
|
|
LV yes;
|
|
|
MC yes;
|
|
|
MD yes;
|
|
|
ME yes;
|
|
|
MK yes;
|
|
|
MT yes;
|
|
|
NL yes;
|
|
|
NO yes;
|
|
|
PL yes;
|
|
|
PT yes;
|
|
|
RO yes;
|
|
|
RS yes;
|
|
|
# RU yes;
|
|
|
SE yes;
|
|
|
SI yes;
|
|
|
SJ yes;
|
|
|
SK yes;
|
|
|
SM yes;
|
|
|
UA yes;
|
|
|
VA yes;
|
|
|
XK yes;
|
|
|
# additional non-Europe exceptions
|
|
|
US yes;
|
|
|
UK yes;
|
|
|
HK yes;
|
|
|
}
|
|
|
|
|
|
# HTTPS Server keycloak1
|
|
|
server {
|
|
|
listen 4438;
|
|
|
listen 4438 ssl;
|
|
|
server_name id.fairkom.net;
|
|
|
|
|
|
error_log /var/log/nginx/keycloak.access.log;
|
|
|
|
|
|
ssl on;
|
|
|
ssl_certificate /etc/letsencrypt/live/chat.fairkom.net-0001/fullchain.pem;
|
|
|
ssl_certificate_key /etc/letsencrypt/live/chat.fairkom.net-0001/privkey.pem;
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
|
|
|
# ssl on;
|
|
|
ssl_certificate /etc/letsencrypt/live/id.fairkom.net/fullchain.pem;
|
|
|
ssl_certificate_key /etc/letsencrypt/live/id.fairkom.net/privkey.pem;
|
|
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
|
ssl_prefer_server_ciphers off;
|
|
|
|
|
|
location /bantest {
|
|
|
# location /auth/realms/fairlogin/login-actions/registration {
|
|
|
if ($allowed_country = no) {
|
|
|
return 302 https://git.fairkom.net/fairlogin/fairkom/-/wikis/FAQ-EN#registrations-from-outside-europe;
|
|
|
}
|
|
|
}
|
|
|
|
|
|
location / {
|
|
|
proxy_pass http://keycloak;
|
|
|
proxy_pass http://keycloak1;
|
|
|
proxy_http_version 1.1;
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
proxy_set_header Connection "upgrade";
|
... | ... | @@ -31,9 +112,10 @@ server { |
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
# proxy_set_header X-Nginx-Proxy true;
|
|
|
|
|
|
# proxy_redirect off;
|
|
|
proxy_redirect off;
|
|
|
}
|
|
|
}
|
|
|
|
|
|
```
|
|
|
|
|
|
|
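Review bot: The server block carries both `listen 4438;` and `listen 4438 ssl;` together with `ssl on;`; this rendering has lost the old/new markers, but if both listen lines survive on the new side nginx rejects the config with a duplicate-listen error, and `ssl on;` (deprecated in favour of the `ssl` listen parameter) would force TLS on the plain listener anyway, so the block should end up with just `listen 4438 ssl;` and `ssl_protocols TLSv1.2 TLSv1.3;`, with `ssl on;` and the `TLSv1 TLSv1.1 TLSv1.2` variant dropped. The same ambiguity applies to the paired `ssl_certificate`/`ssl_certificate_key` lines (chat.fairkom.net-0001 versus id.fairkom.net) and to the two `proxy_pass` directives: only one of each may remain, and the certificate that stays must match `server_name id.fairkom.net`. In the `$allowed_country` map, `UK yes;` never matches because the GeoIP database emits ISO 3166-1 alpha-2 `GB`, which is already listed, so that line is dead and can go. `error_log /var/log/nginx/keycloak.access.log;` writes the error log to a file named like an access log; an `access_log` directive here would actually record the 302 denials from the geo check, which is what you want when reviewing blocked registrations. The geo check is attached only to `location /bantest` while the registration path stays commented out, so as written it does not gate registrations at all — presumably intentional for testing per the comment, but worth confirming before merge; the server block continues into the second hunk.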