Implemented advanced proxy configuration

Author: krizcold

README.md

@@ -42,6 +42,17 @@ environment:
   ALLOW_HASH_CONTENT_PATHS: "true"       # Optional: Allow /[40-hex-char]/* paths without auth (for Stremio, etc.)
 ```
 
+**Proxy Behavior (Advanced):**
+```yaml
+  # These have sensible defaults - only override if needed
+  PROXY_BUFFERING: "off"                 # Default: off. Use "on" for caching/rate-limiting support
+  PROXY_REQUEST_BUFFERING: "off"         # Default: off. Use "on" if backend needs full body before processing
+  PROXY_CONNECT_TIMEOUT: "300s"          # Default: 300s. Time to establish backend connection
+  PROXY_SEND_TIMEOUT: "300s"             # Default: 300s. Timeout between write operations to backend
+  PROXY_READ_TIMEOUT: "300s"             # Default: 300s. Timeout between read operations from backend
+  CLIENT_MAX_BODY_SIZE: "0"              # Default: 0 (unlimited). Use "10G" or "100M" to limit uploads
+```
+
 ## Authentication Modes
 
 The system automatically selects the authentication mode based on which environment variables are configured:
@@ -483,6 +494,73 @@ The `ALLOW_HASH_CONTENT_PATHS` feature is useful for:
 - Applications where the content hash acts as an access token
 - Stremio and similar streaming applications
 
+### Supported Features
+
+| Feature | Status | Notes |
+|---------|--------|-------|
+| Standard HTTP/1.1 apps | ✅ | Fully supported |
+| WebSocket connections | ✅ | Automatic detection and upgrade |
+| Video/audio streaming | ✅ | Buffering disabled by default |
+| Large file uploads | ✅ | Unlimited by default |
+| Server-Sent Events (SSE) | ✅ | Proper headers configured |
+| Long-polling requests | ✅ | 5-minute timeouts |
+| REST APIs | ✅ | All methods supported |
+
+### Known Limitations
+
+| Feature | Status | Reason |
+|---------|--------|--------|
+| gRPC | ❌ | Requires `grpc_pass` directive and HTTP/2 - fundamentally different from HTTP proxying |
+| HTTP/2 to backend | ❌ | Uses HTTP/1.1 for backend connections (sufficient for 99% of apps) |
+| Headers with underscores | ⚠️ | Ignored by default (nginx default behavior) |
+
+**Note on gRPC:** Applications using gRPC (some CI/CD tools, Kubernetes services) cannot be proxied through NGINX Hash Lock. gRPC requires a completely different nginx configuration using `grpc_pass` instead of `proxy_pass`.
+
+## Proxy Behavior Configuration
+
+NGINX Hash Lock is designed to work with **any application** out of the box. The defaults prioritize compatibility over performance.
+
+### Environment Variables Reference
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `PROXY_BUFFERING` | `off` | Response buffering. `off` = streaming-friendly, `on` = better for caching |
+| `PROXY_REQUEST_BUFFERING` | `off` | Request buffering. `off` = large uploads work, `on` = backend gets full body first |
+| `PROXY_CONNECT_TIMEOUT` | `300s` | Time allowed to establish connection with backend |
+| `PROXY_SEND_TIMEOUT` | `300s` | Timeout between successive write operations to backend |
+| `PROXY_READ_TIMEOUT` | `300s` | Timeout between successive read operations from backend |
+| `CLIENT_MAX_BODY_SIZE` | `0` | Maximum upload size. `0` = unlimited, or use `10G`, `100M`, etc. |
+
+### When to Override Defaults
+
+**Most apps need no configuration** - the defaults handle:
+- Video/audio streaming (Stremio, Jellyfin, Plex)
+- Large file uploads (ConvertX, file managers)
+- WebSocket connections (terminals, real-time apps)
+- Server-Sent Events (SSE)
+- Long-polling requests
+
+**Override only if:**
+
+| Scenario | Setting |
+|----------|---------|
+| Need nginx-level caching | `PROXY_BUFFERING=on` |
+| Need nginx rate-limiting | `PROXY_BUFFERING=on` |
+| Backend requires full request before processing | `PROXY_REQUEST_BUFFERING=on` |
+| Want to limit upload sizes | `CLIENT_MAX_BODY_SIZE=10G` |
+| Very long operations (>5 min) | `PROXY_READ_TIMEOUT=3600s` |
+
+### What's Fixed Automatically
+
+These issues are handled without configuration:
+
+| Feature | Implementation |
+|---------|----------------|
+| WebSocket support | Correct `Connection` header via nginx `map` directive |
+| Forwarded headers | `X-Forwarded-Proto`, `X-Forwarded-Host`, `X-Forwarded-Port` |
+| SSE support | `X-Accel-Buffering: no` header |
+| Backend redirects | Proper redirect rewriting |
+
 ## Building & Publishing
 
 The Docker image is automatically built and published to GitHub Container Registry via GitHub Actions on every push to `main`.

entrypoint.sh

@@ -36,6 +36,32 @@ sed -i "s/BACKEND_HOST_PLACEHOLDER/$BACKEND_HOST/g" /etc/nginx/nginx.conf
 sed -i "s/BACKEND_PORT_PLACEHOLDER/$BACKEND_PORT/g" /etc/nginx/nginx.conf
 sed -i "s/LISTEN_PORT_PLACEHOLDER/$LISTEN_PORT/g" /etc/nginx/nginx.conf
 
+# These defaults prioritize compatibility over performance
+PROXY_BUFFERING="${PROXY_BUFFERING:-off}"
+PROXY_REQUEST_BUFFERING="${PROXY_REQUEST_BUFFERING:-off}"
+PROXY_CONNECT_TIMEOUT="${PROXY_CONNECT_TIMEOUT:-300s}"
+PROXY_SEND_TIMEOUT="${PROXY_SEND_TIMEOUT:-300s}"
+PROXY_READ_TIMEOUT="${PROXY_READ_TIMEOUT:-300s}"
+CLIENT_MAX_BODY_SIZE="${CLIENT_MAX_BODY_SIZE:-0}"
+
+echo "========================================="
+echo "Proxy Configuration:"
+echo "  PROXY_BUFFERING: $PROXY_BUFFERING"
+echo "  PROXY_REQUEST_BUFFERING: $PROXY_REQUEST_BUFFERING"
+echo "  PROXY_CONNECT_TIMEOUT: $PROXY_CONNECT_TIMEOUT"
+echo "  PROXY_SEND_TIMEOUT: $PROXY_SEND_TIMEOUT"
+echo "  PROXY_READ_TIMEOUT: $PROXY_READ_TIMEOUT"
+echo "  CLIENT_MAX_BODY_SIZE: $CLIENT_MAX_BODY_SIZE"
+echo "========================================="
+
+# Replace proxy behavior placeholders
+sed -i "s/PROXY_BUFFERING_PLACEHOLDER/$PROXY_BUFFERING/g" /etc/nginx/nginx.conf
+sed -i "s/PROXY_REQUEST_BUFFERING_PLACEHOLDER/$PROXY_REQUEST_BUFFERING/g" /etc/nginx/nginx.conf
+sed -i "s/PROXY_CONNECT_TIMEOUT_PLACEHOLDER/$PROXY_CONNECT_TIMEOUT/g" /etc/nginx/nginx.conf
+sed -i "s/PROXY_SEND_TIMEOUT_PLACEHOLDER/$PROXY_SEND_TIMEOUT/g" /etc/nginx/nginx.conf
+sed -i "s/PROXY_READ_TIMEOUT_PLACEHOLDER/$PROXY_READ_TIMEOUT/g" /etc/nginx/nginx.conf
+sed -i "s/CLIENT_MAX_BODY_SIZE_PLACEHOLDER/$CLIENT_MAX_BODY_SIZE/g" /etc/nginx/nginx.conf
+
 # Determine authentication mode
 AUTH_MODE="none"
 if [ -n "$AUTH_HASH" ] && [ -n "$USER" ] && [ -n "$PASSWORD" ]; then
@@ -207,11 +233,18 @@ if [ "$ALLOW_HASH_CONTENT_PATHS" = "true" ] || [ "$ALLOW_HASH_CONTENT_PATHS" = "
             set \$backend_upstream "$BACKEND_HOST:$BACKEND_PORT";
             proxy_pass http://\$backend_upstream;
             proxy_http_version 1.1;
+
+            # === Standard proxy headers ===
             proxy_set_header Host \$host;
             proxy_set_header X-Real-IP \$remote_addr;
             proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto \$scheme;
+            proxy_set_header X-Forwarded-Host \$host;
+            proxy_set_header X-Forwarded-Port \$server_port;
+
+            # === WebSocket support (uses map for correct behavior) ===
             proxy_set_header Upgrade \$http_upgrade;
-            proxy_set_header Connection "upgrade";
+            proxy_set_header Connection \$connection_upgrade;
         }
 EOF
 

nginx.conf

@@ -14,13 +14,22 @@ http {
     tcp_nodelay on;
     keepalive_timeout 65;
 
+    # Automatically sets Connection header based on whether it's a WebSocket request
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
     # Trust proxy headers for proper redirects
     map $http_x_forwarded_proto $redirect_scheme {
         default $scheme;
         https https;
         http http;
     }
 
+    # === Client body size (for file uploads) ===
+    client_max_body_size CLIENT_MAX_BODY_SIZE_PLACEHOLDER;
+
     # Use container cache directories
     client_body_temp_path /var/cache/nginx/client_temp;
     proxy_temp_path /var/cache/nginx/proxy_temp;
@@ -38,6 +47,23 @@ http {
         # Force relative redirects (don't include scheme/host/port)
         absolute_redirect off;
 
+        # === Proxy buffering (configurable for streaming vs caching) ===
+        proxy_buffering PROXY_BUFFERING_PLACEHOLDER;
+        proxy_request_buffering PROXY_REQUEST_BUFFERING_PLACEHOLDER;
+
+        # === Extended timeouts for streaming/WebSocket/long-polling ===
+        proxy_connect_timeout PROXY_CONNECT_TIMEOUT_PLACEHOLDER;
+        proxy_send_timeout PROXY_SEND_TIMEOUT_PLACEHOLDER;
+        proxy_read_timeout PROXY_READ_TIMEOUT_PLACEHOLDER;
+
+        # === Buffer sizes (used when buffering is enabled) ===
+        proxy_buffer_size 128k;
+        proxy_buffers 4 256k;
+        proxy_busy_buffers_size 256k;
+
+        # === SSE/EventSource support ===
+        proxy_set_header X-Accel-Buffering no;
+
         # Custom error pages
         error_page 403 /403.html;
         location = /403.html {
@@ -88,23 +114,37 @@ http {
             set $backend_upstream "BACKEND_HOST_PLACEHOLDER:BACKEND_PORT_PLACEHOLDER";
             proxy_pass http://$backend_upstream;
             proxy_http_version 1.1;
+
+            # === Standard proxy headers ===
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+            proxy_set_header X-Forwarded-Port $server_port;
+
+            # === WebSocket support (uses map for correct behavior) ===
             proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
+            proxy_set_header Connection $connection_upgrade;
         }
 
         # Allow specific file extensions if configured (optional static assets)
         location ~* \.(ALLOWED_EXTENSIONS_PLACEHOLDER)$ {
             set $backend_upstream "BACKEND_HOST_PLACEHOLDER:BACKEND_PORT_PLACEHOLDER";
             proxy_pass http://$backend_upstream;
             proxy_http_version 1.1;
+
+            # === Standard proxy headers ===
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+            proxy_set_header X-Forwarded-Port $server_port;
+
+            # === WebSocket support (uses map for correct behavior) ===
             proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
+            proxy_set_header Connection $connection_upgrade;
         }
 
         # Main location - authentication logic will be inserted here
@@ -113,12 +153,24 @@ AUTH_CHECK_BLOCK_PLACEHOLDER
             set $backend_upstream "BACKEND_HOST_PLACEHOLDER:BACKEND_PORT_PLACEHOLDER";
             proxy_pass http://$backend_upstream;
             proxy_http_version 1.1;
+
+            # === Standard proxy headers ===
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+            proxy_set_header X-Forwarded-Port $server_port;
+
+            # === WebSocket support (uses map for correct behavior) ===
             proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
+            proxy_set_header Connection $connection_upgrade;
+
             proxy_set_header Cookie $http_cookie;
+
+            # === Handle redirects from backend ===
+            proxy_redirect http://$backend_upstream/ /;
+            proxy_redirect https://$backend_upstream/ /;
         }
     }
 }