Named \ Bind9 example config

I came across this nice example of a bind9 config file that handles multiple subnets/VLANs/zones and treats each of them differently

server:/var/named/etc/bind# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//

// Client classes referenced by the views further down.
// "lan": loopback plus the trusted internal subnet.
acl "lan" {
"localhost";
192.168.16.0/24;
};

// "guest": broad RFC 1918 ranges. 192.168.16.0/24 is also inside
// 192.168.0.0/16, so the two ACLs overlap; which view a client lands in
// is decided by view order (first matching view wins), not by this ACL alone.
acl "guest" {
192.168.0.0/16;
10.0.0.0/8;
};

options {
directory "/var/cache/bind";
// Only loopback is bound. NOTE(review): with this setting the "guest" and
// "external" views below can only be reached by queries that arrive on
// localhost; if remote clients are meant to use them, widen listen-on to
// the specific interfaces deliberately rather than opening it to any.
listen-on { "localhost"; };

// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.

// query-source address * port 53;

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// (In this file the forwarders are set per view instead, see "internal".)

auth-nxdomain no; # conform to RFC1035

};

// Shared secret for rndc; the file should be readable by the named user only.
// The key defined there must be named "rndc-key" to match the controls block.
include "/etc/bind/rndc.key";

// rndc control channel: loopback only, and only with the named key, so the
// server cannot be reloaded or stopped from the network.
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Views are evaluated in the order written: a client is served by the first
// view whose match-clients accepts it. "internal" must therefore stay ahead
// of "guest", because the "lan" prefix is also contained in the "guest" ACL.
view "internal" {
match-clients { "lan"; };

// Recursive service for trusted LAN clients only (the view itself limits
// who can reach it, so no separate allow-recursion is needed here).
recursion yes;

// Alternative: forward to the local gateway instead of public resolvers.
// forwarders { 192.168.1.254; };
// Recursive lookups for LAN clients are sent to Google's public resolvers;
// be aware that all internal query names leave the network to a third party.
// No "forward only" is set, so on forwarder failure named appears to fall
// back to full recursion itself -- confirm against the installed BIND version.
forwarders { 8.8.8.8; 8.8.4.4; } ;

include "/etc/bind/named.conf.internal";

};

// Guest networks: recursion is allowed but no forwarders are set, so named
// resolves from the root servers directly for these clients.
view "guest" {
match-clients { "guest"; };

recursion yes;

include "/etc/bind/named.conf.guest";

};

// Catch-all for everyone else: authoritative answers only. recursion no
// keeps this server from acting as an open resolver for the outside.
view "external" {
match-clients { any; };

recursion no;

include "/etc/bind/named.conf.external";

};


Keycloak + HAProxy

I would have thought this to be a common deployment, but I had quite a significant challenge in getting this setup to run

 

Here is my working config for Keycloak behind a reverse proxy

Traffic flow

Client (keycloak.hawkless.id.au) -> HTTPS -> HAProxy -> HTTPS -> Keycloak container

 

haproxy.cfg

# Process-wide settings. NOTE(review): there is no `log` directive here, so
# HAProxy emits no connection/request logs at all; add one if you want an
# audit trail in front of Keycloak (the config has no other log line).
global
maxconn 4000
# Minimum DH parameter size for DHE ciphers on the TLS listener below.
tune.ssl.default-dh-param 2048

# Statistics page. It is bound on every interface, served over plain HTTP
# (no `ssl` on the bind line), and protected only by a placeholder password,
# so the credential crosses the network in cleartext. Change the password,
# and prefer binding to loopback or a management address before deploying.
listen stats
bind 0.0.0.0:9010
mode http
stats enable
stats uri /stats
stats realm HAProxy Statistics
stats auth statsadmin:passwd


# Plain-HTTP listener. It exists only to answer ACME HTTP-01 challenges and
# to bounce every other request to HTTPS.
frontend http
bind *:80
mode http

# Requests under /.well-known/acme-challenge/ go to the ACME client backend;
# everything else is redirected to https (a 302 by default; append
# `code 301` if a permanent redirect is preferred).
acl letsencrypt-acl path_beg -i /.well-known/acme-challenge/
http-request redirect scheme https if !letsencrypt-acl
use_backend letsencrypt if letsencrypt-acl

# One-hour client timeout: idle connections can hold slots against
# maxconn 4000 for a long time on this listener.
timeout client 1h


# Backend for ACME challenges: presumably a standalone ACME client listening
# on loopback port 8888 -- confirm what actually serves that port.
backend letsencrypt
mode http
server letsencrypt 127.0.0.1:8888
timeout connect 1h
timeout server 1h

# Keycloak itself, reached over TLS on its 8443 port (see the docker run line
# further down). `verify none` skips certificate validation on this hop,
# which is tolerable only because it stays on loopback; if Keycloak ever
# moves to another host, switch to `verify required` with a `ca-file`.
# `check` enables health checking of the server.
backend kc
mode http
server cps01 127.0.0.1:8443 check ssl verify none
timeout connect 1h
timeout server 1h


# TLS terminates here; /certs is mounted read-only into the container.
frontend https
bind *:443 ssl crt /certs/dev-server4.pem
mode http
# The SNI rule and default_backend currently name the same backend, so the
# rule is redundant; it only matters once a second backend is added. Note
# the traffic-flow text above uses keycloak.hawkless.id.au while this acl
# tests kc.hawkless.id.au -- harmless today only because of default_backend.
use_backend kc if { ssl_fc_sni -i kc.hawkless.id.au }
default_backend kc
# No `option forwardfor` is set, so Keycloak sees the proxy as the client.
# That is consistent with PROXY_ADDRESS_FORWARDING=false on the docker line
# below, but it means Keycloak's own logs cannot record real client
# addresses; HAProxy logs would have to provide that (see `global`).
timeout client 1h



 

PROXY_ADDRESS_FORWARDING = true seems to conflict with using “http-request add-header X-Forwarded-Proto: https” in HAProxy, which is required for some services (OpenStack Horizon).
So use PROXY_ADDRESS_FORWARDING = false and have HAProxy pass the traffic to the SSL port (8443) on the Keycloak container rather than the plain HTTP port.

Docker commands for Keycloak and HAProxy

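# Keycloak. Its ports are published on loopback only: HAProxy (host network,
# below) reaches it at 127.0.0.1:8443, and nothing else should be able to
# bypass the proxy by hitting 8080 (plain HTTP) or 8443 directly from the LAN.
# The -e values here are placeholders (dbpass, kcpass); on a real host pass
# them via --env-file or a secrets mechanism so they do not end up in shell
# history and `docker inspect` output.
docker run -d -p 127.0.0.1:8080:8080 -p 127.0.0.1:8443:8443 -e DB_VENDOR=MYSQL -e DB_ADDR=192.168.2.1 -e DB_DATABASE=keycloak -e DB_USER=keycloak -e DB_PASSWORD=dbpass -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=kcpass -e PROXY_ADDRESS_FORWARDING=false --name keycloak jboss/keycloak

# HAProxy on the host network. With --net host, -p mappings are ignored by
# Docker, so they are dropped; the listeners in haproxy.cfg (80, 443, 9010)
# bind directly on the host. Config and certs are mounted read-only.
docker run -d --net host --name haproxy -v /home/ubuntu/proxy/config:/usr/local/etc/haproxy:ro -v /home/ubuntu/proxy/certs:/certs:ro haproxy haproxy -f /usr/local/etc/haproxy/haproxy.cfg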