From 2d3efd330141b14ff8ba6133768ea44b65d660dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 15 Oct 2022 17:18:36 +0200 Subject: nixos/nginx: clear clients Connection headers --- nixos/doc/manual/from_md/release-notes/rl-2305.section.xml | 7 +++++++ nixos/doc/manual/release-notes/rl-2305.section.md | 2 ++ nixos/modules/services/web-servers/nginx/default.nix | 2 ++ 3 files changed, 11 insertions(+) (limited to 'nixos') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml index 2ce4ce189cb4..87535cab12b3 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml @@ -702,6 +702,13 @@ hipcc. + + + services.nginx.recommendedProxySettings now + removes the Connection header preventing + clients from closing backend connections. + + Resilio sync secret keys can now be provided using a secrets diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index 148b317ba283..16f2714267d3 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -176,6 +176,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `hip` has been separated into `hip`, `hip-common` and `hipcc`. +- `services.nginx.recommendedProxySettings` now removes the `Connection` header preventing clients from closing backend connections. + - Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store. - The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it. diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index c723b962c847..c0b90997ae9b 100644 
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -211,6 +211,8 @@ let
 proxy_send_timeout ${cfg.proxyTimeout};
 proxy_read_timeout ${cfg.proxyTimeout};
 proxy_http_version 1.1;
+ # don't let clients close the keep-alive connection to upstream
+ proxy_set_header "Connection" "";
 include ${recommendedProxyConfig};
 ''}
-- 
cgit v1.2.3
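Review bot: The added `proxy_set_header "Connection" "";` is declared at the level of this recommended-settings block, and nginx inherits `proxy_set_header` from an outer level only when the inner level declares none of its own. Any server or location that sets a proxy header itself (for example by including `recommendedProxyConfig` again, or for WebSocket upgrades) would therefore not get the cleared header. Whether the module's location generation does that is not visible here, since the enclosing string starts and ends outside the hunk, so the rendered config for a proxied location is worth checking. I would extend the comment with `# only inherited by blocks that define no proxy_set_header of their own`. The existing comment could also be more exact: without this line nginx itself sends `Connection: close` upstream by default, so the effect is to allow upstream keep-alive rather than to block a client-supplied value.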