HAProxy community

HAProxy Server-Sent-Events timeout configuration

Can someone please clarify which timeouts have to be configured for Server-Sent-Events to work?

There is no explicit reference to SSE in the documentation, and after implementing multiple recommendations, e.g., "How can I configure HAProxy to work with server sent events?", it appears that the settings timeout tunnel, server-fin, client-fin that people suggest have no impact whatsoever.

Timeout client and timeout server let SSE work when their value, e.g., 60 seconds, is higher than the heartbeat frequency, e.g., 45 seconds, at which the backend server produces a CommentEvent in case no data exists to be sent to the client.

However, Server-Sent-Events won’t work if, e.g., I send ping events every 60 seconds, but the timeout client and timeout server are 45 seconds (regardless of the values of timeout tunnel, timeout server-fin, timeout client-fin).
I was expecting the timeout tunnel (or something similar) to work for SSE and bypass client and server timeout like it’s supposed to do for Websockets, but it looks like timeout client and timeout server are the only settings that work…

Is this the intended behaviour? What’s the recommended configuration if I want to have high event update intervals for Server-Sent-Events, e.g., send a ping event only every 5 minutes if no data is available, ideally whilst maintaining lower timeouts for everything else?

I’ve pasted my configuration below. The behaviour is exactly the same whether I use haproxy 1.9.8 or 2.0.2, HTTP/2 or not, etc.

Thanks in advance!

global
    daemon
    log stdout local0

    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
    ssl-default-server-ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-dh-param-file /etc/haproxy/dhparam.pem

defaults
    log global
    mode http

    option httplog
    option http-server-close
    option http-use-htx

    timeout connect 3s
    # Only when I increase these 2 from 5s to n minutes it works (but it affects other requests than SSE as the sse backend also handles POST/PUT/DELETE requests that have nothing to do with Server-Sent-Events and for which I'd like to maintain the lower 5 secs timeouts)
    timeout client 5s
    timeout server 5s
    # These below don't do anything for SSEs?
    timeout client-fin 10m
    timeout server-fin 10m
    timeout tunnel 10m


frontend https-in
    bind :443 ssl crt /somedir/server.pem alpn h2,http/1.1
    
    bind :80
    redirect scheme https if !{ ssl_fc }
    
    acl sse_url path /sse
    use_backend sse if sse_url

    default_backend otherstuff


backend otherstuff
    server other1 some-ip:3000 check ssl verify none

backend sse
    server sse1 some-ip:3001 check ssl verify none
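
An added example, not part of the original post: a small Python check that reads the timeout directives from a configuration like the one above and tests whether an SSE heartbeat interval fits inside the effective `timeout client` / `timeout server`, which is the behaviour the post observes. The function names and the trimmed sample configuration are constructed for illustration; section inheritance is simplified to a single `defaults` block.

```python
import re

# Constructed sample: only the timeout-relevant lines of the configuration posted above.
SAMPLE_CFG = """
defaults
    timeout client 5s
    timeout server 5s
    timeout tunnel 10m
frontend https-in
    use_backend sse if sse_url
backend sse
    server sse1 some-ip:3001 check ssl verify none
"""

UNITS = {"us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600, "d": 86400}
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")

def to_seconds(value):
    """Convert an HAProxy duration ('5s', '10m'); a bare number is milliseconds."""
    m = re.fullmatch(r"(\d+)(us|ms|s|m|h|d)?", value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "ms"]

def parse_timeouts(cfg):
    """Map 'defaults' / 'frontend NAME' / 'backend NAME' to {timeout: seconds}."""
    out, current = {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTIONS:
            current = words[0] if words[0] in ("global", "defaults") else " ".join(words[:2])
            out.setdefault(current, {})
        elif words[0] == "timeout" and len(words) >= 3 and current:
            out[current][words[1]] = to_seconds(words[2])
    return out

def sse_idle_limit(cfg, frontend, backend):
    """Lower of the effective timeout client and timeout server, in seconds.
    timeout tunnel is ignored: an SSE response is not an upgraded connection."""
    t = parse_timeouts(cfg)
    d = t.get("defaults", {})
    client = t.get(f"frontend {frontend}", {}).get("client", d.get("client", float("inf")))
    server = t.get(f"backend {backend}", {}).get("server", d.get("server", float("inf")))
    return min(client, server)

def heartbeat_ok(cfg, frontend, backend, heartbeat_s):
    return heartbeat_s < sse_idle_limit(cfg, frontend, backend)
```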