nginx: SSE-friendly proxy_pass + unconditional $connection_upgrade map

Two coupled changes that let every proxy_pass vhost serve both WS and SSE without per-vhost flags or template conditionals: 1) nginx.conf: $connection_upgrade map is now always defined (drop the % if has_websockets: gate), and the '' branch returns "" instead of "close". With "" + proxy_http_version 1.1, nginx maintains keep-alive to upstream for non-WS clients — which is what SSE requires. WS clients still get Connection: upgrade as before. 2) data/nginx/proxy_pass.conf: drop the % if websockets: conditional. Always set proxy_http_version 1.1 + Upgrade + Connection via the map, plus proxy_buffering off and proxy_read_timeout 1h for SSE. Effects on existing vhosts: - home.server's Proxmox WS vhost: unchanged behavior (the WS branch was already setting these headers). Gains the ability to also serve SSE if ever needed. - All other proxy_pass vhosts (Nextcloud, Freescout, YOURLS, Gitea, etc.): get keep-alive to upstream (minor latency win) and unbuffered pass-through (slight throughput cost on huge responses, neutral for typical web app traffic). Dead but harmless: bundles/nginx/metadata.py still defaults nginx/has_websockets to False, and proxmox-ve/grafana still set it to True. The flag is now a no-op; clean up in a separate pass.
2026-05-10 22:12:03 +02:00 · 2026-05-10 22:12:03 +02:00 · 524ad6e89b
commit 524ad6e89b
parent 99d68a5135
2 changed files with 14 additions and 7 deletions
--- a/bundles/nginx/files/nginx.conf
+++ b/bundles/nginx/files/nginx.conf
@ -32,12 +32,13 @@ http {

    % endif

-    % if has_websockets:
+    # Always defined: serves both WS-enabled vhosts (Connection: upgrade for
+    # ws clients) and SSE/keep-alive vhosts (Connection: "" lets nginx manage
+    # the upstream connection for keep-alive, instead of forcing "close").
    map $http_upgrade $connection_upgrade {
        default upgrade;
-        '' close;
+        '' '';
    }
-    % endif

    include /etc/nginx/sites-enabled/*;
 }
--- a/data/nginx/proxy_pass.conf
+++ b/data/nginx/proxy_pass.conf
@ -8,10 +8,16 @@ server {

    location / {
        proxy_set_header   X-Real-IP          $remote_addr;
-% if websockets:
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
-% endif
+        # Always set Upgrade + Connection via the $connection_upgrade map:
+        #   WS client (Upgrade header sent)  -> Connection: upgrade
+        #   non-WS client (no Upgrade)       -> Connection: "" (keep-alive)
+        # Lets every vhost serve both WS and SSE without per-vhost flags.
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade            $http_upgrade;
+        proxy_set_header   Connection         $connection_upgrade;
+        # SSE-safe pass-through (also fine for non-SSE traffic):
+        proxy_buffering    off;
+        proxy_read_timeout 1h;
        proxy_pass ${target};
    }
 }