stack-orchestrator/app/data/config/mainnet-eth-keycloak/nginx.example

server {
    listen 80;
    server_name my.example.com;

    # See: https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode
    # and  https://datatracker.ietf.org/doc/html/rfc8555
    location ~ ^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$ {
      default_type text/plain;
      return 200 "$1.MY_ACCOUNT_THUMBPRINT_GOES_HERE";
    }

    location / {
      return 301 https://$host$request_uri;
    }
}

upstream geth-pool {
  keepalive 100;
  hash $user_id consistent;
  server server-a:8545;
  server server-b:8545;
  server server-c:8545;
}

# self-reg happens on one server for clarity
upstream reg-ui-pool {
  keepalive 100;
  server server-a:8085;
}

upstream reg-api-pool {
  keepalive 100;
  server server-a:8086;
}

# auth uses server-a if available
upstream auth-pool {
  keepalive 100;
  server server-a:8080;
  server server-b:8080 backup;
  server server-c:8080 backup;
}

log_format upstreamlog '[$time_local] $remote_addr $user_id - $server_name $host to: $upstream_addr: $request $status upstream_response_time $upstream_response_time msec $msec request_time $request_time';
proxy_cache_path                /var/cache/nginx/auth_cache levels=1 keys_zone=auth_cache:1m max_size=5m inactive=60m;
server {
    listen 443 ssl http2;
    server_name my.example.com;
    access_log /var/log/nginx/my.example.com-access.log upstreamlog;
    error_log /var/log/nginx/my.example.com-error.log;

    ssl_certificate /etc/nginx/ssl/my.example.com/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/my.example.com/key.pem;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    #rewrite ^/?$ /newuser/;
    rewrite ^/?$ https://www.example.com/;


    # geth-pool ETH API
    location ~ ^/v1/eth/?([^/]*)$ {
        set $apiKey $1;
        if ($apiKey = '') {
          set $apiKey $http_X_API_KEY;
        }
        auth_request /auth;
        auth_request_set $user_id $sent_http_x_user_id;
        rewrite /.*$ / break;

        client_max_body_size 3m;
        client_body_buffer_size 3m;
        proxy_buffer_size          32k;
        proxy_buffers              16 32k;
        proxy_busy_buffers_size    96k;

        proxy_pass  http://geth-pool;
        proxy_set_header X-Original-Remote-Addr $remote_addr;
        proxy_set_header X-User-Id $user_id;
    }
    
    # keycloak
    location = /auth {
        internal;
        proxy_cache auth_cache;
        proxy_cache_key "$apiKey";
        proxy_cache_valid 200 300s;
        proxy_cache_valid 401 30s;
        proxy_pass http://auth-pool/auth/realms/cerc/check?memberOf=eth&apiKey=$apiKey;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Original-Remote-Addr $remote_addr;
        proxy_set_header X-Original-Host $host;
    }

    location /newuser/ {
        proxy_pass  http://reg-ui-pool/;
    }

    location /user-api/ {
        proxy_pass  http://reg-api-pool/;
    }
}