modified: serv_nginx/.env

modified:   serv_nginx/nginx/Dockerfile
	modified:   serv_nginx/nginx/nginx-ssl.conf
add new config new Dockerfile and nginx conf

serv_nginx/.env

@@ -6,7 +6,8 @@ DOMAINS_valitovgaziz=valitovgaziz.ru,www.valitovgaziz.ru
 DOMAINS_easysite102=easysite102.ru,www.easysite102.ru
 DOMAINS_begushiybashkir=xn--80abahjtcfl5d0a8di.xn--p1ai,www.xn--80abahjtcfl5d0a8di.xn--p1ai
 DOMAINS_begushiybashkir_latin=begushiybashkir.ru,www.begushiybashkir.ru
-ALL_DOMAINS=yalarba.ru,www.yalarba.ru,valitovgaziz.ru,www.valitovgaziz.ru,easysite102.ru,www.easysite102.ru,begushiybashkir.ru,www.begushiybashkir.ru,xn--80abahjtcfl5d0a8di.xn--p1ai,www.xn--80abahjtcfl5d0a8di.xn--p1ai,auth.yalarba.ru
+ALL_DOMAINS=yalarba.ru,www.yalarba.ru,valitovgaziz.ru,www.valitovgaziz.ru,easysite102.ru,www.easysite102.ru,begushiybashkir.ru,www.begushiybashkir.ru,xn--80abahjtcfl5d0a8di.xn--p1ai,www.xn--80abahjtcfl5d0a8di.xn--p1ai
+
 # keycloak
-KEYCLOAK_ADMIN_PASSWORD=your_secure_admin_password
+KEYCLOAK_ADMIN_PASSWORD=your_secure_password
 KEYCLOAK_DB_PASSWORD=your_secure_db_password

serv_nginx/nginx/Dockerfile

@@ -1,28 +1,40 @@
-FROM nginx:alpine
+FROM quay.io/keycloak/keycloak:22.0.0 as builder
 
-# Установка зависимостей
+# Enable health and metrics support
-RUN apk add --no-cache bash openssl
+ENV KC_HEALTH_ENABLED=true
+ENV KC_METRICS_ENABLED=true
 
-# Создание директории для сертификатов
+# Configure a database vendor
-RUN mkdir -p /etc/nginx/ssl
+ENV KC_DB=postgres
 
-# Генерация самоподписанных сертификатов (действительны 365 дней)
+WORKDIR /opt/keycloak
-RUN openssl req -x509 -nodes -days 365 \
-    -newkey rsa:2048 \
-    -keyout /etc/nginx/ssl/dummy.key \
-    -out /etc/nginx/ssl/dummy.crt \
-    -subj "/C=US/ST=State/L=City/O=Organization/CN=localhost"
 
-# Копируем обе конфигурации
+# For demonstration purposes, please consider using proper certificates in production instead
-COPY nginx-http.conf /etc/nginx/nginx-http.conf
+RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
-COPY nginx-ssl.conf /etc/nginx/nginx-ssl.conf
 
-# Создаем симлинк по умолчанию на HTTP конфиг
+RUN /opt/keycloak/bin/kc.sh build
-RUN ln -sf /etc/nginx/nginx-http.conf /etc/nginx/conf.d/default.conf
 
-# Скрипт для проверки сертификатов и переключения конфига
+FROM quay.io/keycloak/keycloak:22.0.0
-COPY switch-config.sh /docker-entrypoint.d/switch-config.sh
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
-RUN chmod +x /docker-entrypoint.d/switch-config.sh
 
-# Создаем необходимые директории
+# Change these values to point to a running postgres instance
-RUN mkdir -p /var/www/certbot
+ENV KC_DB=postgres
+ENV KC_DB_URL_HOST=keycloak-db
+ENV KC_DB_URL_PORT=5432
+ENV KC_DB_URL_DATABASE=keycloak
+ENV KC_DB_USERNAME=keycloak
+ENV KC_DB_PASSWORD=keycloak
+
+ENV KC_HOSTNAME=yalarba.ru
+ENV KC_HOSTNAME_STRICT=true
+ENV KC_HOSTNAME_STRICT_HTTPS=true
+ENV KC_HOSTNAME_PATH=/auth
+ENV KC_HTTP_ENABLED=true
+ENV KC_HTTP_PORT=8080
+ENV KC_HTTP_RELATIVE_PATH=/auth
+ENV KC_PROXY=edge
+
+ENV KEYCLOAK_ADMIN=admin
+ENV KEYCLOAK_ADMIN_PASSWORD=admin
+
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

serv_nginx/nginx/nginx-ssl.conf

@@ -22,7 +22,7 @@ server {
     location / {
         return 301 https://$host$request_uri;
     }
-    # ✅ Добавляем uploads и в HTTP редирект
+    
     location /uploads/ {
         alias /uploads/;
         expires 1y;
@@ -33,7 +33,6 @@ server {
 }
 
 server {
-
     listen 443 ssl;
     server_name yalarba.ru www.yalarba.ru;
 
@@ -51,9 +50,30 @@ server {
         try_files $uri $uri/ /index.html;
     }
 
-    # New location for REST API
+    # Keycloak integration - исправленная конфигурация
+    location /auth/ {
+        proxy_pass http://keycloak_backend/auth/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        
+        # Важные настройки для Keycloak
+        proxy_buffer_size 128k;
+        proxy_buffers 4 256k;
+        proxy_busy_buffers_size 256k;
+        
+        # Таймауты
+        proxy_connect_timeout 30s;
+        proxy_send_timeout 30s;
+        proxy_read_timeout 30s;
+    }
+
+    # REST API
     location /api/ {
-        proxy_pass http://api/;
+        proxy_pass http://api_backend/;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -63,21 +83,9 @@ server {
         proxy_send_timeout 600;
         proxy_read_timeout 600;
     }
-
-    # Keycloak integration
-    location /auth/ {
-        proxy_pass http://keycloak/;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Host $host;
 }
 
-
+# Остальные server блоки остаются без изменений...
-}
-
-
 server {
     listen 443 ssl;
     server_name valitovgaziz.ru www.valitovgaziz.ru;
@@ -85,7 +93,6 @@ server {
     ssl_certificate /etc/letsencrypt/live/valitovgaziz.ru/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/valitovgaziz.ru/privkey.pem;
 
-    # Additional SSL settings
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
@@ -104,7 +111,6 @@ server {
     ssl_certificate /etc/letsencrypt/live/easysite102.ru/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/easysite102.ru/privkey.pem;
 
-    # Additional SSL settings
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
@@ -116,7 +122,6 @@ server {
     }
 }
 
-
 server {
     listen 443 ssl;
     server_name xn--80abahjtcfl5d0a8di.xn--p1ai www.xn--80abahjtcfl5d0a8di.xn--p1ai;
@@ -124,7 +129,6 @@ server {
     ssl_certificate /etc/letsencrypt/live/xn--80abahjtcfl5d0a8di.xn--p1ai/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/xn--80abahjtcfl5d0a8di.xn--p1ai/privkey.pem;
 
-    # Additional SSL settings
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
@@ -143,7 +147,6 @@ server {
     ssl_certificate /etc/letsencrypt/live/begushiybashkir.ru/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/begushiybashkir.ru/privkey.pem;
 
-    # Additional SSL settings
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
@@ -154,9 +157,8 @@ server {
         try_files $uri $uri/ /index.html;
     }
 
-    # New location for REST API
     location /api/ {
-        proxy_pass http://api_bb/;
+        proxy_pass http://api_bb_backend/;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -172,5 +174,4 @@ server {
         expires 1y;
         add_header Cache-Control "public, immutable";
     }
-
 }