diff --git a/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2 b/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2
index 6ac9fa6d..50047ce0 100644
--- a/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2
+++ b/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2
@@ -16,7 +16,7 @@ server
   {% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %}
 
   {% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
-    {% set acl = applications | get_app_conf(application_id, 'oauth2_proxy.acl', True) | default({}) %}
+    {% set acl = applications | get_app_conf(application_id, 'oauth2_proxy.acl', False, {}) %}
 
     {% if acl.blacklist is defined %}
       {# 1. Expose everything by default, then protect blacklisted paths #}
diff --git a/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 b/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
index 9f55d692..3a2aed63 100644
--- a/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@@ -1,7 +1,7 @@
 http_address            =   "0.0.0.0:4180"
 cookie_secret           =   "{{ applications | get_app_conf(oauth2_proxy_application_id, 'credentials.oauth2_proxy_cookie_secret', True) }}"
 cookie_secure           =   "true"                                                                                                                                                  # True is necessary to force the cookie set via https
-upstreams               =   "http://{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.application', True) }}:{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.application', True) }}"
+upstreams               =   "http://{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.application', True) }}:{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.port', True) }}"
 cookie_domains          =   ["{{ domains | get_domain(oauth2_proxy_application_id) }}", "{{ domains | get_domain('keycloak') }}"]                                                   # Required so cookie can be read on all subdomains.
 whitelist_domains       =   [".{{ primary_domain }}"]                                                                                                                               # Required to allow redirection back to original requested target.
 
@@ -13,7 +13,7 @@ oidc_issuer_url         =   "{{ oidc.client.issuer_url }}"
 provider                =   "oidc"
 provider_display_name   =   "{{ oidc.button_text }}"
 
-{% if applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.allowed_groups', True) is defined %}
+{% if applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.allowed_groups', False) %}
 {# role based restrictions #}
 scope                   =   "openid email profile {{ oidc.claims.groups }}"
 oidc_groups_claim       =   "{{ oidc.claims.groups }}"