Grafana with Screenly OSE
To use Grafana Bearer tokens you need to be able to inject headers which you can’t do in the OSS version of Screenly. To get around this you can just run a NGiNX proxy on the host and reverse proxy to the Grafana server and use NGiNX to inject the required headers.
I HAVEN’T TESTED THIS YET ON SCREENLY OSE, BUT SINCE IT’S JUST RUNNING ON RAPSBERRY PI OS THERE SHOULDN’T BE AN ISSUE, I WILL BE TESTING EVENTUALLY
Proxy website through NGiNX to get on the TOR network
This tutorial assumings the set up below
NGINX CLEARWEB (web site hosted via SSL port 443) -> NGINX (reverse proxy for HTTPS website, converts website to HTTP and rewrites all 'DOMAIN.COM' to new .ONION address) -> TOR PROXY SERVICE
Install Tor
apt install tor
Configure Tor
nano /etc/tor/torrc
Add the lines below to the file above
HiddenServiceDir /var/lib/tor/domain.com/ HiddenServicePort 80 127.0.0.1:4879 Find Tor hostname
cat /var/lib/tor/domain.com/hostname
Now it’s time to configure NGiNX
Keycloak behind NGiNX
Configure NGiNX nano /etc/nginx/conf.d/sso.domain.com.conf
server { listen 443 ssl http2; server_name sso.domain.com; ssl_certificate /etc/nginx/ssl/sso.domain.com/fullchain.crt; ssl_certificate_key /etc/nginx/ssl/sso.domain.com/key; ssl_session_timeout 5m; location / { proxy_pass http://127.0.0.1:8080/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; } } Configure Keycloak The following is needs to be ran for Keycloak to work behind nginx
cd bin
./jboss-cli.sh 'embed-server,/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)'
./jboss-cli.sh 'embed-server,/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)'
4 ./jboss-cli.sh 'embed-server,/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)'