Named / Bind9 example config

I came across this nice example of a bind9 config file that handles multiple subnets/VLANs/zones and treats them differently.

server:/var/named/etc/bind# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.

// Client networks; each acl is matched against a view below.
acl "lan" { /* LAN networks */ };
acl "guest" { /* guest networks */ };

options {
    directory "/var/cache/bind";
    listen-on { "localhost"; };

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below. Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    // query-source address * port 53;

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    auth-nxdomain no; # conform to RFC1035
};

include "/etc/bind/rndc.key";

// rndc control channel: restrict both the listen address and the allow list
// to management hosts, and require the shared key.
controls {
    inet /* listen address */ port 953
        allow { /* management hosts */ } keys { "rndc-key"; };
};

// LAN clients: recursive resolution via the internal forwarders.
view "internal" {
    match-clients { "lan"; };

    recursion yes;

    // forwarders {; };
    forwarders { /* upstream resolvers */ };

    include "/etc/bind/named.conf.internal";
};

// Guest clients: recursion allowed, but a separate zone set.
view "guest" {
    match-clients { "guest"; };

    recursion yes;

    include "/etc/bind/named.conf.guest";
};

// Everyone else: authoritative answers only, no recursion (not an open resolver).
view "external" {
    match-clients { any; };

    recursion no;

    include "/etc/bind/named.conf.external";
};

Keycloak + HAProxy

I would have thought this to be a common deployment, but I had quite a significant challenge in getting this setup to run.


Here is my working config for Keycloak behind a reverse proxy.

Traffic flow

Client -> HTTPS -> HAProxy -> HTTPS -> Keycloak container



global
    maxconn 4000
    tune.ssl.default-dh-param 2048

listen stats
    mode http
    stats enable
    stats uri /stats
    # the realm is a single argument, so the space must be escaped
    stats realm HAProxy\ Statistics
    stats auth statsadmin:passwd

frontend http
    bind *:80
    mode http

    # let ACME http-01 challenges through on port 80, redirect everything else to HTTPS
    acl letsencrypt-acl path_beg -i /.well-known/acme-challenge/
    http-request redirect scheme https if !letsencrypt-acl
    use_backend letsencrypt if letsencrypt-acl

    timeout client 1h

backend letsencrypt
    mode http
    server letsencrypt
    timeout connect 1h
    timeout server 1h

backend kc
    mode http
    # ssl: re-encrypt towards the Keycloak container's TLS port;
    # verify none: HAProxy does not validate the container's certificate
    server cps01 check ssl verify none
    timeout connect 1h
    timeout server 1h

frontend https
    bind *:443 ssl crt /certs/dev-server4.pem
    mode http
    use_backend kc if { ssl_fc_sni -i }
    default_backend kc
    timeout client 1h


PROXY_ADDRESS_FORWARDING=true seems to conflict with using `http-request add-header X-Forwarded-Proto https` in HAProxy, which is required for some services (OpenStack Horizon).
So use PROXY_ADDRESS_FORWARDING=false and have HAProxy pass the traffic to the SSL port on the Keycloak container instead of the HTTPS port.

Docker commands for Keycloak and HAProxy

docker run -d -p 8080:8080 -p 8443:8443 -e DB_VENDOR=MYSQL -e DB_ADDR= -e DB_DATABASE=keycloak -e DB_USER=keycloak -e DB_PASSWORD=dbpass -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=kcpass -e PROXY_ADDRESS_FORWARDING=false --name keycloak jboss/keycloak
docker run -d -p 9010:9010 -p 80:80 -p 443:443 --net host --name haproxy -v /home/ubuntu/proxy/config:/usr/local/etc/haproxy:ro -v /home/ubuntu/proxy/certs:/certs:ro haproxy haproxy -f /usr/local/etc/haproxy/haproxy.cfg

Note that with --net host the HAProxy container shares the host's network namespace, so the -p mappings on that second command are not used: the listeners in haproxy.cfg bind directly to the host's ports, and Keycloak's published 8443 port is reachable from HAProxy on the host address.