upstream keycloak_upstream { server 172.18.0.3:8080; } server { listen 80; server_name auth.mrx8086.com; # Redirect HTTP to HTTPS return 301 https://$host$request_uri; } server { listen 443 ssl; server_name auth.mrx8086.com; # SSL Configuration ssl_certificate /etc/nginx/ssl/mrx8086.com/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/mrx8086.com/privkey.pem; ssl_session_timeout 1d; ssl_session_tickets off; # Modern SSL configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # Security headers add_header X-Content-Type-Options nosniff always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Frame-Options SAMEORIGIN always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # Content Security Policy add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; frame-src 'self'; frame-ancestors 'self'; connect-src 'self'" always; # Proxy settings - Added X-Forwarded headers here to apply to all proxied locations proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Ssl on; # Optional, but explicit proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Host $host; proxy_set_header Host $host; proxy_http_version 1.1; # Cookies sicher machen proxy_cookie_flags ~ secure samesite=lax; # Specific location for the token endpoint location ~ ^/auth/realms/[^/]+/protocol/openid-connect/token$ { proxy_pass http://keycloak_upstream; proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k; # WebSocket support (likely not needed for token endpoint, but keeping for consistency) proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # Timeouts proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; } # Keycloak required paths location ~ ^/realms/ { proxy_pass http://keycloak_upstream; proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k; # WebSocket support proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # Timeouts proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; } location /resources/ { proxy_pass http://keycloak_upstream; # Cache settings for static resources proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504; proxy_cache_valid 200 1d; expires 1d; add_header Cache-Control "public" always; } location /robots.txt { proxy_pass http://keycloak_upstream; } # Block sensitive paths location /admin/ { allow 172.23.160.0/20; deny all; proxy_pass http://keycloak_upstream; # Forward to upstream Keycloak server proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /metrics { deny all; return 403; } location /health { deny all; return 403; } # Error pages error_page 403 /403.html; error_page 404 /404.html; error_page 500 502 503 504 /50x.html; # Deny access to hidden files location ~ /\. { deny all; return 404; } # Root location for the main application - this needs to be last location / { proxy_pass http://keycloak_upstream; } }