modified: serv_nginx/keycloak/keycloak.conf

modified: serv_nginx/nginx/nginx-ssl.conf change configs for keycloak to auth only domen path and change nginx configs for this
2025-10-21 05:58:27 +05:00
parent 72e7d8b5f2
commit 74382de88d
2 changed files with 39 additions and 10 deletions
@@ -13,14 +13,14 @@ admin-password=${KEYCLOAK_ADMIN_PASSWORD}
 # HTTP configuration
 http-enabled=true
 http-port=8080
-http-relative-path=/
+http-relative-path=/auth

 # Hostname configuration
-hostname=https://yalarba.ru
-hostname-strict=false
-hostname-strict-https=false
+hostname-url=https://yalarba.ru/auth
+hostname-strict=true
+hostname-strict-https=true
 hostname-strict-backchannel=false
-hostname-path=/
+hostname-path=/auth

 # Proxy configuration
 proxy=x_forwarded
@@ -38,5 +38,5 @@ health-enabled=true
 # Features
 features=token-exchange,admin-fine-grained-authz

-# Logging (для отладки)
+# Logging
 log-level=INFO
@@ -64,18 +64,43 @@ server {
        proxy_read_timeout 600;
    }

-    # Keycloak integration
+    # Keycloak configuration - все запросы к /auth проксируем к Keycloak
    location /auth/ {
-        proxy_pass http://keycloak_backend/;
+        proxy_pass http://keycloak:8080/auth/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Prefix /auth;
+
+        # WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 30s;
+        proxy_send_timeout 30s;
+        proxy_read_timeout 30s;
+
+        # Buffer settings
+        proxy_buffer_size 128k;
+        proxy_buffers 4 256k;
+        proxy_busy_buffers_size 256k;
+
+        # Disable buffering for admin console
+        proxy_buffering off;
    }

-    # Для админки
-    location /admin {
+    # Редирект корневого пути на /auth если нужно
+    location = / {
+        return 302 /auth/;
+    }
+
+    # Static assets with longer cache
+    location ~* /auth/.*\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        proxy_pass http://keycloak:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
@@ -83,6 +108,10 @@ server {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
+
+        # Cache static assets
+        expires 1y;
+        add_header Cache-Control "public, immutable";
    }

 }