From 6cd64295d2ec5190dd071fd3355a6d98d6a2cb84 Mon Sep 17 00:00:00 2001
From: Josh Knapp
Date: Fri, 26 Dec 2025 13:48:24 -0800
Subject: [PATCH] Add separate SSE backend for secure Server-Sent Events support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Creates two backends per domain: 1. Regular backend - Uses http-server-close for better security and connection management (prevents connection exhaustion attacks) 2. SSE backend - Optimized for Server-Sent Events with: - no option http-server-close (allows long-lived connections) - option http-no-delay (immediate data transmission) - 6-hour timeouts (supports long streaming sessions) Frontend routing logic: - Detects SSE via Accept: text/event-stream header or ?action=stream param - Routes SSE traffic to SSE-optimized backend - Routes regular HTTP traffic to standard secure backend This approach provides full SSE support while maintaining security for regular HTTP traffic (preventing DDoS/connection flooding attacks). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
 templates/hap_backend.tpl | 45 ++++++++++++++++++---------------
 templates/hap_subdomain_acl.tpl | 15 ++++++++---
 2 files changed, 36 insertions(+), 24 deletions(-)

diff --git a/templates/hap_backend.tpl b/templates/hap_backend.tpl
index 1d8f2c4..b6c9153 100644
--- a/templates/hap_backend.tpl
+++ b/templates/hap_backend.tpl
@@ -1,26 +1,6 @@
+# Regular HTTP backend - uses http-server-close for better security and connection management
 backend {{ name }}-backend
- # Detect Server-Sent Events (SSE) connections
- # SSE uses Accept: text/event-stream or ?action=stream query parameter
- acl is_sse hdr(accept) -i -m sub text/event-stream
- acl is_sse_url urlp(action) -i -m str stream
-
- # Disable http-server-close from defaults to allow SSE long-lived connections
- # Normal HTTP requests still work fine without this option
- no option http-server-close
-
- # Enable http-no-delay for immediate data transmission (good for SSE and general performance)
- option http-no-delay
-
- # Extended timeouts to support SSE long-lived connections (up to 6 hours)
- # These values also work fine for normal HTTP requests
- # Note: SSE sends keepalives every 1 second, so timeout only triggers if backend hangs
- timeout server 6h
- timeout http-keep-alive 6h
-
- # Ensure keep-alive connection for SSE requests
- http-response set-header Connection keep-alive if is_sse or is_sse_url
-
-
 option forwardfor
 # Pass the real client IP to backend (from proxy headers or direct connection)
 # This is crucial for container-level logging and security tools
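Review bot: The new header comment on `backend {{ name }}-backend` advertises http-server-close, but nothing in the backend sets it; the property is inherited from the `defaults` section (the removed comment said as much), so a later edit to defaults would silently drop the behaviour this comment claims for the backend. Pinning it locally with `option http-server-close` directly under the `backend` line makes the comment true on its own, and the comment could then read `# Regular HTTP backend - http-server-close is set here (and in defaults) so the server side closes after each response`. The same inheritance now applies to `timeout server`, which this backend no longer sets; a one-line comment stating that the defaults value is intended would help the next reader.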
@@ -29,6 +9,29 @@ backend {{ name }}-backend
 http-request set-header X-Forwarded-For %[var(txn.real_ip)]
 {% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}
+ {% for server in servers %}
+ server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
+ {% endfor %}
+
+# SSE-specific backend - optimized for Server-Sent Events long-lived connections
+backend {{ name }}-sse-backend
+ # Disable http-server-close to allow SSE long-lived connections
+ no option http-server-close
+
+ # Enable http-no-delay for immediate data transmission
+ option http-no-delay
+
+ # Extended timeouts to support SSE long-lived connections (up to 6 hours)
+ # Note: SSE sends keepalives every 1 second, so timeout only triggers if backend hangs
+ timeout server 6h
+ timeout http-keep-alive 6h
+
+ option forwardfor
+ # Pass the real client IP to backend (from proxy headers or direct connection)
+ http-request add-header X-CLIENT-IP %[var(txn.real_ip)]
+ http-request set-header X-Real-IP %[var(txn.real_ip)]
+ http-request set-header X-Forwarded-For %[var(txn.real_ip)]
+ {% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}
 {% for server in servers %}
 server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
diff --git a/templates/hap_subdomain_acl.tpl b/templates/hap_subdomain_acl.tpl
index 5e46d92..17fc8db 100644
--- a/templates/hap_subdomain_acl.tpl
+++ b/templates/hap_subdomain_acl.tpl
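Review bot: `timeout http-keep-alive 6h` in the new `backend {{ name }}-sse-backend` bounds how long an idle connection may wait for its next request, not the lifetime of the event stream (that is what `timeout server 6h` covers), so a connection that has once been routed here can sit idle for six hours afterwards, and since the routing key is client-supplied (Accept header or `action` query parameter, see the ACL template hunk) this path is reachable by any client. I would drop the `timeout http-keep-alive` line so the defaults value applies and keep only `timeout server 6h`, and give the SSE path its own ceiling (`maxconn` on its `server` lines via `server_options`, or a per-source limit with a stick table) so the connection-exhaustion protection described for the regular backend is not sidestepped by selecting this backend. The `option forwardfor` / X-* header block is copied verbatim from `{{ name }}-backend`; a Jinja `{% include %}` or macro for those shared lines would keep the two backends from drifting apart. As far as I recall, `option forwardfor` also appends its own X-Forwarded-For after the `http-request set-header X-Forwarded-For` rule has run, so upstreams may receive two values; `option forwardfor if-none` or the `set-header` rule alone avoids that — the regular backend has the same pre-existing pattern, so this can be a follow-up.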
@@ -1,4 +1,13 @@
-
+
 #Subdomain method {{ domain }}
- acl {{ domain }}-acl hdr(host) -i {{ domain }}
- use_backend {{ name }}-backend if {{ domain }}-acl
+ acl {{ name }}-acl hdr(host) -i {{ domain }}
+
+ # Detect Server-Sent Events (SSE) connections for {{ domain }}
+ # SSE uses Accept: text/event-stream or ?action=stream query parameter
+ acl {{ name }}-is-sse hdr(accept) -i -m sub text/event-stream
+ acl {{ name }}-is-sse-url urlp(action) -i -m str stream
+
+ # Route SSE traffic to SSE-optimized backend, regular traffic to standard backend
+ use_backend {{ name }}-sse-backend if {{ name }}-acl {{ name }}-is-sse
+ use_backend {{ name }}-sse-backend if {{ name }}-acl {{ name }}-is-sse-url
+ use_backend {{ name }}-backend if {{ name }}-acl
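Review bot: The SSE selection on the new `use_backend {{ name }}-sse-backend` lines is decided purely by request content the client controls (`hdr(accept)` containing text/event-stream, or `urlp(action)` equal to stream) and is evaluated for every path on the host, so any request to the domain can be steered to the relaxed, long-timeout backend; the hardening the commit describes for the regular backend therefore only covers clients that do not ask for the other one. If the application's stream endpoints are known, anchoring the SSE ACLs on the path as well — for example `acl {{ name }}-is-sse-path path_beg <STREAM_PATH>` with `<STREAM_PATH>` filled in per deployment, AND-ed into both SSE `use_backend` conditions — keeps the relaxed backend scoped to those endpoints; otherwise the SSE backend needs its own concurrency limit. Separately, the host ACL is renamed from `{{ domain }}-acl` to `{{ name }}-acl`; if another template or generated snippet still references the old name that would break, which this diff alone cannot confirm.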