system-config/playbooks/roles/keycloak/templates/keycloak.vhost.j2

<VirtualHost *:80>
  ServerName keycloak.opendev.org
  ServerAdmin webmaster@openstack.org

  ErrorLog ${APACHE_LOG_DIR}/keycloak-error.log

  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/keycloak-access.log combined

  Redirect / https://keycloak.opendev.org/

</VirtualHost>

<VirtualHost *:443>
  ServerName keycloak.opendev.org
  ServerAdmin webmaster@openstack.org

  AllowEncodedSlashes On

  ErrorLog ${APACHE_LOG_DIR}/keycloak-ssl-error.log

  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/keycloak-ssl-access.log combined

  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3
  # Note: this list should ensure ciphers that provide forward secrecy
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  SSLHonorCipherOrder on

  SSLCertificateFile /etc/letsencrypt-certs/keycloak.opendev.org/keycloak.opendev.org.cer
  SSLCertificateKeyFile /etc/letsencrypt-certs/keycloak.opendev.org/keycloak.opendev.org.key
  SSLCertificateChainFile /etc/letsencrypt-certs/keycloak.opendev.org/ca.cer

  BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

  RewriteEngine on

  # Do not rewrite the /server-status URL (though by default, this
  # is only accessible from localhost).  Connect to it with:
  # ssh -L 8443:localhost:443 $HOSTNAME
  # https://localhost:8443/server-status
  RewriteRule ^/server-status$ /server-status [L]

  ProxyPass  / http://[::1]:8080/ retry=0
  ProxyPassReverse / http://[::1]:8080/
  ProxyPreserveHost on
  RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

</VirtualHost>