ANALYTIKDATA
/
automated-office


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131
							upstream keycloak_upstream {
    server 172.18.0.3:8080;
}

server {
    listen 80;
    server_name auth.mrx8086.com;

    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name auth.mrx8086.com;

    # SSL Configuration
    ssl_certificate /etc/nginx/ssl/mrx8086.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/mrx8086.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Modern SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Security headers
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Content Security Policy
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; frame-src 'self'; frame-ancestors 'self'; connect-src 'self'" always;

    # Proxy settings - Added X-Forwarded headers here to apply to all proxied locations
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl on; # Optional, but explicit
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header Host $host;
    proxy_http_version 1.1;

    # Cookies sicher machen
    proxy_cookie_flags ~ secure samesite=lax;
    
    # Specific location for the token endpoint
    location ~ ^/auth/realms/[^/]+/protocol/openid-connect/token$ {
        proxy_pass http://keycloak_upstream;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        # WebSocket support (likely not needed for token endpoint, but keeping for consistency)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    # Keycloak required paths
    location ~ ^/realms/ {
       proxy_pass http://keycloak_upstream;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        # WebSocket support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }


    location /resources/ {
        proxy_pass http://keycloak_upstream;

        # Cache settings for static resources
        proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
        proxy_cache_valid 200 1d;
        expires 1d;
        add_header Cache-Control "public" always;
    }

    location /robots.txt {
        proxy_pass http://keycloak_upstream;
    }

    # Block sensitive paths
    location /admin/ {
        allow 172.23.160.0/20;
        deny all;
        proxy_pass http://keycloak_upstream;  # Forward to upstream Keycloak server
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /metrics {
        deny all;
        return 403;
    }

    location /health {
        deny all;
        return 403;
    }

    # Error pages
    error_page 403 /403.html;
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;

    # Deny access to hidden files
    location ~ /\. {
        deny all;
        return 404;
    }

    # Root location for the main application - this needs to be last
    location / {
        proxy_pass http://keycloak_upstream;
    }
}