Skip to content
heavy alpha — not for production use
Reverse Proxy

Reverse Proxy

Caddy (recommended)

The bootstrap script can configure Caddy as an automatic SSL reverse proxy. If you chose Caddy during install, no further configuration is needed — Caddy handles certificate provisioning and renewal automatically via Let’s Encrypt.


Cloudflare / custom proxy

If you’re running Lintune behind Cloudflare or another proxy, Keycloak needs to be explicitly told it is behind a proxy and what its public hostname is — otherwise it generates incorrect redirect URLs.

Update /opt/keycloak/keycloak.conf:

proxy-headers=xforwarded
hostname=auth.yourdomain.com
http-enabled=true
Setting Description
proxy-headers xforwarded — tells Keycloak to trust X-Forwarded-* headers from the proxy
hostname Your public Keycloak domain
http-enabled true — allows Keycloak to accept plain HTTP from the local proxy while the proxy handles public HTTPS

After changing keycloak.conf, restart Keycloak:

cd /opt/keycloak && docker compose restart

Lintune admin / dash

Both Laravel apps trust proxy headers when running in Docker. APP_URL in each env file must be set to the public HTTPS URL, and the proxy must forward X-Forwarded-For and X-Forwarded-Proto headers.

KEYCLOAK_BASE_URL must also match the public HTTPS URL and must not have a trailing slash — a trailing slash produces double-slash paths that Keycloak rejects.

# Correct
KEYCLOAK_BASE_URL=https://auth.yourdomain.com

# Wrong — trailing slash breaks Keycloak API calls
KEYCLOAK_BASE_URL=https://auth.yourdomain.com/