@Kurt108
Last active December 17, 2019 01:03
using keycloak-gatekeeper with matomo for single-sign on
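server {
    server_name analytics-admin-proxy.domain;
    root /var/www/piwik;
    access_log /var/log/nginx/access-piwik-admin.log combined;
    error_log /var/log/nginx/error-piwik-admin.log;
    index index.php;
    # Backend for keycloak-gatekeeper (its upstream-url is http://127.0.0.1:8081).
    # "listen 8081" binds every interface: the port must not be reachable from
    # outside, otherwise the Matomo UI can be requested without passing SSO.
    listen 8081 default_server;

    location / {
        # $is_args$args keeps the query string on the fallback to index.php
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location /index.php {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
    }
}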
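server {
    server_name analytics-admin.domain;
    root /var/www/piwik;
    access_log /var/log/nginx/access-piwik-adminproxy.log combined;
    error_log /var/log/nginx/error-piwik-adminproxy.log;
    listen 80;

    location / {
        # analytics_proxy is an upstream (or resolvable name) defined outside
        # this file; per the flow notes it is keycloak-gatekeeper on localhost:81
        proxy_pass http://analytics_proxy;
    }
}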
server {
    server_name analytics.domain;
    root /var/www/piwik;
    access_log off;
    error_log /var/log/nginx/error-piwik.log;
    index piwik.php;
    listen 80 default_server;

    location / {
        # $is_args$args keeps the query string on the fallback to index.php
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Public tracking endpoint
    location = /piwik.php {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
    }

    # index.php is served on the public host only for the opt-out action;
    # every other request to it gets a 404
    location /index.php {
        if ($arg_action != optOut) {
            return 404;
        }
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
    }
}
analytics.domain:80 => nginx serving index.php
analytics-admin.domain:80 => nginx proxy forward to localhost:81
localhost:81 => keycloak-proxy authenticates against sso => forwards to localhost:8081
localhost:8081 => nginx serving piwik.php
client-id: xxxxxxxxxx
client-secret: axxxxxxxxxxx
discovery-url: https://sso.domain/.well-known/openid-configuration
listen: 0.0.0.0:81
log-json: true
log-requests: true
redirection-url: https://analytics-admin.domain
resources:
  - uri: /*
secure-cookie: true
upstream-url: http://127.0.0.1:8081
verbose: true
headers:
  Authorization:
    Basic:
      - Piwik
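
An added example, not part of the original gist: a small Python check of the listener chain described above. It flags the Matomo backend port and the gatekeeper port when they are bound beyond loopback; the function names and the trimmed sample configs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: only the listener lines of the configs shown above.
NGINX_CONF = """
server {
    server_name analytics-admin-proxy.domain;
    listen 8081 default_server;
}
server {
    server_name analytics-admin.domain;
    listen 80;
}
"""
GATEKEEPER_CONF = """
listen: 0.0.0.0:81
upstream-url: http://127.0.0.1:8081
"""

def is_loopback(addr):
    return addr.startswith(("127.", "localhost", "[::1]"))

def nginx_listens(conf):
    """Yield (server_name, address, port) for each 'listen [addr:]port'."""
    for block in re.findall(r"server\s*\{(.*?)\n\}", conf, re.S):
        name = re.search(r"server_name\s+([^;\s]+)", block)
        for spec in re.findall(r"^\s*listen\s+([^;\s]+)", block, re.M):
            addr, _, port = spec.rpartition(":")
            if port.isdigit():  # skip unix: sockets and port-less forms
                yield (name.group(1) if name else "_", addr or "*", int(port))

def audit(nginx_conf, gatekeeper_conf):
    """Flag listeners in the SSO chain that are bound beyond loopback."""
    gk = dict(re.findall(r"^([\w-]+):\s*(\S+)", gatekeeper_conf, re.M))
    backend_port = urlsplit(gk["upstream-url"]).port
    gk_addr, _, gk_port = gk["listen"].rpartition(":")
    findings = []
    for name, addr, port in nginx_listens(nginx_conf):
        if port == backend_port and not is_loopback(addr):
            findings.append(f"{name}: backend port {port} listens on {addr}; "
                            "requests to it never pass keycloak-gatekeeper")
    if not is_loopback(gk_addr):
        findings.append(f"gatekeeper: port {gk_port} listens on {gk_addr}; "
                        "clients can reach it without the nginx front end")
    return findings

if __name__ == "__main__":
    for finding in audit(NGINX_CONF, GATEKEEPER_CONF):
        print(finding)
```

Binding the backend with `listen 127.0.0.1:8081;` and the gatekeeper with `listen: 127.0.0.1:81` makes both findings disappear; a host firewall on those ports achieves the same effect without touching the configs.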