# Global section: load the modules used below (TLS, OpenID Connect relying
# party, reverse proxy, header rewriting) and open the HTTPS listener.
LoadModule ssl_module modules/mod_ssl.so
# NOTE(review): this module is loaded from an absolute path while the others
# are relative to ServerRoot - confirm both locations exist in the image.
LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so
# NOTE(review): debug is the global log level, so every loaded module logs at
# full verbosity. Debug output from mod_auth_openidc may include token and
# session detail; keep this level for troubleshooting only and treat the
# resulting log files as sensitive.
LogLevel debug
# Only port 443 is opened here. NOTE(review): the HTTP->HTTPS redirects further
# down need a port 80 listener, which is not visible in this listing.
Listen 443
# NOTE(review): no enclosing <VirtualHost> lines are visible in this listing.
# The ServerName/Redirect pairs below only make sense inside one container per
# host; confirm the container lines against the deployed file.

# Redirect HTTP to HTTPS for auth.local ("permanent" sends a 301 for every path)
ServerName auth.local
Redirect permanent / https://auth.local/
# Redirect HTTP to HTTPS for api.local (same 301 redirect)
# NOTE(review): a redirect only protects a request after the first plain-HTTP
# hit; no Strict-Transport-Security header is set anywhere in this file.
ServerName api.local
Redirect permanent / https://api.local/
# Keycloak on auth.local: TLS is terminated here and every request is proxied
# to the Keycloak backend.
# NOTE(review): the enclosing <VirtualHost>/<Location> lines are not visible in
# this listing - confirm the scope of each directive against the deployed file.
ServerName auth.local
# ${APACHE_LOG_DIR} has to be defined in httpd's environment.
ErrorLog ${APACHE_LOG_DIR}/auth_error.log
CustomLog ${APACHE_LOG_DIR}/auth_access.log combined
SSLEngine on
# The same certificate and key are also used for api.local further down.
# The key file should be readable only by the account that starts httpd.
SSLCertificateFile /usr/local/apache2/conf/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
# Proxy all traffic to Keycloak
# The hop to the backend is plain HTTP, so it relies on the network between
# this proxy and Keycloak being trusted.
# NOTE(review): "/" forwards every path, which would include Keycloak's
# administrative endpoints if they are served on port 8080 - confirm that this
# exposure is intended.
ProxyPass / http://keycloak:8080/
ProxyPassReverse / http://keycloak:8080/
# Forward the client's Host header to the backend instead of "keycloak:8080".
ProxyPreserveHost On
# No access control at the proxy; authentication is left to Keycloak.
Require all granted
# "set" replaces any value the client sent for these headers.
# NOTE(review): presumably Keycloak builds its external URLs from these
# values - verify that it is configured to trust forwarded headers from this
# proxy only.
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Host "auth.local"
# APIs on api.local: TLS is terminated here; /public/ is proxied without
# authentication and /api/ is proxied behind an OpenID Connect login.
# NOTE(review): the enclosing <VirtualHost>/<Location> lines are not visible in
# this listing - confirm the scope of each directive against the deployed file.
ServerName api.local
ErrorLog ${APACHE_LOG_DIR}/api_error.log
CustomLog ${APACHE_LOG_DIR}/api_access.log combined
SSLEngine on
# Same certificate and key as the auth.local host above.
SSLCertificateFile /usr/local/apache2/conf/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
# OIDC config - point to Keycloak via auth.local
# NOTE(review): the discovery URL targets the "master" realm, which in Keycloak
# is the administrative realm; application clients are normally kept in a
# dedicated realm - confirm this is intended.
OIDCProviderMetadataURL https://auth.local/realms/master/.well-known/openid-configuration
OIDCClientID soa-realm
# The redirect URI sits under /api/, the OIDC-protected prefix below.
OIDCRedirectURI https://api.local/api/redirect
# NOTE(review): the client secret is stored in clear text in this file. Once
# the file has been shared or committed the value should be rotated in
# Keycloak, and the replacement supplied from outside the file, for example
# with the ${VAR} interpolation already used for APACHE_LOG_DIR.
OIDCClientSecret NuLgdHzPldRauqIln0I0TN5216PgX3Ty
# This passphrase protects the module's state and session cookies and cache.
# NOTE(review): the value has the form of a version-1 (time-based) UUID, which
# is derived from a timestamp and a node identifier rather than random data.
# Generate the replacement from a CSPRNG and keep it out of the file.
OIDCCryptoPassphrase fdfd8280-13b5-11f0-a320-080027e6dc53
# Claims are passed to the backend both as request headers and as environment
# variables.
# NOTE(review): the backend should trust claim headers only on requests that
# arrive through the protected path - verify that user_api cannot be reached
# other than through this proxy.
OIDCPassClaimsAs both
# REMOTE_USER is taken from the "email" claim.
# NOTE(review): email is only as trustworthy as the provider's verification of
# it and may change over time; "sub" is the stable subject identifier - confirm
# what the backend keys on.
OIDCRemoteUserClaim email
# Idle timeout in seconds: 86400 = 24 hours without activity.
OIDCSessionInactivityTimeout 86400
# NOTE(review): Off disables certificate validation for the module's own HTTPS
# calls to the provider (discovery, token and key retrieval), so anything that
# can intercept the connection to auth.local can pose as the provider. If the
# certificate is self-signed or from a private CA, keep validation On and trust
# that certificate explicitly (e.g. via OIDCCABundlePath).
OIDCSSLValidateServer Off
# Proxy public API (no auth)
# Both backends are reached over plain HTTP.
ProxyPass /public/ http://public_api:5001/
ProxyPassReverse /public/ http://public_api:5001/
# Proxy private API (OIDC protected)
ProxyPass /api/ http://user_api:5002/
ProxyPassReverse /api/ http://user_api:5002/
# NOTE(review): confirm these two lines are scoped to /api/ only; their
# container is not visible in this listing.
AuthType openid-connect
Require valid-user