haproxy.cfg

defaults
    timeout connect 10s
    timeout client 30s
    timeout server 30s
    log global
    mode http
    option httplog
    maxconn 3000
    log 127.0.0.1 local0

frontend haproxy
    #public IP address
    bind 10.240.0.12:80
    bind 10.240.0.12:443 ssl crt /etc/ssl/private/keycloak.example.com.pem

    # HTTPS redirect
    redirect scheme https code 301 if !{ ssl_fc }

    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl

    http-request redirect scheme https unless { ssl_fc }
        default_backend sigstore_keycloak
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

backend sigstore_keycloak
    http-request redirect scheme https unless { ssl_fc }
        server sigstore_keycloak_internal 10.240.0.12:8080

backend letsencrypt-backend
    server certbot_internal 127.0.0.1:9080