From 044f6cf77750a8e128b64ad37c7e34c6af074960 Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Fri, 16 Feb 2024 14:39:39 -0500
Subject: [PATCH] don't set x-forwarded-proto twice - custom keycloak proxy settings
---
 conf/nginx.conf.tpl | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/conf/nginx.conf.tpl b/conf/nginx.conf.tpl
index d89583d..9f4d797 100644
--- a/conf/nginx.conf.tpl
+++ b/conf/nginx.conf.tpl
@@ -117,10 +117,21 @@ http {
 location / {
 # Reverse proxy settings
- include /gateway/conf/proxy.conf;
-
- # Override a line from the above conf - we need Keycloak to be explicitly X-Forwarded-Proto https
- proxy_set_header X-Forwarded-Proto https;
+ limit_req zone=perip burst=30;
+ limit_req zone=perserver burst=90;
+
+ proxy_pass_header Server;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto https; # explicitly set to https
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_ignore_client_abort on;
 # Immediate set/re-use means we don't get resolve errors if not up (as opposed to passing as a literal)
 set $upstream_auth http://${BENTOV2_AUTH_CONTAINER_NAME}:${BENTOV2_AUTH_INTERNAL_PORT_PLAIN_HTTP};
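Review bot: `proxy_set_header Host $http_host;` forwards the client's raw Host header to Keycloak, while `X-Forwarded-Host` two lines later uses the normalised `$host`. An identity provider that trusts proxy headers may build redirect and e-mail links from these values, so unless this server block's `server_name` rejects unknown hosts (not visible in the hunk), `proxy_set_header Host $host;` or a fixed domain is the safer choice. Likewise `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client sent; if this gateway is the first hop, `proxy_set_header X-Forwarded-For $remote_addr;` keeps spoofed entries out of what Keycloak records as the client address. These lines look inlined from `/gateway/conf/proxy.conf`, so the behaviour may predate this commit, and a comment such as `# inlined from proxy.conf - keep in sync (X-Forwarded-Proto differs)` would help avoid drift. The `location /` block continues past the end of the hunk.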