
nginx vhost generation: WebSocket timeouts, unconditional upgrade header, ssl_stapling noise, missing target validation #156

Description

@nfebe

Smaller nginx vhost-generation issues, separate from the routing / config-validation bugs in #155.

1. WebSocket vhosts use a 60s proxy read/send timeout

Generated vhosts set:

proxy_read_timeout 60s;
proxy_send_timeout 60s;

Fine for HTTP, but too short for long-lived WebSocket connections: an idle socket with no frames for 60s is closed by nginx, causing reconnect loops on quiet connections. For domains that proxy WebSockets the read/send timeout should be large (for example 3600s) or configurable per domain.

2. Connection "upgrade" is set unconditionally, even on plain-HTTP vhosts

Every generated location sets:

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

On a vhost proxying a normal HTTP service this sends a stray Connection: upgrade on every request and disables upstream keep-alive. The standard pattern is conditional:

map $http_upgrade $connection_upgrade { default upgrade; '' close; }
# then per location: proxy_set_header Connection $connection_upgrade;

3. ssl_stapling enabled for certs with no OCSP responder

ssl_stapling on; ssl_stapling_verify on; is emitted for every vhost, but certs without an OCSP responder URL log a warning on every nginx -t / reload:

"ssl_stapling" ignored, no OCSP responder URL in the certificate ...

Harmless but noisy: it buries real errors in the config-test output. Either skip stapling when the cert has no OCSP URL, or document it.

4. No validation that a domain's target service/port is listening

A domain can be mapped to a service/port where nothing listens (for example a container that only runs a process on a different port), and the vhost is generated and reloaded with no warning. The result is a silently dead route. A pre-save check (the target service+port accepts a connection) would catch this.

These are improvements / cleanups; #155 covers the two functional bugs (cross-deployment upstream collision, and the non-configurable server_names_hash_bucket_size).
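One way to handle all four points in a vhost generator, as an added example that is not the project's code and not something the issue author posted: a Python renderer that gives WebSocket domains a long read/send timeout, uses the conditional `$connection_upgrade` map, emits `ssl_stapling` only when the certificate is known to carry an OCSP responder URL, and refuses to save a domain whose target does not accept a TCP connection. `DomainSpec`, `render_vhost`, `target_is_listening`, `validate_before_save`, `demo_probe` and the sample domain and service names are assumptions for illustration.

```python
"""Added example (not the project's or the issue author's code): a minimal
vhost renderer plus a pre-save port check covering the four points above.
All names here (DomainSpec, render_vhost, ...) are hypothetical."""
import socket
from dataclasses import dataclass


@dataclass
class DomainSpec:
    server_name: str
    upstream_host: str
    upstream_port: int
    websocket: bool = False          # point 1: per-domain WebSocket flag
    ws_timeout_s: int = 3600         # point 1: long idle timeout for WS domains
    cert_has_ocsp_url: bool = False  # point 3: derive from the cert in practice


# Point 2: emitted once at http{} level. Each location references
# $connection_upgrade, so plain requests send "Connection: close" only when
# no Upgrade header is present and never a stray "Connection: upgrade".
UPGRADE_MAP = """map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}"""


def render_vhost(spec: DomainSpec) -> str:
    """Render one server{} block. WebSocket domains get the long timeout;
    stapling is only emitted when the certificate carries an OCSP URL."""
    timeout = f"{spec.ws_timeout_s}s" if spec.websocket else "60s"
    lines = [
        "server {",
        "    listen 443 ssl;",
        f"    server_name {spec.server_name};",
    ]
    if spec.cert_has_ocsp_url:
        lines += ["    ssl_stapling on;", "    ssl_stapling_verify on;"]
    else:
        lines.append("    # ssl_stapling skipped: certificate has no OCSP responder URL")
    lines += [
        "    location / {",
        f"        proxy_pass http://{spec.upstream_host}:{spec.upstream_port};",
        "        proxy_http_version 1.1;",  # required for Upgrade to pass through
        "        proxy_set_header Upgrade $http_upgrade;",
        "        proxy_set_header Connection $connection_upgrade;",
        f"        proxy_read_timeout {timeout};",
        f"        proxy_send_timeout {timeout};",
        "    }",
        "}",
    ]
    return "\n".join(lines)


def target_is_listening(host: str, port: int, timeout: float = 2.0) -> bool:
    """Point 4: TCP connect to the upstream; False on refusal, timeout or DNS error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def validate_before_save(spec: DomainSpec) -> None:
    """Pre-save check: refuse to generate a vhost for a dead target."""
    if not target_is_listening(spec.upstream_host, spec.upstream_port):
        raise ValueError(
            f"{spec.server_name}: nothing listening on "
            f"{spec.upstream_host}:{spec.upstream_port}"
        )


def demo_probe() -> tuple:
    """Constructed demo: probe a throwaway local listener while it is up,
    then again after it is closed. Returns (while_listening, after_close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()
    while_listening = target_is_listening(host, port)
    srv.close()
    after_close = target_is_listening(host, port)
    return while_listening, after_close


if __name__ == "__main__":
    ws = DomainSpec("chat.example.test", "chat-svc", 8080, websocket=True)
    print(UPGRADE_MAP)
    print(render_vhost(ws))
    print("probe (listening, after close):", demo_probe())
```

`UPGRADE_MAP` belongs once in the `http {}` context, not per server. In a real generator the `cert_has_ocsp_url` flag would be read from the certificate rather than set by hand; `openssl x509 -noout -ocsp_uri -in cert.pem` prints the responder URL and prints nothing for a certificate without one. The connect check is deliberately plain TCP: it catches the "container listens on a different port" case from point 4 without needing to know the upstream protocol.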
