Azure Web Application Firewall custom rule that applies the exposed path recommendations for Keycloak, restricted by Host request header and permitted remote IP addresses.
# Replace the {{ host }} value in matchConditions[0].matchValues with an array of allowed Host header
# values, and the {{ remoteAddr }} value in matchConditions[2].matchValues with an array of allowed
# remote IP addresses. The rule blocks a request only when all three conditions match: the Host header
# is listed, the URI matches one of the path patterns, and the remote address is not in the permitted list.
# For more information on exposed path recommendations in Keycloak, see
# https://www.keycloak.org/server/reverseproxy#_exposed_path_recommendations
{
  "action": "Block",
  "matchConditions": [
    {
      "matchValues": [
        "{{ host }}"
      ],
      "matchVariables": [
        {
          "selector": "host",
          "variableName": "RequestHeaders"
        }
      ],
      "negationConditon": false,
      "operator": "Equal",
      "transforms": []
    },
    {
      "matchValues": [
        "\\/welcome",
        "\\/metrics",
        "\\/health",
        "\\/$",
        "\\/admin.*"
      ],
      "matchVariables": [
        {
          "variableName": "RequestUri"
        }
      ],
      "negationConditon": false,
      "operator": "Regex",
      "transforms": []
    },
    {
      "matchValues": [
        "{{ remoteAddr }}"
      ],
      "matchVariables": [
        {
          "variableName": "RemoteAddr"
        }
      ],
      "negationConditon": true,
      "operator": "IPMatch",
      "transforms": []
    }
  ],
  "name": "KeycloakExposedPathRecommendations",
  "priority": 99,
  "ruleType": "MatchRule",
  "state": "Enabled"
}
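An added example, not part of the original gist: a small Python model of how the rule's three conditions combine, useful for checking which requests a filled-in copy would block before deploying it. The host and IP values are constructed, the helper names (`evaluate`, `req`, `condition_matches`, `variable`) are hypothetical, and the semantics are assumptions about the WAF engine: conditions are ANDed, match values are ORed, and `Regex` is an unanchored search over the request path.

```python
import ipaddress
import json
import re

# The gist's rule with its placeholders filled by constructed values.
RULE = json.loads(r'''
{"action": "Block", "matchConditions": [
  {"matchValues": ["sso.example.test"],
   "matchVariables": [{"selector": "host", "variableName": "RequestHeaders"}],
   "negationConditon": false, "operator": "Equal"},
  {"matchValues": ["\\/welcome", "\\/metrics", "\\/health", "\\/$", "\\/admin.*"],
   "matchVariables": [{"variableName": "RequestUri"}],
   "negationConditon": false, "operator": "Regex"},
  {"matchValues": ["203.0.113.0/24", "198.51.100.7"],
   "matchVariables": [{"variableName": "RemoteAddr"}],
   "negationConditon": true, "operator": "IPMatch"}]}
''')

# Assumed operator semantics; Regex is modelled as an unanchored search.
OPERATORS = {
    "Equal": lambda value, pattern: value == pattern,
    "Regex": lambda value, pattern: re.search(pattern, value) is not None,
    "IPMatch": lambda value, pattern: ipaddress.ip_address(value)
    in ipaddress.ip_network(pattern, strict=False),
}

def variable(request, spec):
    """Resolve one matchVariable against a request dict (hypothetical shape)."""
    if spec["variableName"] == "RequestHeaders":
        return request["headers"].get(spec["selector"], "")
    return request[spec["variableName"]]

def condition_matches(cond, request):
    """Any value on any variable matches; the negation flag inverts the result."""
    op = OPERATORS[cond["operator"]]
    hit = any(op(variable(request, var), val)
              for var in cond["matchVariables"] for val in cond["matchValues"])
    return hit != cond["negationConditon"]

def evaluate(rule, request):
    """Return the rule's action when every condition matches, else 'Pass'."""
    if all(condition_matches(c, request) for c in rule["matchConditions"]):
        return rule["action"]
    return "Pass"

def req(host, uri, ip):
    """Build a constructed request for evaluate()."""
    return {"headers": {"host": host}, "RequestUri": uri, "RemoteAddr": ip}
```

Under the unanchored-search assumption, the `\/$` pattern matches any URI ending in `/`, so a path such as `/realms/master/account/` is also blocked for addresses outside the permitted list; run the model over the paths your clients actually use before enabling the rule.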