Add separate SSE backend for secure Server-Sent Events support
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
Creates two backends per domain:
1. Regular backend - Uses http-server-close for better security and connection management (prevents connection exhaustion attacks)
2. SSE backend - Optimized for Server-Sent Events with:
   - no option http-server-close (allows long-lived connections)
   - option http-no-delay (immediate data transmission)
   - 6-hour timeouts (supports long streaming sessions)

Frontend routing logic:
- Detects SSE via Accept: text/event-stream header or ?action=stream param
- Routes SSE traffic to SSE-optimized backend
- Routes regular HTTP traffic to standard secure backend

This approach provides full SSE support while maintaining security for regular HTTP traffic (preventing DDoS/connection flooding attacks).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@@ -1,26 +1,6 @@
|
|||||||
|
|
||||||
|
# Regular HTTP backend - uses http-server-close for better security and connection management
|
||||||
backend {{ name }}-backend
|
backend {{ name }}-backend
|
||||||
# Detect Server-Sent Events (SSE) connections
|
|
||||||
# SSE uses Accept: text/event-stream or ?action=stream query parameter
|
|
||||||
acl is_sse hdr(accept) -i -m sub text/event-stream
|
|
||||||
acl is_sse_url urlp(action) -i -m str stream
|
|
||||||
|
|
||||||
# Disable http-server-close from defaults to allow SSE long-lived connections
|
|
||||||
# Normal HTTP requests still work fine without this option
|
|
||||||
no option http-server-close
|
|
||||||
|
|
||||||
# Enable http-no-delay for immediate data transmission (good for SSE and general performance)
|
|
||||||
option http-no-delay
|
|
||||||
|
|
||||||
# Extended timeouts to support SSE long-lived connections (up to 6 hours)
|
|
||||||
# These values also work fine for normal HTTP requests
|
|
||||||
# Note: SSE sends keepalives every 1 second, so timeout only triggers if backend hangs
|
|
||||||
timeout server 6h
|
|
||||||
timeout http-keep-alive 6h
|
|
||||||
|
|
||||||
# Ensure keep-alive connection for SSE requests
|
|
||||||
http-response set-header Connection keep-alive if is_sse or is_sse_url
|
|
||||||
|
|
||||||
option forwardfor
|
option forwardfor
|
||||||
# Pass the real client IP to backend (from proxy headers or direct connection)
|
# Pass the real client IP to backend (from proxy headers or direct connection)
|
||||||
# This is crucial for container-level logging and security tools
|
# This is crucial for container-level logging and security tools
|
||||||
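Review bot: The new comment on the regular backend says it "uses http-server-close", but after this hunk the backend contains no such directive; the hunk only stops overriding the defaults with `no option http-server-close`. The behaviour therefore depends on a defaults section that is not part of this template. Consider adding `option http-server-close` explicitly under `backend {{ name }}-backend` so the comment stays true if the defaults change. With `timeout server 6h` and `timeout http-keep-alive 6h` removed, this backend also inherits both timeouts from defaults, which is worth confirming against the values set there.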
@@ -29,6 +9,29 @@ backend {{ name }}-backend
|
|||||||
http-request set-header X-Forwarded-For %[var(txn.real_ip)]
|
http-request set-header X-Forwarded-For %[var(txn.real_ip)]
|
||||||
{% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}
|
{% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}
|
||||||
|
|
||||||
|
{% for server in servers %}
|
||||||
|
server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
# SSE-specific backend - optimized for Server-Sent Events long-lived connections
|
||||||
|
backend {{ name }}-sse-backend
|
||||||
|
# Disable http-server-close to allow SSE long-lived connections
|
||||||
|
no option http-server-close
|
||||||
|
|
||||||
|
# Enable http-no-delay for immediate data transmission
|
||||||
|
option http-no-delay
|
||||||
|
|
||||||
|
# Extended timeouts to support SSE long-lived connections (up to 6 hours)
|
||||||
|
# Note: SSE sends keepalives every 1 second, so timeout only triggers if backend hangs
|
||||||
|
timeout server 6h
|
||||||
|
timeout http-keep-alive 6h
|
||||||
|
|
||||||
|
option forwardfor
|
||||||
|
# Pass the real client IP to backend (from proxy headers or direct connection)
|
||||||
|
http-request add-header X-CLIENT-IP %[var(txn.real_ip)]
|
||||||
|
http-request set-header X-Real-IP %[var(txn.real_ip)]
|
||||||
|
http-request set-header X-Forwarded-For %[var(txn.real_ip)]
|
||||||
|
{% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}
|
||||||
|
|
||||||
{% for server in servers %}
|
{% for server in servers %}
|
||||||
server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
|
server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
|
||||||
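Review bot: `timeout server 6h` in the SSE backend is longer than the hunk's own comment justifies. `timeout server` is an inactivity timeout, and the comment states that SSE sends keepalives every 1 second, so an active stream resets it continuously while a hung backend would hold its connection for up to six hours. A value that is a small multiple of the keepalive interval would still allow multi-hour streams and release hung ones sooner. `timeout http-keep-alive 6h` governs idle time while waiting for a new request rather than the stream itself and deserves the same look. Separately, `http-request add-header X-CLIENT-IP %[var(txn.real_ip)]` appends rather than replaces, unlike the `set-header` lines next to it, so a client-supplied X-CLIENT-IP would reach the server alongside the real one; `set-header` would be consistent.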
|
|||||||
@@ -1,4 +1,13 @@
|
|||||||
|
|
||||||
#Subdomain method {{ domain }}
|
#Subdomain method {{ domain }}
|
||||||
acl {{ domain }}-acl hdr(host) -i {{ domain }}
|
acl {{ name }}-acl hdr(host) -i {{ domain }}
|
||||||
use_backend {{ name }}-backend if {{ domain }}-acl
|
|
||||||
|
# Detect Server-Sent Events (SSE) connections for {{ domain }}
|
||||||
|
# SSE uses Accept: text/event-stream or ?action=stream query parameter
|
||||||
|
acl {{ name }}-is-sse hdr(accept) -i -m sub text/event-stream
|
||||||
|
acl {{ name }}-is-sse-url urlp(action) -i -m str stream
|
||||||
|
|
||||||
|
# Route SSE traffic to SSE-optimized backend, regular traffic to standard backend
|
||||||
|
use_backend {{ name }}-sse-backend if {{ name }}-acl {{ name }}-is-sse
|
||||||
|
use_backend {{ name }}-sse-backend if {{ name }}-acl {{ name }}-is-sse-url
|
||||||
|
use_backend {{ name }}-backend if {{ name }}-acl
|
||||||
|
|||||||
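Review bot: Both SSE conditions, `hdr(accept) -i -m sub text/event-stream` and `urlp(action) -i -m str stream`, are fully controlled by the client, so any request for the domain can select `{{ name }}-sse-backend` by adding the header or the query parameter. The connection handling that the commit message gives as the reason for keeping the regular backend is then opt-out by the requester. Consider also requiring a path ACL for the application's known SSE endpoints on the two `use_backend {{ name }}-sse-backend` lines, or limiting concurrent connections per source on that route. The rename of the host ACL to `{{ name }}-acl` is applied consistently in all three `use_backend` lines.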