Hi,
I’m a self-hoster running a home lab. I’m semi-new to Linux and Keycloak, so please be gentle.
I have successfully set up Keycloak with an OpenLDAP backend. I have it running the production profile with a wildcard cert from Let’s Encrypt. Using the server’s internal hostname I can successfully authenticate using OpenID Connect with any of my systems: Nextcloud, Proxmox, etc. Now I am trying to set up a reverse proxy so I can use Keycloak outside my network. I have a domain registered. I have HAProxy set up on my OPNsense firewall. I have HAProxy configured and working well on Home Assistant, Nextcloud, Jellyfin, and more. However, when I try to set it up for Keycloak I am experiencing issues. I have done it like I do for the rest of my systems: a “Real Server” pointing to the internal hostname of my Keycloak server, a “Backend Pool” with the “Real Server” in it, a “Condition” which matches “idm.mydomainname.com”, and a rule to use the “Condition”. Then I add the “Rule” to my “Public Service” and apply the config. For the most part it appears to have worked; I can access Keycloak’s web UI using the public address. But when I try to use that public address from one of my applications they all complain. Nextcloud won’t even allow me to save the setting; Proxmox allows me to save but I get an error when trying to authenticate. Doing some testing from the Nextcloud server, I can curl the “.well-known/openid-configuration” address without issue, but if I try to wget it I get a “400 Bad Request” error. If I try to bring it up in the browser the page views fine. This seems very strange to me. In the Nextcloud log I can see the same “400 Bad Request” error.
Here is the relevant part of my Keycloak config:
```
proxy=reencrypt
hostname-strict=false
proxy-headers=xforwarded
proxy-trusted-addresses=192.168.1.1
```
Planning to post a similar topic in the HAProxy forum in case this is something more on that side, but hoping someone can help. Thanks in advance.
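One check worth running alongside the 400 investigation: with `hostname-strict=false` and `proxy-headers=xforwarded`, Keycloak builds the URLs in the discovery document from the forwarded headers, so if the proxy does not pass the public hostname through, clients that use the public address receive an issuer and endpoints pointing at the internal name and reject them. The script below is an added example, not code from the poster or from Keycloak; it fetches `/realms/<realm>/.well-known/openid-configuration` through the proxy and reports every advertised URL whose host differs from the public one. The realm name `home`, the internal hostname `keycloak.internal.lan` and the sample document are constructed for the example.

```python
import json
import sys
import urllib.request
from urllib.parse import urlparse

# Constructed sample of what a reverse-proxied Keycloak can return when the proxy
# does not forward the public hostname: some URLs still carry the internal name.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.internal.lan:8443/realms/home",
    "authorization_endpoint": "https://keycloak.internal.lan:8443/realms/home/protocol/openid-connect/auth",
    "token_endpoint": "https://idm.mydomainname.com/realms/home/protocol/openid-connect/token",
    "jwks_uri": "https://idm.mydomainname.com/realms/home/protocol/openid-connect/certs",
})

# Discovery keys whose values are URLs an OIDC client will actually contact.
URL_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
            "userinfo_endpoint", "jwks_uri", "end_session_endpoint")


def find_host_mismatches(discovery_json: str, public_host: str) -> dict:
    """Return {key: host_found} for every advertised URL whose host is not public_host."""
    doc = json.loads(discovery_json)
    mismatches = {}
    for key in URL_KEYS:
        value = doc.get(key)
        if not value:
            continue
        host = urlparse(value).hostname
        if host != public_host:
            mismatches[key] = host
    return mismatches


def fetch_discovery(base_url: str, realm: str) -> str:
    """Fetch the realm's discovery document through the proxy as a plain JSON client."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Usage: python check_discovery.py https://idm.mydomainname.com home
    # Without arguments the constructed sample is checked instead of a live server.
    live = len(sys.argv) == 3
    body = fetch_discovery(sys.argv[1], sys.argv[2]) if live else SAMPLE_DISCOVERY
    public_host = urlparse(sys.argv[1]).hostname if live else "idm.mydomainname.com"
    bad = find_host_mismatches(body, public_host)
    print("all advertised URLs use the public hostname" if not bad else f"mismatches: {bad}")
```

If the live run reports mismatches, the fix is on the proxy side (forward the public host to Keycloak) or in Keycloak's hostname settings, and the mismatch is worth fixing before chasing the wget 400 further, since the two can produce similar client errors.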