Add separate SSE backend for secure Server-Sent Events support
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
Creates two backends per domain: 1. Regular backend - Uses http-server-close for better security and connection management (prevents connection exhaustion attacks) 2. SSE backend - Optimized for Server-Sent Events with: - no option http-server-close (allows long-lived connections) - option http-no-delay (immediate data transmission) - 6-hour timeouts (supports long streaming sessions) Frontend routing logic: - Detects SSE via Accept: text/event-stream header or ?action=stream param - Routes SSE traffic to SSE-optimized backend - Routes regular HTTP traffic to standard secure backend This approach provides full SSE support while maintaining security for regular HTTP traffic (preventing DDoS/connection flooding attacks). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
@@ -1,26 +1,6 @@
|
||||
|
||||
# Regular HTTP backend - uses http-server-close for better security and connection management
|
||||
backend {{ name }}-backend
|
||||
# Detect Server-Sent Events (SSE) connections
|
||||
# SSE uses Accept: text/event-stream or ?action=stream query parameter
|
||||
acl is_sse hdr(accept) -i -m sub text/event-stream
|
||||
acl is_sse_url urlp(action) -i -m str stream
|
||||
|
||||
# Disable http-server-close from defaults to allow SSE long-lived connections
|
||||
# Normal HTTP requests still work fine without this option
|
||||
no option http-server-close
|
||||
|
||||
# Enable http-no-delay for immediate data transmission (good for SSE and general performance)
|
||||
option http-no-delay
|
||||
|
||||
# Extended timeouts to support SSE long-lived connections (up to 6 hours)
|
||||
# These values also work fine for normal HTTP requests
|
||||
# Note: SSE sends keepalives every 1 second, so timeout only triggers if backend hangs
|
||||
timeout server 6h
|
||||
timeout http-keep-alive 6h
|
||||
|
||||
# Ensure keep-alive connection for SSE requests
|
||||
http-response set-header Connection keep-alive if is_sse or is_sse_url
|
||||
|
||||
option forwardfor
|
||||
# Pass the real client IP to backend (from proxy headers or direct connection)
|
||||
# This is crucial for container-level logging and security tools
|
||||
@@ -29,6 +9,29 @@ backend {{ name }}-backend
|
||||
http-request set-header X-Forwarded-For %[var(txn.real_ip)]
|
||||
{% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}
|
||||
|
||||
{% for server in servers %}
|
||||
server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
|
||||
{% endfor %}
|
||||
|
||||
# SSE-specific backend - optimized for Server-Sent Events long-lived connections
|
||||
backend {{ name }}-sse-backend
|
||||
# Disable http-server-close to allow SSE long-lived connections
|
||||
no option http-server-close
|
||||
|
||||
# Enable http-no-delay for immediate data transmission
|
||||
option http-no-delay
|
||||
|
||||
# Extended timeouts to support SSE long-lived connections (up to 6 hours)
|
||||
# Note: SSE sends keepalives every 1 second, so timeout only triggers if backend hangs
|
||||
timeout server 6h
|
||||
timeout http-keep-alive 6h
|
||||
|
||||
option forwardfor
|
||||
# Pass the real client IP to backend (from proxy headers or direct connection)
|
||||
http-request add-header X-CLIENT-IP %[var(txn.real_ip)]
|
||||
http-request set-header X-Real-IP %[var(txn.real_ip)]
|
||||
http-request set-header X-Forwarded-For %[var(txn.real_ip)]
|
||||
{% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}
|
||||
|
||||
{% for server in servers %}
|
||||
server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
|
||||
|
||||
@@ -1,4 +1,13 @@
|
||||
|
||||
#Subdomain method {{ domain }}
|
||||
acl {{ domain }}-acl hdr(host) -i {{ domain }}
|
||||
use_backend {{ name }}-backend if {{ domain }}-acl
|
||||
acl {{ name }}-acl hdr(host) -i {{ domain }}
|
||||
|
||||
# Detect Server-Sent Events (SSE) connections for {{ domain }}
|
||||
# SSE uses Accept: text/event-stream or ?action=stream query parameter
|
||||
acl {{ name }}-is-sse hdr(accept) -i -m sub text/event-stream
|
||||
acl {{ name }}-is-sse-url urlp(action) -i -m str stream
|
||||
|
||||
# Route SSE traffic to SSE-optimized backend, regular traffic to standard backend
|
||||
use_backend {{ name }}-sse-backend if {{ name }}-acl {{ name }}-is-sse
|
||||
use_backend {{ name }}-sse-backend if {{ name }}-acl {{ name }}-is-sse-url
|
||||
use_backend {{ name }}-backend if {{ name }}-acl
|
||||
|
||||
Reference in New Issue
Block a user