Switch Fly proxy to upstream keepalive pools #337

Merged
eblume merged 6 commits from fly-proxy-keepalive into main 2026-04-17 16:39:52 -07:00
Showing only changes of commit 903db4079d - Show all commits

Fix upstream keepalive: set proxy_ssl_name for correct SNI

With upstream blocks, nginx sends the block name as SNI instead of
the actual hostname. The Tailscale Ingress proxy needs the correct
SNI to route TLS connections. Add explicit proxy_ssl_name for each
upstream, and set Host header for docs/cv backends.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Erich Blume 2026-04-17 15:51:51 -07:00


@ -93,6 +93,8 @@ http {
proxy_pass https://docs_backend$request_uri; proxy_pass https://docs_backend$request_uri;
proxy_ssl_verify off; proxy_ssl_verify off;
proxy_ssl_server_name on; proxy_ssl_server_name on;
proxy_ssl_name docs.tail8d86e.ts.net;
proxy_set_header Host docs.tail8d86e.ts.net;
proxy_intercept_errors on; proxy_intercept_errors on;
proxy_http_version 1.1; proxy_http_version 1.1;
@ -135,6 +137,8 @@ http {
proxy_pass https://cv_backend$request_uri; proxy_pass https://cv_backend$request_uri;
proxy_ssl_verify off; proxy_ssl_verify off;
proxy_ssl_server_name on; proxy_ssl_server_name on;
proxy_ssl_name cv.tail8d86e.ts.net;
proxy_set_header Host cv.tail8d86e.ts.net;
proxy_intercept_errors on; proxy_intercept_errors on;
proxy_http_version 1.1; proxy_http_version 1.1;
@ -208,6 +212,7 @@ http {
proxy_pass https://forge_backend$request_uri; proxy_pass https://forge_backend$request_uri;
proxy_ssl_verify off; proxy_ssl_verify off;
proxy_ssl_server_name on; proxy_ssl_server_name on;
proxy_ssl_name forge.tail8d86e.ts.net;
proxy_intercept_errors on; proxy_intercept_errors on;
proxy_set_header Host $host; proxy_set_header Host $host;
@ -226,6 +231,7 @@ http {
proxy_pass https://forge_backend$request_uri; proxy_pass https://forge_backend$request_uri;
proxy_ssl_verify off; proxy_ssl_verify off;
proxy_ssl_server_name on; proxy_ssl_server_name on;
proxy_ssl_name forge.tail8d86e.ts.net;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
@ -248,6 +254,7 @@ http {
proxy_pass https://forge_backend$request_uri; proxy_pass https://forge_backend$request_uri;
proxy_ssl_verify off; proxy_ssl_verify off;
proxy_ssl_server_name on; proxy_ssl_server_name on;
proxy_ssl_name forge.tail8d86e.ts.net;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
@ -264,6 +271,7 @@ http {
proxy_pass https://forge_backend$request_uri; proxy_pass https://forge_backend$request_uri;
proxy_ssl_verify off; proxy_ssl_verify off;
proxy_ssl_server_name on; proxy_ssl_server_name on;
proxy_ssl_name forge.tail8d86e.ts.net;
proxy_intercept_errors on; proxy_intercept_errors on;
# NO proxy_cache dynamic content with sessions # NO proxy_cache dynamic content with sessions
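Review bot: `proxy_ssl_verify off;` stays in all six locations touched here (docs_backend, cv_backend and the four forge_backend blocks), so the `proxy_ssl_name` this commit adds only selects the SNI and is never checked against the certificate the upstream presents. Since the expected name is now pinned per upstream, this is the natural place to turn verification on, e.g. `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate <path-to-CA-bundle>;` (placeholder path; the right bundle depends on who issues the ts.net certificates). If verification is deliberately left off because the hop is assumed to be protected by the tailnet, a short comment next to the directive saying so would keep the pattern from being copied to an upstream that is not tunnelled. Separately, in the docs and cv locations the new `proxy_set_header Host …;` stops any `proxy_set_header` defined at `http` or `server` level from being inherited, unless the location already sets headers of its own. The surrounding lines are outside the hunks, so that should be confirmed against the full file.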