From d8d59f944cce4071672dc8a8bbdbc6e6efd5545f Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Fri, 16 Feb 2024 11:45:08 -0500
Subject: [PATCH 1/6] fix: forward traffic to keycloak if tls_no+internal_idp
---
conf/nginx.conf.tpl | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/conf/nginx.conf.tpl b/conf/nginx.conf.tpl
index 519994b..b718ec0 100644
--- a/conf/nginx.conf.tpl
+++ b/conf/nginx.conf.tpl
@@ -107,6 +107,24 @@ http {
 # tpl__tls_yes__end
+ # tpls__tls_no__start
+ # tpl__internal_idp__start
+ # Keycloak
+ server {
+ listen 80;
+ server_name ${BENTOV2_AUTH_DOMAIN};
+
+ # Reverse proxy settings
+ include /gateway/conf/proxy.conf;
+
+ set $upstream_auth ${BENTOV2_AUTH_CONTAINER_NAME}:${BENTOV2_AUTH_INTERNAL_PORT};
+ proxy_pass $upstream_auth;
+
+ error_log /var/log/bentov2_auth_errors.log;
+ }
+ # tpl__internal_idp__end
+ # tpls__tls_no__end
+
 # Bento Public
 map $http_origin $public_cors {
 default '';
From 376945ac061b1212a3092ac8d78c3bb003da73f9 Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Fri, 16 Feb 2024 11:55:16 -0500
Subject: [PATCH 2/6] typo+lint
---
conf/nginx.conf.tpl | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/conf/nginx.conf.tpl b/conf/nginx.conf.tpl
index b718ec0..8ea8a0a 100644
--- a/conf/nginx.conf.tpl
+++ b/conf/nginx.conf.tpl
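Review bot: The new `server { listen 80; server_name ${BENTOV2_AUTH_DOMAIN}; ... }` block hands the identity provider to nginx over plain HTTP, so Keycloak can only learn the client's real scheme and host from forwarded headers; whether redirect URIs and session cookies come back as https/`Secure` therefore depends entirely on what `/gateway/conf/proxy.conf` sets (`X-Forwarded-Proto`, `X-Forwarded-Host`) and on Keycloak being configured to trust its edge proxy, neither of which is visible in this patch. Worth verifying before this mode ships, and worth stating in the block, e.g. `# Relies on proxy.conf forwarding X-Forwarded-Proto/Host; TLS is terminated upstream of the gateway`. The surrounding `http {` block starts and ends outside the hunk.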
@@ -107,23 +107,23 @@ http {
 # tpl__tls_yes__end
- # tpls__tls_no__start
+ # tpl__tls_no__start
 # tpl__internal_idp__start
 # Keycloak
 server {
- listen 80;
+ listen 80;
 server_name ${BENTOV2_AUTH_DOMAIN};
 # Reverse proxy settings
- include /gateway/conf/proxy.conf;
+ include /gateway/conf/proxy.conf;
- set $upstream_auth ${BENTOV2_AUTH_CONTAINER_NAME}:${BENTOV2_AUTH_INTERNAL_PORT};
+ set $upstream_auth ${BENTOV2_AUTH_CONTAINER_NAME}:${BENTOV2_AUTH_INTERNAL_PORT};
 proxy_pass $upstream_auth;
- error_log /var/log/bentov2_auth_errors.log;
+ error_log /var/log/bentov2_auth_errors.log;
 }
 # tpl__internal_idp__end
- # tpls__tls_no__end
+ # tpl__tls_no__end
 # Bento Public
 map $http_origin $public_cors {
From 5dae3e4ca377fe73df791e6dbced01f87336d35a Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Fri, 16 Feb 2024 13:22:39 -0500
Subject: [PATCH 3/6] fix: location block (no-tls, internal-idp)
---
conf/nginx.conf.tpl | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/conf/nginx.conf.tpl b/conf/nginx.conf.tpl
index 8ea8a0a..74bccd4 100644
--- a/conf/nginx.conf.tpl
+++ b/conf/nginx.conf.tpl
@@ -114,13 +114,15 @@ http {
 listen 80;
 server_name ${BENTOV2_AUTH_DOMAIN};
- # Reverse proxy settings
- include /gateway/conf/proxy.conf;
+ location / {
+ # Reverse proxy settings
+ include /gateway/conf/proxy.conf;
- set $upstream_auth ${BENTOV2_AUTH_CONTAINER_NAME}:${BENTOV2_AUTH_INTERNAL_PORT};
- proxy_pass $upstream_auth;
+ set $upstream_auth ${BENTOV2_AUTH_CONTAINER_NAME}:${BENTOV2_AUTH_INTERNAL_PORT};
+ proxy_pass $upstream_auth;
- error_log /var/log/bentov2_auth_errors.log;
+ error_log /var/log/bentov2_auth_errors.log;
+ }
 }
 # tpl__internal_idp__end
 # tpl__tls_no__end
From 68a9cfd199d44c74b67bdbed17aaf7c67be28643 Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Fri, 16 Feb 2024 13:27:30 -0500
Subject: [PATCH 4/6] fix: missing http for proxy pass
---
conf/nginx.conf.tpl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/nginx.conf.tpl b/conf/nginx.conf.tpl
index 74bccd4..c959ff2 100644
--- a/conf/nginx.conf.tpl
+++ b/conf/nginx.conf.tpl
@@ -118,7 +118,7 @@ http {
 # Reverse proxy settings
 include /gateway/conf/proxy.conf;
- set $upstream_auth ${BENTOV2_AUTH_CONTAINER_NAME}:${BENTOV2_AUTH_INTERNAL_PORT};
+ set $upstream_auth http://${BENTOV2_AUTH_CONTAINER_NAME}:${BENTOV2_AUTH_INTERNAL_PORT};
 proxy_pass $upstream_auth;
 error_log /var/log/bentov2_auth_errors.log;
From 94bb12d9112ea95bbe47a0f952b52ba8a6044092 Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Fri, 16 Feb 2024 13:30:03 -0500
Subject: [PATCH 5/6] lint: add comment [no ci]
---
conf/nginx.conf.tpl | 1 +
1 file changed, 1 insertion(+)
diff --git a/conf/nginx.conf.tpl b/conf/nginx.conf.tpl
index c959ff2..d598fbe 100644
--- a/conf/nginx.conf.tpl
+++ b/conf/nginx.conf.tpl
@@ -118,6 +118,7 @@ http {
 # Reverse proxy settings
 include /gateway/conf/proxy.conf;
+ # Immediate set/re-use means we don't get resolve errors if not up (as opposed to passing as a literal)
 set $upstream_auth http://${BENTOV2_AUTH_CONTAINER_NAME}:${BENTOV2_AUTH_INTERNAL_PORT};
 proxy_pass $upstream_auth;
From c6f61b89117e5c0e2de3c569c35e53f6a5f222d9 Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Fri, 16 Feb 2024 13:31:01 -0500
Subject: [PATCH 6/6] lint: comment [no ci]
---
conf/nginx.conf.tpl | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/conf/nginx.conf.tpl b/conf/nginx.conf.tpl
index d598fbe..259d9d0 100644
--- a/conf/nginx.conf.tpl
+++ b/conf/nginx.conf.tpl
@@ -109,7 +109,8 @@ http {
 # tpl__tls_no__start
 # tpl__internal_idp__start
- # Keycloak
+ # Keycloak for no-TLS setups; in this case, the TLS connection is terminated before traffic gets to the gateway, so
+ # we have to proxy_pass here instead of streaming traffic above.
 server {
 listen 80;
 server_name ${BENTOV2_AUTH_DOMAIN};
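Review bot: Because the upstream is now a variable, `proxy_pass $upstream_auth;` (the context line right after the changed `set`) makes nginx resolve `${BENTOV2_AUTH_CONTAINER_NAME}` per request instead of at config load, and that only works when a `resolver` directive is in scope; neither the enclosing `http {` block nor `/gateway/conf/proxy.conf` is visible here, so confirm one is defined (the container platform's DNS is the usual choice) or the first request will fail with a "no resolver defined" error rather than nginx refusing to start. The comment added in the next patch explains the intent but not this prerequisite; I'd extend it with `# Requires a resolver directive in scope: variable upstreams are resolved at request time`. The `location /` block that contains these lines starts and ends outside the hunk.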