[keycloak-user] How to configure Keycloak in case of Reverse Proxy with NAT?

Michael Furman michael_furman at hotmail.com
Sun Nov 27 23:34:20 EST 2016


Hi all,
I need to configure Keycloak to work behind a Reverse Proxy with Network Address Translation.
I have servers that have an external IP for access from a browser and an internal IP for inter-process access.
Also, it is not possible to access external IPs from internal IPs.

Therefore, the following configuration should be returned upon the call of http://<external IP>/auth/realms/master/.well-known/openid-configuration:

  "issuer":"http://<external IP>/auth/realms/master",
  "authorization_endpoint":"http://<external IP>/auth/realms/master/protocol/openid-connect/auth",
  "token_endpoint":"http://<internal IP>/auth/realms/master/protocol/openid-connect/token",
  "userinfo_endpoint":"http://<internal IP>/auth/realms/master/protocol/openid-connect/userinfo",
  "jwks_uri":"http://<internal IP>/auth/realms/master/protocol/openid-connect/certs",
  "end_session_endpoint":"http://<external IP>/auth/realms/master/protocol/openid-connect/logout",
  "check_session_iframe":"http://<external IP>/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
  "token_introspection_endpoint":"http://<internal IP>/auth/realms/master/protocol/openid-connect/token/introspect",

Will be happy for any insights.
Michael
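
One way to check a realm's discovery document against the external/internal split listed in the message above. This is an added example, not part of the original post and not Keycloak code; the addresses 203.0.113.10 and 10.0.0.5 and the names `check_discovery` and `sample_document` are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Endpoints reached by the browser (front channel) and endpoints reached
# server-to-server (back channel), grouped as in the message above.
FRONT_CHANNEL = {"issuer", "authorization_endpoint",
                 "end_session_endpoint", "check_session_iframe"}
BACK_CHANNEL = {"token_endpoint", "userinfo_endpoint", "jwks_uri",
                "token_introspection_endpoint"}


def check_discovery(raw_json, external_host, internal_host):
    """Return (key, advertised_host, expected_host) for every mismatch."""
    doc = json.loads(raw_json)
    problems = []
    for key in sorted(FRONT_CHANNEL | BACK_CHANNEL):
        expected = external_host if key in FRONT_CHANNEL else internal_host
        value = doc.get(key)
        # A missing endpoint is reported with advertised_host = None.
        actual = urlsplit(value).hostname if value else None
        if actual != expected:
            problems.append((key, actual, expected))
    return problems


# Constructed sample data (assumed addresses, paths taken from the message).
EXTERNAL, INTERNAL = "203.0.113.10", "10.0.0.5"
OIDC = "/protocol/openid-connect"
PATHS = {"issuer": "", "authorization_endpoint": OIDC + "/auth",
         "token_endpoint": OIDC + "/token",
         "userinfo_endpoint": OIDC + "/userinfo",
         "jwks_uri": OIDC + "/certs",
         "end_session_endpoint": OIDC + "/logout",
         "check_session_iframe": OIDC + "/login-status-iframe.html",
         "token_introspection_endpoint": OIDC + "/token/introspect"}


def sample_document(host_for):
    """Build a constructed discovery document; host_for maps key -> host."""
    return json.dumps({k: "http://%s/auth/realms/master%s" % (host_for(k), p)
                       for k, p in PATHS.items()})


if __name__ == "__main__":
    # Every endpoint advertised on the external host: back channel mismatches.
    all_external = sample_document(lambda key: EXTERNAL)
    for key, actual, expected in check_discovery(all_external, EXTERNAL, INTERNAL):
        print(f"{key}: advertised {actual}, expected {expected}")
```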


