In the Keycloak docs it's recommended that we do not expose some URLs for the sake of security.
For example, /admin should not be (or does not need to be) exposed.
However, we have an instance of a Keycloak on a VPS which we have rented from a VPS provider, and we have an Nginx reverse proxy on the same VPS.
My question is, if we don’t expose those URLs, then how can we access those paths?
Maybe there is something that I’m missing from the overall architecture here.
You can expose them using another reverse proxy, but with source address restrictions. The idea is that you probably don’t want the admin console open to the internet, but sometimes this is not possible.
In that case, you can expose the admin console under another hostname and IP address if possible, one that is not visible for your normal users.
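The split described in the answer above, as an added example that is not part of the original thread and not Keycloak's own documentation: one Nginx server block for the public hostname that refuses the admin, metrics and health paths, and a second block on a separate hostname (and, if available, a separate IP) that proxies everything but only for listed source ranges. The hostnames, the 127.0.0.1:8080 backend and the allowed ranges are assumptions; replace them with your own.

```nginx
# Assumption: Keycloak listens on 127.0.0.1:8080 on the same VPS
# (plain HTTP, since Nginx terminates TLS in front of it).
upstream keycloak {
    server 127.0.0.1:8080;
}

# Public hostname (assumed): only what users and OIDC clients need.
server {
    listen 443 ssl;
    server_name auth.example.com;                 # hypothetical

    ssl_certificate     /etc/nginx/certs/auth.example.com.crt;   # hypothetical path
    ssl_certificate_key /etc/nginx/certs/auth.example.com.key;   # hypothetical path

    # Admin console, admin REST API, metrics and health are not exposed here.
    # Regex locations are checked after the "/" prefix, so this wins.
    location ~ ^/(admin|metrics|health)(/|$) {
        return 404;
    }

    location / {
        proxy_pass http://keycloak;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
    }
}

# Admin hostname (assumed): not advertised to normal users, and bound to a
# second IP if the VPS has one (replace 198.51.100.5, a documentation address).
server {
    listen 198.51.100.5:443 ssl;
    server_name admin-auth.example.com;           # hypothetical

    ssl_certificate     /etc/nginx/certs/admin-auth.example.com.crt;  # hypothetical path
    ssl_certificate_key /etc/nginx/certs/admin-auth.example.com.key;  # hypothetical path

    # Source address restriction: assumed office/VPN ranges. Everything else
    # gets 403 before the request ever reaches Keycloak.
    allow 203.0.113.0/24;
    allow 10.8.0.0/24;
    deny  all;

    location / {
        proxy_pass http://keycloak;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
    }
}
```

Two caveats. `allow`/`deny` act on the TCP peer address, so if anything sits in front of Nginx (a provider load balancer, a CDN), the address it sees is that intermediary's and the restriction is meaningless until you configure `real_ip_header` with a trusted `set_real_ip_from` range. And Keycloak must be told to trust the `X-Forwarded-*` headers (its proxy-headers setting) and, if you want it to generate admin console links on the admin hostname, be given that hostname via its hostname-admin option; check the option names against the docs for the Keycloak version you run, since they have changed between releases.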
Thank you @weltonrodrigo, I understood. As always, a more secure solution means a more expensive and more sophisticated one. I guess for now we will just stick with strong usernames and passwords and MFA for the admin.