From 524ad6e89beb92634e551499b19f3a059ab04bb3 Mon Sep 17 00:00:00 2001
From: CroneKorkN <i@ckn.li>
Date: Sun, 10 May 2026 22:12:03 +0200
Subject: [PATCH] nginx: SSE-friendly proxy_pass + unconditional
 $connection_upgrade map
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two coupled changes that let every proxy_pass vhost serve both WS and
SSE without per-vhost flags or template conditionals:

1) nginx.conf: $connection_upgrade map is now always defined (drop
   the % if has_websockets: gate), and the '' branch returns "" instead
   of "close". With "" + proxy_http_version 1.1, nginx maintains
   keep-alive to upstream for non-WS clients — which is what SSE
   requires. WS clients still get Connection: upgrade as before.

2) data/nginx/proxy_pass.conf: drop the % if websockets: conditional.
   Always set proxy_http_version 1.1 + Upgrade + Connection via the
   map, plus proxy_buffering off and proxy_read_timeout 1h for SSE.

Effects on existing vhosts:
- home.server's Proxmox WS vhost: unchanged behavior (the WS branch
  was already setting these headers). Gains the ability to also
  serve SSE if ever needed.
- All other proxy_pass vhosts (Nextcloud, Freescout, YOURLS, Gitea,
  etc.): get keep-alive to upstream (minor latency win) and unbuffered
  pass-through (slight throughput cost on huge responses, neutral
  for typical web app traffic).

Dead but harmless: bundles/nginx/metadata.py still defaults
nginx/has_websockets to False, and proxmox-ve/grafana still set it
to True. The flag is now a no-op; clean up in a separate pass.
---
 bundles/nginx/files/nginx.conf |  7 ++++---
 data/nginx/proxy_pass.conf     | 14 ++++++++++----
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf
index ef45635..4c6253e 100644
--- a/bundles/nginx/files/nginx.conf
+++ b/bundles/nginx/files/nginx.conf
@@ -32,12 +32,13 @@ http {
 
     % endif
 
-    % if has_websockets:
+    # Always defined: serves both WS-enabled vhosts (Connection: upgrade for
+    # ws clients) and SSE/keep-alive vhosts (Connection: "" lets nginx manage
+    # the upstream connection for keep-alive, instead of forcing "close").
     map $http_upgrade $connection_upgrade {
         default upgrade;
-        '' close;
+        '' '';
     }
-    % endif
 
     include /etc/nginx/sites-enabled/*;
 }
diff --git a/data/nginx/proxy_pass.conf b/data/nginx/proxy_pass.conf
index d682396..b30c81f 100644
--- a/data/nginx/proxy_pass.conf
+++ b/data/nginx/proxy_pass.conf
@@ -8,10 +8,16 @@ server {
 
     location / {
         proxy_set_header   X-Real-IP          $remote_addr;
-% if websockets:
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
-% endif
+        # Always set Upgrade + Connection via the $connection_upgrade map:
+        #   WS client (Upgrade header sent)  -> Connection: upgrade
+        #   non-WS client (no Upgrade)       -> Connection: "" (keep-alive)
+        # Lets every vhost serve both WS and SSE without per-vhost flags.
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade            $http_upgrade;
+        proxy_set_header   Connection         $connection_upgrade;
+        # SSE-safe pass-through (also fine for non-SSE traffic):
+        proxy_buffering    off;
+        proxy_read_timeout 1h;
         proxy_pass ${target};
     }
 }