mirror/infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
Code Issues
enable-gitlab-spamcheck
infrastructure/roles/keycloak/templates/nginx.d.conf.j2
Kristian Klausen bd0bae9f48
keycloak: Bump buffer size to make room for response headers 
Keycloak is apparently sending over 4k worth of response headers under
some circumstances (maybe when the client sends a stale cookie?), which
causes Nginx to return a 502 error and log "upstream sent too big header
while reading response header from upstream". This is likely also
related to this upstream issue[1]. So bump the buffer to 8k.

[1] https://github.com/keycloak/keycloak/issues/16181
2023-01-05 21:04:35 +01:00

66 lines
2.4 KiB
Django/Jinja
Raw Permalink Blame History

server {
listen 80;
listen [::]:80;
server_name {{ keycloak_domain }};
access_log /var/log/nginx/{{ keycloak_domain }}/access.log reduced;
access_log /var/log/nginx/{{ keycloak_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ keycloak_domain }}/error.log;
include snippets/letsencrypt.conf;
location / {
access_log off;
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ keycloak_domain }};
access_log /var/log/nginx/{{ keycloak_domain }}/access.log reduced;
access_log /var/log/nginx/{{ keycloak_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ keycloak_domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ keycloak_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ keycloak_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ keycloak_domain }}/chain.pem;
root {{ keycloak_domain }};
# https://w3c.github.io/webappsec-change-password-url/
location = /.well-known/change-password {
return 302 https://$server_name/realms/archlinux/account/#/security/signingin;
}
location ~ /realms/[a-z]+/metrics {
auth_basic "Prometheus exporter";
auth_basic_user_file {{ keycloak_nginx_htpasswd }};
access_log /var/log/nginx/{{ keycloak_domain }}/access.log main;
access_log /var/log/nginx/{{ keycloak_domain }}/access.log.json json_main;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:{{ keycloak_port }};
}
location / {
access_log /var/log/nginx/{{ keycloak_domain }}/access.log main;
access_log /var/log/nginx/{{ keycloak_domain }}/access.log.json json_main;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:{{ keycloak_port }};
proxy_buffer_size 8k;
}
location = / {
return 301 https://$server_name/realms/archlinux/account;
}
}
View Git Blame Copy Permalink