npub1tj54dz997wrdyqgf8sc36z3upy3ld0ujmwqyx42dtqxcwc7l68fqlx5ry2 (npub1tj5…5ry2) Even if in theory I could put both Keycloak and nginx to run directly behind my residential router and expose the ports directly, this isn't what I've done (nor what I've done for most of my web-based services).
I have a Linode box with a static public IP that runs nginx as a pure reverse proxy; it has some VPN interfaces configured, and it reverse proxies requests to the devices behind my router over VPN.
It may be an excess of precaution, but in general I avoid exposing HTTP-based services directly through my residential router - better to have an external box connected over controlled VPN connections to reverse proxy the requests.
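
A sketch of the layout described in the post above, added here as an example and not taken from the poster's own configuration. The hostname, certificate paths, backend port and the 10.8.0.2 tunnel address are constructed placeholders, and terminating TLS on the external box is an assumption.

```nginx
# Runs on the external box with the static public IP.
# All names and addresses below are constructed placeholders.

upstream keycloak_home {
    # The home device is addressed by its VPN tunnel address only,
    # so the residential router needs no inbound port forward.
    server 10.8.0.2:8080;
}

server {
    listen 80;
    server_name sso.example.org;
    # Plain HTTP is only used to redirect to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name sso.example.org;

    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    location / {
        proxy_pass http://keycloak_home;

        # Overwrite the forwarding headers instead of appending to them,
        # so values supplied by the client are never passed to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
    }
}
```

On the home side, the service should listen only on the VPN interface (or be firewalled to the tunnel peer), so the proxy is the single path in. Keycloak also has to be configured to trust the forwarded headers from the proxy, otherwise it builds redirect URLs from the internal address.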