Named Bind9 example config
I would have though this to be a common deployment but I had quite a significant challenge in getting this setup to run
Here is my working config for Keycloak behind a reverse proxy
Traffic flow
Client keycloak.hawkless.id.au--->HTTPS--->HAProxy--->HTTPS--->Keycloak Container
haproxy.cfg
global maxconn 4000 tune.ssl.default-dh-param 2048listen stats bind 0.0.0.0:9010 mode http stats enable stats uri /stats stats realm HAProxy Statistics stats auth statsadmin:passwd
frontend http bind *:80 mode http
acl letsencrypt-acl path_beg -i /.well-known/acme-challenge/ http-request redirect scheme https if !letsencrypt-acl use_backend letsencrypt if letsencrypt-acl
timeout client 1h
backend letsencrypt mode http server letsencrypt 127.0.0.1:8888 timeout connect 1h timeout server 1h
backend kc mode http server cps01 127.0.0.1:8443 check ssl verify none timeout connect 1h timeout server 1h
frontend https bind *:443 ssl crt /certs/dev-server4.pem mode http use_backend kc if { ssl_fc_sni -i kc.hawkless.id.au } default_backend kc timeout client 1h
`PROXY_ADDRESS_FORWARDING = true` seems to conflict with using "http-request add-header X-Forwarded-Proto: https" in HAProxy which is required for some services(OpenStack Horizon)
So use PROXY_ADDRESS_FORWARDING = false and have HAProxy pass the traffic to the SSL port on the Keycloak container instead of the HTTPS port
Docker commands for Keycloak and HAProxy
docker run -d -p 8080:8080 -p 8443:8443 -e DB_VENDOR=MYSQL -e DB_ADDR=192.168.2.1 -e DB_DATABASE=keycloak -e DB_USER=keycloak -e DB_PASSWORD=dbpass -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=kcpass -e PROXY_ADDRESS_FORWARDING=false --name keycloak jboss/keycloak
docker run -d -p 9010:9010 -p 80:80 -p 443:443 --net host --name haproxy -v /home/ubuntu/proxy/config:/usr/local/etc/haproxy:ro -v /home/ubuntu/proxy/certs:/certs:ro haproxy haproxy -f /usr/local/etc/haproxy/haproxy.cfg