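# TLS-terminating reverse proxy in front of Keycloak.
# Port 80 serves ACME HTTP-01 challenge files and redirects everything else
# to HTTPS; port 443 terminates TLS and proxies to the Keycloak container.
events { }

http {
    server {
        listen 80;
        server_name _;

        # ACME HTTP-01 challenge files are served from /acme.
        location /.well-known/acme-challenge {
            root /acme;
            try_files $uri $uri/ =404;
        }

        location / {
            # NOTE(review): server_name _ is a catch-all, so $host comes from
            # the client-supplied Host header and is reflected into the
            # redirect target. Pin server_name to the real hostname(s) if the
            # redirect should only ever point at this service.
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name _;

        include /etc/nginx/mime.types;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_certificate /certs/keycloak-cert.pem;
        ssl_certificate_key /certs/keycloak-key.pem;

        # To forward the original client's IP address.
        # $proxy_protocol_addr is only populated when the listen directive
        # carries the proxy_protocol parameter, which it does not here; the
        # variable would be empty and nginx does not pass a header whose value
        # is empty, so Keycloak would never see the client address.
        # $remote_addr is the directly connected peer and overwrites any
        # X-Forwarded-For value the client sent, so it cannot be spoofed.
        # If a PROXY-protocol load balancer is placed in front of nginx, add
        # proxy_protocol to the listen line and use the realip module
        # (set_real_ip_from / real_ip_header proxy_protocol) instead.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;  # To forward the original protocol (HTTP or HTTPS)
        proxy_set_header Host $host;                 # To forward the original host requested by the client

        location / {
            # 'keycloak' refers to Keycloak's container name in docker-compose.
            # The hop to the backend is plain HTTP; port 8080 should stay
            # reachable only from this proxy, because Keycloak will trust the
            # X-Forwarded-* headers set above.
            proxy_pass http://keycloak:8080;
        }
    }
}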