From 903db4079d213f28b298c4318f4b1f8ed6b447fc Mon Sep 17 00:00:00 2001
From: Erich Blume 
Date: Fri, 17 Apr 2026 15:51:51 -0700
Subject: [PATCH] Fix upstream keepalive: set proxy_ssl_name for correct SNI

With upstream blocks, nginx sends the block name as SNI instead of the actual hostname. The Tailscale Ingress proxy needs the correct SNI to route TLS connections. Add explicit proxy_ssl_name for each upstream, and set Host header for docs/cv backends.
Co-Authored-By: Claude Opus 4.6 (1M context) 
---
 fly/nginx.conf | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fly/nginx.conf b/fly/nginx.conf
index ca4eb11..5723722 100644
--- a/fly/nginx.conf
+++ b/fly/nginx.conf
@@ -93,6 +93,8 @@ http {
 proxy_pass https://docs_backend$request_uri;
 proxy_ssl_verify off;
 proxy_ssl_server_name on;
+ proxy_ssl_name docs.tail8d86e.ts.net;
+ proxy_set_header Host docs.tail8d86e.ts.net;
 proxy_intercept_errors on;
 proxy_http_version 1.1;
@@ -135,6 +137,8 @@ http {
 proxy_pass https://cv_backend$request_uri;
 proxy_ssl_verify off;
 proxy_ssl_server_name on;
+ proxy_ssl_name cv.tail8d86e.ts.net;
+ proxy_set_header Host cv.tail8d86e.ts.net;
 proxy_intercept_errors on;
 proxy_http_version 1.1;
@@ -208,6 +212,7 @@ http {
 proxy_pass https://forge_backend$request_uri;
 proxy_ssl_verify off;
 proxy_ssl_server_name on;
+ proxy_ssl_name forge.tail8d86e.ts.net;
 proxy_intercept_errors on;
 proxy_set_header Host $host;
@@ -226,6 +231,7 @@ http {
 proxy_pass https://forge_backend$request_uri;
 proxy_ssl_verify off;
 proxy_ssl_server_name on;
+ proxy_ssl_name forge.tail8d86e.ts.net;
 proxy_http_version 1.1;
 proxy_set_header Connection $connection_upgrade;
@@ -248,6 +254,7 @@ http {
 proxy_pass https://forge_backend$request_uri;
 proxy_ssl_verify off;
 proxy_ssl_server_name on;
+ proxy_ssl_name forge.tail8d86e.ts.net;
 proxy_http_version 1.1;
 proxy_set_header Connection $connection_upgrade;
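Review bot: The backend hostname `docs.tail8d86e.ts.net` is now written twice in this hunk (SNI and Host), and the same pattern repeats for `cv.tail8d86e.ts.net` in the second hunk and `forge.tail8d86e.ts.net` in the four forge hunks, so a rename of the tailnet node means editing eight literals that must stay consistent. A per-backend variable, e.g. `set $docs_host docs.tail8d86e.ts.net;` followed by `proxy_ssl_name $docs_host;` and `proxy_set_header Host $docs_host;`, keeps SNI and Host from drifting apart, since both directives accept variables. Note also that with `proxy_ssl_verify off` left in place the new `proxy_ssl_name` only selects the SNI the Ingress routes on and is never compared against the upstream certificate; a comment on the new line such as `# SNI only: proxy_ssl_verify is off, so this name is not validated against the upstream cert` would stop a later reader from assuming the name is authenticated. The enclosing location block starts and ends outside the hunk.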
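Review bot: The forge locations now send `forge.tail8d86e.ts.net` as SNI while the existing `proxy_set_header Host $host;` two lines below still forwards the client's Host, so the TLS server name and the HTTP Host the backend sees differ. The commit message says only docs/cv get a Host override, so this looks deliberate, but nothing in the config records why the forge backend is treated differently. A one-line comment on the new directive, `# SNI must be the tailnet name for Ingress routing; Host stays $host so forge sees the public hostname`, would capture the intent, and the same applies to the three later forge hunks. The enclosing location block starts and ends outside the hunk.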
@@ -264,6 +271,7 @@ http {
 proxy_pass https://forge_backend$request_uri;
 proxy_ssl_verify off;
 proxy_ssl_server_name on;
+ proxy_ssl_name forge.tail8d86e.ts.net;
 proxy_intercept_errors on;
 # NO proxy_cache — dynamic content with sessions