authorSandro Jäckel <sandro.jaeckel@gmail.com>2022-10-15 17:18:36 +0200
committerSandro Jäckel <sandro.jaeckel@gmail.com>2023-01-30 20:25:22 +0100
commit2d3efd330141b14ff8ba6133768ea44b65d660dd (patch)
treea8d887ff7f3895067bb6e0e186c1104ae1525d4a /nixos
parent5b6dcece880b1fe45532b383e1c1f9574ddac4cf (diff)
nixos/nginx: clear clients Connection headers
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2305.section.xml7
-rw-r--r--nixos/doc/manual/release-notes/rl-2305.section.md2
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix2
3 files changed, 11 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index 2ce4ce189cb4..87535cab12b3 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -704,6 +704,13 @@
</listitem>
<listitem>
<para>
+ <literal>services.nginx.recommendedProxySettings</literal> now
+ removes the <literal>Connection</literal> header preventing
+ clients from closing backend connections.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
Resilio sync secret keys can now be provided using a secrets
file at runtime, preventing these secrets from ending up in
the Nix store.
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 148b317ba283..16f2714267d3 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -176,6 +176,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- `hip` has been separated into `hip`, `hip-common` and `hipcc`.
+- `services.nginx.recommendedProxySettings` now removes the `Connection` header preventing clients from closing backend connections.
+
- Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
- The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it.
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index c723b962c847..c0b90997ae9b 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -211,6 +211,8 @@ let
proxy_send_timeout ${cfg.proxyTimeout};
proxy_read_timeout ${cfg.proxyTimeout};
proxy_http_version 1.1;
+ # don't let clients close the keep-alive connection to upstream
+ proxy_set_header "Connection" "";
include ${recommendedProxyConfig};
''}
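Review bot: The added `proxy_set_header "Connection" "";` sits in the inline block rather than next to the other proxy headers, so nginx's inheritance rule decides whether it ever takes effect: `proxy_set_header` directives are inherited from an outer level only when the current level defines none. Any server or location that sets its own `proxy_set_header` (possibly including one that pulls in `${recommendedProxyConfig}` again, whose contents are not visible in this hunk) would fall back to nginx's default `Connection: close`, and the keep-alive intent is silently lost. Consider moving the directive into the file behind `recommendedProxyConfig`, or at least extending the comment to something like `# only applies where no proxy_set_header is set at a lower level; nginx otherwise sends "Connection: close"`. The comment's wording is also slightly off, since nginx does not forward the client's `Connection` header by default; what the line changes is nginx's own default value. The enclosing string and let-binding start outside the hunk.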