nixos/nginx: clear clients Connection headers

2025-06-10 11:45:45 +03:00 · 2022-10-15 17:18:36 +02:00 · 2022-10-15 17:18:36 +02:00 · 2d3efd3301
commit 2d3efd3301
parent 5b6dcece88
3 changed files with 11 additions and 0 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@ -702,6 +702,13 @@
          <literal>hipcc</literal>.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          <literal>services.nginx.recommendedProxySettings</literal> now
+          removes the <literal>Connection</literal> header preventing
+          clients from closing backend connections.
+        </para>
+      </listitem>
      <listitem>
        <para>
          Resilio sync secret keys can now be provided using a secrets
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@ -176,6 +176,8 @@ In addition to numerous new and upgraded packages, this release has the followin

 - `hip` has been separated into `hip`, `hip-common` and `hipcc`.

+- `services.nginx.recommendedProxySettings` now removes the `Connection` header preventing clients from closing backend connections.
+
 - Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.

 - The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it.
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -211,6 +211,8 @@ let
        proxy_send_timeout      ${cfg.proxyTimeout};
        proxy_read_timeout      ${cfg.proxyTimeout};
        proxy_http_version      1.1;
+        # don't let clients close the keep-alive connection to upstream
+        proxy_set_header        "Connection" "";
        include ${recommendedProxyConfig};
      ''}