modified: serv_nginx/docker-compose.yml

new file:   serv_nginx/keycloak/.env.keycloak
	new file:   serv_nginx/keycloak/realm-config/setup-realm.json
	modified:   serv_nginx/nginx/nginx-ssl.conf
revert to ald setting into nginx

serv_nginx/docker-compose.yml

@@ -164,6 +164,7 @@ services:
       dockerfile: Dockerfile
     container_name: keycloak
     restart: unless-stopped
+    env_file: ./keycloak/.env.keycloak
     environment:
       # Database configuration
       KC_DB: postgres
@@ -211,6 +212,7 @@ services:
     image: postgres:15-alpine
     container_name: keycloak-db
     restart: unless-stopped
+    env_file: ./keycloak/.env.keycloak
     environment:
       POSTGRES_DB: keycloak
       POSTGRES_USER: keycloak

serv_nginx/keycloak/.env.keycloak

@@ -0,0 +1,22 @@
+# Keycloak
+KEYCLOAK_VERSION=24.0.4
+KEYCLOAK_USER=admin
+KEYCLOAK_PASSWORD=admin123
+KEYCLOAK_DB_USER=keycloak
+KEYCLOAK_DB_PASSWORD=keycloak123
+KEYCLOAK_DB_NAME=keycloak
+
+# Database
+POSTGRES_VERSION=15
+POSTGRES_DB=keycloak
+POSTGRES_USER=keycloak
+POSTGRES_PASSWORD=keycloak123
+
+# Domains
+KEYCLOAK_FRONTEND_URL=https://auth.yalarba.ru
+DOMAIN_YALARBA=yalarba.ru
+DOMAIN_BEGUSHIYBASHKIR=begushiybashkir.ru
+
+# Internal
+KEYCLOAK_HTTP_PORT=8080
+KEYCLOAK_INTERNAL_PORT=8080

serv_nginx/keycloak/realm-config/setup-realm.json

@@ -0,0 +1,112 @@
+{
+  "id": "master",
+  "realm": "master",
+  "displayName": "Yalarba & Begushiybashkir",
+  "displayNameHtml": "<div class=\"kc-logo-text\"><span>Yalarba Auth</span></div>",
+  "enabled": true,
+  "sslRequired": "external",
+  "registrationAllowed": false,
+  "loginWithEmailAllowed": true,
+  "duplicateEmailsAllowed": false,
+  "resetPasswordAllowed": true,
+  "editUsernameAllowed": false,
+  "bruteForceProtected": true,
+  "permanentLockout": false,
+  "maxFailureWaitSeconds": 900,
+  "minimumQuickLoginWaitSeconds": 60,
+  "waitIncrementSeconds": 60,
+  "quickLoginCheckMilliSeconds": 1000,
+  "maxDeltaTimeSeconds": 43200,
+  "failureFactor": 5,
+  
+  "clients": [
+    {
+      "clientId": "yalarba-web",
+      "name": "Yalarba.ru Web Application",
+      "description": "Web application for yalarba.ru",
+      "enabled": true,
+      "protocol": "openid-connect",
+      "publicClient": true,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "rootUrl": "https://yalarba.ru",
+      "baseUrl": "https://yalarba.ru",
+      "redirectUris": [
+        "https://yalarba.ru/*",
+        "https://www.yalarba.ru/*"
+      ],
+      "webOrigins": [
+        "https://yalarba.ru",
+        "https://www.yalarba.ru"
+      ],
+      "attributes": {
+        "oauth2.device.authorization.grant.enabled": "false",
+        "backchannel.logout.revoke.offline_tokens": "false"
+      }
+    },
+    {
+      "clientId": "begushiybashkir-web",
+      "name": "Begushiybashkir.ru Web Application",
+      "description": "Web application for begushiybashkir.ru",
+      "enabled": true,
+      "protocol": "openid-connect",
+      "publicClient": true,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "rootUrl": "https://begushiybashkir.ru",
+      "baseUrl": "https://begushiybashkir.ru",
+      "redirectUris": [
+        "https://begushiybashkir.ru/*",
+        "https://www.begushiybashkir.ru/*"
+      ],
+      "webOrigins": [
+        "https://begushiybashkir.ru",
+        "https://www.begushiybashkir.ru"
+      ],
+      "attributes": {
+        "oauth2.device.authorization.grant.enabled": "false",
+        "backchannel.logout.revoke.offline_tokens": "false"
+      }
+    },
+    {
+      "clientId": "admin-cli",
+      "name": "${client_admin-cli}",
+      "enabled": true,
+      "protocol": "openid-connect",
+      "publicClient": false,
+      "standardFlowEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": true
+    }
+  ],
+  
+  "users": [
+    {
+      "username": "superadmin",
+      "email": "admin@yalarba.ru",
+      "firstName": "Super",
+      "lastName": "Admin",
+      "enabled": true,
+      "emailVerified": true,
+      "credentials": [
+        {
+          "type": "password",
+          "value": "SuperAdmin123!",
+          "temporary": false
+        }
+      ],
+      "realmRoles": [
+        "admin",
+        "default-role-master"
+      ],
+      "clientRoles": {
+        "realm-management": [
+          "realm-admin"
+        ]
+      }
+    }
+  ]
+}

serv_nginx/nginx/nginx-ssl.conf

@@ -1,16 +1,3 @@
-# Upstreams
-upstream keycloak_backend {
-    server keycloak:8080;
-}
-
-upstream api_backend {
-    server api:8080;
-}
-
-upstream api_bb_backend {
-    server api_bb:8080;
-}
-
 server {
     listen 80;
     server_name yalarba.ru www.yalarba.ru valitovgaziz.ru www.valitovgaziz.ru easysite102.ru www.easysite102.ru begushiybashkir.ru xn--80abahjtcfl5d0a8di.xn--p1ai;
@@ -49,31 +36,6 @@ server {
         index index.html;
         try_files $uri $uri/ /index.html;
     }
-
-    # Keycloak integration - исправленная конфигурация
-    location /auth/ {
-        proxy_pass http://keycloak_backend;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Port $server_port;
-
-        # Убрать trailing slash в proxy_pass
-        proxy_pass http://keycloak_backend;
-
-        # Важные настройки для Keycloak
-        proxy_buffer_size 128k;
-        proxy_buffers 4 256k;
-        proxy_busy_buffers_size 256k;
-
-        # Таймауты
-        proxy_connect_timeout 30s;
-        proxy_send_timeout 30s;
-        proxy_read_timeout 30s;
-    }
-
     # REST API
     location /api/ {
         proxy_pass http://api_backend/;
@@ -141,6 +103,25 @@ server {
         index index.html;
         try_files $uri $uri/ /index.html;
     }
+
+    location /api/ {
+        proxy_pass http://api_bb_backend/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_connect_timeout 600;
+        proxy_send_timeout 600;
+        proxy_read_timeout 600;
+    }
+
+    location /uploads/ {
+        alias /uploads/;
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
 }
 
 server {