keycloak の NGINX設定(SSLアクセラレーション)

めもめも

  • HTTPS での接続を HTTPでProxyする
  • HTTP での接続はそのまま繋げる
server {
    # Plain-HTTP front end. By the notes at the top of the page, HTTP clients are
    # proxied to Keycloak as-is (no redirect to HTTPS), so this server only
    # forwards; TLS is handled by the separate port-443 server.
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name ${domain name};

    root /var/www/html;

    # Keep the client-visible port out of nginx-generated redirects.
    port_in_redirect off;

    location / {
        # Speak HTTP/1.1 to the upstream so Upgrade can be passed through.
        proxy_http_version 1.1;

        # Forward the original client facts Keycloak needs to build correct
        # issuer/redirect URLs when it runs behind a proxy.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-Host  $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;

        # Upgrade/Connection are forwarded unconditionally, as authored; the page
        # defines no `map`-based $connection_upgrade, so the literal value is kept.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_pass http://keycloak;
    }
}

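server {
    # TLS terminates here ("SSL acceleration"); the hop to Keycloak is plain HTTP.
    # `listen ... ssl` replaces the deprecated `ssl on;` directive (removed in
    # nginx 1.25). The IPv6 listener matches the port-80 server above.
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${domain name};

    ssl_certificate     ${server.crt};
    ssl_certificate_key ${server.key};

    # The original offered SSLv2/SSLv3/TLSv1 with RC4, LOW and EXPORT suites; all
    # of those are broken against well-known attacks (POODLE on SSLv3, RC4 keystream
    # biases, export-grade key sizes). Only TLS 1.2+ with forward-secret AEAD suites
    # is offered now. TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1+;
    # drop it from the list on older builds (TLS 1.3 suites are not set via ssl_ciphers).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Session resumption cache shared across workers; re-enables the timeout the
    # original left commented out.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;

    # HSTS is intentionally not enabled: the port-80 server proxies plain HTTP by
    # design (see the notes at the top of the page). Enable it once plain HTTP
    # is retired:
    # add_header Strict-Transport-Security "max-age=31536000" always;

    # Keep the client-visible port out of nginx-generated redirects.
    port_in_redirect off;

    location / {
        # Speak HTTP/1.1 to the upstream so Upgrade can be passed through.
        proxy_http_version 1.1;

        # Forward the original client facts Keycloak needs to build correct
        # issuer/redirect URLs; X-Forwarded-Proto is "https" here, which is what
        # lets Keycloak emit https:// URLs although it is reached over http://.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-Host  $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;

        # Upgrade/Connection are forwarded unconditionally, as authored; the page
        # defines no `map`-based $connection_upgrade, so the literal value is kept.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_pass http://keycloak;
        # Rewrite any http:// Location header the upstream returns to https://.
        proxy_redirect http:// https://;
    }
}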

upstream keycloak {
    # Backend Keycloak instance, reached over plain HTTP on the local host;
    # referenced by `proxy_pass http://keycloak` in both server blocks.
    server localhost:8080;
}

参考

【Nginx】リバースプロキシとSSLオフロード(アクセラレーション) | ぴぐろぐ

qiita.com