Smaller nginx vhost-generation issues, separate from the routing / config-validation bugs in #155.
1. WebSocket vhosts use a 60s proxy read/send timeout
Generated vhosts set:
proxy_read_timeout 60s;
proxy_send_timeout 60s;
Fine for HTTP, but too short for long-lived WebSocket connections: an idle socket with no frames for 60s is closed by nginx, causing reconnect loops on quiet connections. For domains that proxy WebSockets the read/send timeout should be large (for example 3600s) or configurable per domain.
2. Connection "upgrade" is set unconditionally, even on plain-HTTP vhosts
Every generated location sets:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
On a vhost proxying a normal HTTP service this sends a stray Connection: upgrade on every request and disables upstream keep-alive. The standard pattern is conditional:
map $http_upgrade $connection_upgrade { default upgrade; '' close; }
# then per location: proxy_set_header Connection $connection_upgrade;
3. ssl_stapling enabled for certs with no OCSP responder
ssl_stapling on; ssl_stapling_verify on; is emitted for every vhost, but for certs without an OCSP responder URL nginx logs a warning on every nginx -t / reload:
"ssl_stapling" ignored, no OCSP responder URL in the certificate ...
Harmless but noisy: it buries real errors in the config-test output. Either skip stapling when the cert has no OCSP URL, or document it.
4. No validation that a domain's target service/port is listening
A domain can be mapped to a service/port where nothing listens (for example a container that only runs a process on a different port), and the vhost is generated and reloaded with no warning. The result is a silently dead route. A pre-save check (that the target service+port accepts a TCP connection) would catch this.
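As an added illustration (not the project's own generator), a small Python renderer that applies all four points: long timeouts only for WebSocket domains, the conditional Connection map, stapling only when the cert has an OCSP URL, and the pre-save TCP check from item 4. The function names, the ocsp_url parameter and the constructed domain/upstream values are assumptions.

```python
import socket
from contextlib import closing

# Shared map block, emitted once in the http{} context (issue 2).
CONNECTION_UPGRADE_MAP = (
    "map $http_upgrade $connection_upgrade {\n"
    "    default upgrade;\n"
    "    ''      close;\n"
    "}\n"
)

def render_vhost(domain, upstream, websocket=False, ocsp_url=None, ws_timeout="3600s"):
    """Render one server block.
    websocket: emit long proxy read/send timeouts (issue 1); plain HTTP keeps nginx's default.
    ocsp_url: OCSP responder URL the caller extracted from the cert (hypothetical parameter);
    stapling is emitted only when it is present (issue 3). Connection always uses the map (issue 2)."""
    lines = ["server {", f"    server_name {domain};"]
    if ocsp_url:
        lines += ["    ssl_stapling on;", "    ssl_stapling_verify on;"]
    lines += [
        "    location / {",
        f"        proxy_pass http://{upstream};",
        "        proxy_http_version 1.1;",
        "        proxy_set_header Upgrade $http_upgrade;",
        "        proxy_set_header Connection $connection_upgrade;",
    ]
    if websocket:
        lines += [f"        proxy_read_timeout {ws_timeout};",
                  f"        proxy_send_timeout {ws_timeout};"]
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"

def target_is_listening(host, port, timeout=2.0):
    """Pre-save check (issue 4): does the target accept a TCP connection at all?"""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False

def demo_listening_check():
    """Run the check against a constructed local listener, then against the same port once closed."""
    with closing(socket.socket()) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = target_is_listening("127.0.0.1", port)
    return while_open, target_is_listening("127.0.0.1", port)  # (True, False)
```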
These are improvements / cleanups; #155 covers the two functional bugs (cross-deployment upstream collision, and the non-configurable server_names_hash_bucket_size).