From 6a42ac6413ebc41ac98a1deaf31e0a1232744a58 Mon Sep 17 00:00:00 2001
From: Nicholas Wehr
Date: Mon, 19 Jan 2026 21:19:10 +0800
Subject: [PATCH 1/2] boost header buffer to allow for large cookie payloads
---
 custom-domain/dstack-ingress/scripts/entrypoint.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/custom-domain/dstack-ingress/scripts/entrypoint.sh b/custom-domain/dstack-ingress/scripts/entrypoint.sh
index cc608c7..036531c 100644
--- a/custom-domain/dstack-ingress/scripts/entrypoint.sh
+++ b/custom-domain/dstack-ingress/scripts/entrypoint.sh
@@ -154,6 +154,11 @@ server {
 # SSL buffer size (optimized for TLS 1.3)
 ssl_buffer_size 4k;
+ # Boost allowed header size
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+
 # Disable SSL renegotiation
 ssl_early_data off;
 ${client_max_body_size_conf}
From ca966b037c2d0c71cc5db62c902380b7aa2f952f Mon Sep 17 00:00:00 2001
From: Nicholas Wehr
Date: Mon, 19 Jan 2026 21:45:05 +0800
Subject: [PATCH 2/2] reworked to match new buffer settings to existing configuration patterns
---
 custom-domain/dstack-ingress/README.md | 3 ++
 .../dstack-ingress/scripts/entrypoint.sh | 32 ++++++++++++++++---
 .../dstack-ingress/scripts/functions.sh | 29 +++++++++++++++++
 3 files changed, 59 insertions(+), 5 deletions(-)
diff --git a/custom-domain/dstack-ingress/README.md b/custom-domain/dstack-ingress/README.md
index 3b2c478..e9eae37 100644
--- a/custom-domain/dstack-ingress/README.md
+++ b/custom-domain/dstack-ingress/README.md
@@ -180,6 +180,9 @@ configs:
 - `PROXY_READ_TIMEOUT`: Optional value for nginx `proxy_read_timeout` (numeric with optional `s|m|h` suffix, e.g. `30s`) in single-domain mode
 - `PROXY_SEND_TIMEOUT`: Optional value for nginx `proxy_send_timeout` (numeric with optional `s|m|h` suffix, e.g. `30s`) in single-domain mode
 - `PROXY_CONNECT_TIMEOUT`: Optional value for nginx `proxy_connect_timeout` (numeric with optional `s|m|h` suffix, e.g. `10s`) in single-domain mode
+- `PROXY_BUFFER_SIZE`: Optional value for nginx `proxy_buffer_size` (numeric with optional `k|m` suffix, e.g. `128k`) in single-domain mode
+- `PROXY_BUFFERS`: Optional value for nginx `proxy_buffers` (format: `number size`, e.g. `4 256k`) in single-domain mode
+- `PROXY_BUSY_BUFFERS_SIZE`: Optional value for nginx `proxy_busy_buffers_size` (numeric with optional `k|m` suffix, e.g. `256k`) in single-domain mode
 - `CERTBOT_STAGING`: Optional; set this value to the string `true` to set the `--staging` server option on the [`certbot` cli](https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options)
 **Backward Compatibility:**
diff --git a/custom-domain/dstack-ingress/scripts/entrypoint.sh b/custom-domain/dstack-ingress/scripts/entrypoint.sh
index 036531c..25eb559 100644
--- a/custom-domain/dstack-ingress/scripts/entrypoint.sh
+++ b/custom-domain/dstack-ingress/scripts/entrypoint.sh
@@ -28,6 +28,15 @@ fi
 if ! PROXY_CONNECT_TIMEOUT=$(sanitize_proxy_timeout "$PROXY_CONNECT_TIMEOUT"); then
 exit 1
 fi
+if ! PROXY_BUFFER_SIZE=$(sanitize_proxy_buffer_size "$PROXY_BUFFER_SIZE"); then
+ exit 1
+fi
+if ! PROXY_BUFFERS=$(sanitize_proxy_buffers "$PROXY_BUFFERS"); then
+ exit 1
+fi
+if ! PROXY_BUSY_BUFFERS_SIZE=$(sanitize_proxy_buffer_size "$PROXY_BUSY_BUFFERS_SIZE"); then
+ exit 1
+fi
 if ! TXT_PREFIX=$(sanitize_dns_label "$TXT_PREFIX"); then
 exit 1
 fi
@@ -117,6 +126,21 @@ setup_nginx_conf() {
 proxy_connect_timeout_conf=" ${PROXY_CMD}_connect_timeout ${PROXY_CONNECT_TIMEOUT};"
 fi
+ local proxy_buffer_size_conf=""
+ if [ -n "$PROXY_BUFFER_SIZE" ]; then
+ proxy_buffer_size_conf=" proxy_buffer_size ${PROXY_BUFFER_SIZE};"
+ fi
+
+ local proxy_buffers_conf=""
+ if [ -n "$PROXY_BUFFERS" ]; then
+ proxy_buffers_conf=" proxy_buffers ${PROXY_BUFFERS};"
+ fi
+
+ local proxy_busy_buffers_size_conf=""
+ if [ -n "$PROXY_BUSY_BUFFERS_SIZE" ]; then
+ proxy_busy_buffers_size_conf=" proxy_busy_buffers_size ${PROXY_BUSY_BUFFERS_SIZE};"
+ fi
+
 cat </etc/nginx/conf.d/default.conf
 server {
 listen ${PORT} ssl;
@@ -153,11 +177,9 @@ server {
 # SSL buffer size (optimized for TLS 1.3)
 ssl_buffer_size 4k;
-
- # Boost allowed header size
- proxy_buffer_size 128k;
- proxy_buffers 4 256k;
- proxy_busy_buffers_size 256k;
+${proxy_buffer_size_conf}
+${proxy_buffers_conf}
+${proxy_busy_buffers_size_conf}
 # Disable SSL renegotiation
 ssl_early_data off;
diff --git a/custom-domain/dstack-ingress/scripts/functions.sh b/custom-domain/dstack-ingress/scripts/functions.sh
index bf8b80c..1a5a75c 100644
--- a/custom-domain/dstack-ingress/scripts/functions.sh
+++ b/custom-domain/dstack-ingress/scripts/functions.sh
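Review bot: The three new `*_conf` assignments hardcode the `proxy_` directive prefix, while the `proxy_connect_timeout_conf` context line just above builds its directive from `${PROXY_CMD}_`, so the new settings silently stop applying if `PROXY_CMD` is ever set to anything other than `proxy` (the values it can take are not visible in this hunk). nginx's gRPC module only provides `grpc_buffer_size` — there is no `grpc_buffers` or `grpc_busy_buffers_size` — so `proxy_buffer_size_conf=" ${PROXY_CMD}_buffer_size ${PROXY_BUFFER_SIZE};"` would follow the existing pattern for the first directive, and the other two should either be emitted only when `PROXY_CMD` is `proxy` or carry a comment such as `# proxy_buffers / proxy_busy_buffers_size only affect proxy_pass upstreams`. The empty-string defaults also mean each `${..._conf}` expansion leaves a bare blank line in the generated config when its variable is unset; nginx tolerates that, but it is worth knowing when reading the output. `setup_nginx_conf` begins at the hunk header and continues past the end of this hunk.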
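Review bot: With the hardcoded `128k` / `4 256k` / `256k` lines removed and nothing substituted unless the operator sets `PROXY_BUFFER_SIZE`, `PROXY_BUFFERS` and `PROXY_BUSY_BUFFERS_SIZE`, the generated config falls back to nginx's built-in proxy buffer defaults, so the large-cookie case that PATCH 1/2 set out to fix is now handled only on explicit opt-in; if that is intended the README entries should say so, otherwise the sanitizers' empty-value branch could return the previous values as defaults. It would also help to record in the surviving comment which failure these directives address: `proxy_buffer_size` and `proxy_buffers` size the buffer for the upstream *response* header (e.g. large `Set-Cookie` values coming back from the app), whereas an oversized *request* `Cookie` header is governed by `large_client_header_buffers`, which this series does not touch, and the commit message does not say which side failed. The `server { … }` heredoc continues beyond this hunk.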
@@ -83,6 +83,35 @@ sanitize_proxy_timeout() {
 fi
 }
+sanitize_proxy_buffer_size() {
+ local candidate="$1"
+ if [ -z "$candidate" ]; then
+ echo ""
+ return 0
+ fi
+ if [[ "$candidate" =~ ^[0-9]+[kKmM]?$ ]]; then
+ echo "$candidate"
+ else
+ echo "Warning: Ignoring invalid proxy buffer size value: $candidate" >&2
+ echo ""
+ fi
+}
+
+sanitize_proxy_buffers() {
+ local candidate="$1"
+ if [ -z "$candidate" ]; then
+ echo ""
+ return 0
+ fi
+ # Format: number size (e.g., "4 256k")
+ if [[ "$candidate" =~ ^[0-9]+[[:space:]]+[0-9]+[kKmM]?$ ]]; then
+ echo "$candidate"
+ else
+ echo "Warning: Ignoring invalid proxy buffers value: $candidate (expected format: 'number size', e.g., '4 256k')" >&2
+ echo ""
+ fi
+}
+
 get_letsencrypt_account_path() {
 local base_path="/etc/letsencrypt/accounts"
 local api_endpoint="acme-v02.api.letsencrypt.org"
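Review bot: Both sanitizers check each value's syntax in isolation, but nginx validates the three directives against each other when it loads the config — it requires at least two `proxy_buffers`, and `proxy_busy_buffers_size` must be no smaller than the larger of `proxy_buffer_size` and one `proxy_buffers` buffer and smaller than the `proxy_buffers` total minus one buffer — so syntactically valid input such as `PROXY_BUFFERS="1 4k"` (constructed example) passes here and then makes nginx refuse the generated config at startup instead of getting the warn-and-ignore treatment these functions aim for. A header comment on each function along the lines of `# Checks syntax only; nginx enforces the cross-directive size constraints at config load` would make that limit explicit, or the caller could cross-check the three values once all are sanitized. Note also that the `else` branch ends with `echo ""`, so both functions exit 0 on invalid input and the `if ! … exit 1` guards added for them in entrypoint.sh never fire; if that mirrors `sanitize_proxy_timeout` (whose body lies outside this hunk), a one-line comment saying so would save the next reader the check. `sanitize_proxy_timeout` and `get_letsencrypt_account_path` are cut at the hunk edges.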