From aec06591d5c1c46cd70907cca3bfcf98b9a71b4d Mon Sep 17 00:00:00 2001
From: Stefan Hacker
Date: Thu, 9 Apr 2026 16:18:12 +0200
Subject: [PATCH] Fix proxy: add buffers, timeouts, WebSocket map, logging, SSL passthrough

- Add proper proxy buffer sizes for large responses/headers
- Add connect/send/read timeouts
- Use connection_upgrade map for proper WebSocket handling
- Add access_log/error_log to dynamic server blocks
- Disable proxy_ssl_verify for HTTPS backend targets
- Add X-Forwarded-Host/Port headers
- Remove client_max_body_size limit

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 app/app.py | 76 ++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 56 insertions(+), 20 deletions(-)

diff --git a/app/app.py b/app/app.py
index 0613c06..d8cc399 100644
--- a/app/app.py
+++ b/app/app.py
@@ -39,10 +39,56 @@ def save_config(config):
 json.dump(config, f, indent=2)
 
 
+def _proxy_location_block(target_scheme, upstream_name):
+ """Generate proxy location block with all necessary directives."""
+ return f""" location / {{
+ proxy_pass {target_scheme}://{upstream_name};
+
+ # Headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+
+ # WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ # Timeouts
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 120s;
+ proxy_read_timeout 120s;
+
+ # Buffers
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+
+ # Don't limit upload size
+ client_max_body_size 0;
+
+ # Pass redirects through
+ proxy_redirect default;
+
+ # Disable SSL verification for HTTPS targets
+ proxy_ssl_verify off;
+ }}"""
+
+
 def generate_nginx_config(config):
 """Generate nginx upstream/server blocks from config."""
 lines = []
 
+ # Connection upgrade map for WebSocket support
+ lines.append("map $http_upgrade $connection_upgrade {")
+ lines.append(" default upgrade;")
+ lines.append(" '' close;")
+ lines.append("}")
+ lines.append("")
+
 for i, target in enumerate(config.get("targets", [])):
 name = target.get("name", f"target_{i}")
 target_host = target.get("target_host", "")
@@ -60,6 +106,8 @@ def generate_nginx_config(config):
 lines.append("}")
 lines.append("")
 
+ location_block = _proxy_location_block(target_scheme, upstream_name)
+
 # Domain-based routing
 if domains:
 for domain_entry in domains:
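Review bot: `proxy_ssl_verify off;` in `_proxy_location_block` is written for every target, so with an `https` target_scheme the hop from the proxy to the backend is encrypted but the backend certificate is never checked, and anything positioned on that hop can stand in for the backend. I would make verification the default and let a target opt out explicitly: emit `proxy_ssl_verify on;` with a `proxy_ssl_trusted_certificate` CA bundle and a `proxy_ssl_name` that matches the backend's certificate (the default name would be the upstream block's name, not the real host), and write `proxy_ssl_verify off;` only when the target's config asks for it. `client_max_body_size 0;` likewise removes the request-body cap for all targets at once; a per-target value with a finite default keeps one upload endpoint from opening every backend to unbounded request bodies. Since nginx already defaults to `proxy_ssl_verify off`, the comment above the directive should say why it is set, for example `# backends use self-signed certificates; upstream TLS is not authenticated`.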
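Review bot: `target_scheme` and `upstream_name` are pasted into nginx directive text by the new `_proxy_location_block` call with no check visible in this hunk, so a config value containing `;`, `{` or whitespace would change the structure of the generated file. If the two values are not already validated where they are derived, a guard before this call such as `if target_scheme not in ("http", "https"): raise ValueError(...)` and a strict character allow-list for the upstream name would close that off. `generate_nginx_config` starts and ends outside the hunk, so the derivation of both values cannot be confirmed from here.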
@@ -75,16 +123,10 @@ def generate_nginx_config(config):
 lines.append(" ssl_certificate_key /certs/server.key;")
 lines.append(" ssl_protocols TLSv1.2 TLSv1.3;")
 lines.append("")
- lines.append(f" location / {{")
- lines.append(f" proxy_pass {target_scheme}://{upstream_name};")
- lines.append(" proxy_set_header Host $host;")
- lines.append(" proxy_set_header X-Real-IP $remote_addr;")
- lines.append(" proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;")
- lines.append(" proxy_set_header X-Forwarded-Proto $scheme;")
- lines.append(" proxy_http_version 1.1;")
- lines.append(' proxy_set_header Upgrade $http_upgrade;')
- lines.append(' proxy_set_header Connection "upgrade";')
- lines.append(" }")
+ lines.append(f" access_log /var/log/nginx/access.log main;")
+ lines.append(f" error_log /var/log/nginx/error.log warn;")
+ lines.append("")
+ lines.append(location_block)
 lines.append("}")
 lines.append("")
 
@@ -98,16 +140,10 @@ def generate_nginx_config(config):
 lines.append(" ssl_certificate_key /certs/server.key;")
 lines.append(" ssl_protocols TLSv1.2 TLSv1.3;")
 lines.append("")
- lines.append(f" location / {{")
- lines.append(f" proxy_pass {target_scheme}://{upstream_name};")
- lines.append(" proxy_set_header Host $host;")
- lines.append(" proxy_set_header X-Real-IP $remote_addr;")
- lines.append(" proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;")
- lines.append(" proxy_set_header X-Forwarded-Proto $scheme;")
- lines.append(" proxy_http_version 1.1;")
- lines.append(' proxy_set_header Upgrade $http_upgrade;')
- lines.append(' proxy_set_header Connection "upgrade";')
- lines.append(" }")
+ lines.append(f" access_log /var/log/nginx/access.log main;")
+ lines.append(f" error_log /var/log/nginx/error.log warn;")
+ lines.append("")
+ lines.append(location_block)
 lines.append("}")
 lines.append("")
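Review bot: The added `access_log ... main;` line references a `main` log format that the generated output never defines, so nginx rejects the config unless a `log_format main` in the including http block is read first; presumably the base nginx.conf supplies it, but that dependency deserves a comment such as `# relies on log_format main from the base nginx.conf`. The same four added lines are repeated in the hunk at `@@ -98,16 +140,10 @@`, and this note covers both. Every generated server block writes to the same two files, so the access log only tells targets apart if the `main` format records `$host` or `$server_name`, which matters when the logs are used to investigate traffic to a single backend. The `f` prefix on both log literals has no placeholders and can be dropped, as in `lines.append(" access_log /var/log/nginx/access.log main;")`. Both hunks sit inside `generate_nginx_config`, whose body extends beyond them.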