Kong/nginx/CLB - closes connection with SSE Notification

Questions
1

I have two different Kubernetes cluster (EKS on AWS) with TEST/PROD environments. tomcat version, configuration of application and application version is the same on the both environments.

however on one TEST cluster I have in front of Classic Load Balancer because of Kong which is based on nginx and from some reason SSE notification are not working, it means that requesting for the specific URL closes connection because I am getting some headers like Connection: close and it’s not keeping alive like expected therefore I am not getting any sse notifications

on PROD Cluster (Application Load Balancer) everything works as expected, after requesting URL connection is keeping and notification are received. any ideas what’s wrong with that?

there is some configuration of nginx in kong

    location / {
        set $kong_proxy_mode             'http';

        proxy_http_version      1.1;
        proxy_buffering          off;
        proxy_request_buffering  off;
        proxy_cache off;
        chunked_transfer_encoding off;
        proxy_set_header Connection "Keep-Alive";
        proxy_set_header Proxy-Connection "Keep-Alive";
}
2

That’d suggest it’s something particular to classic load balancers, though I’m not familiar enough with AWS behavior to say what and didn’t see anything that looked relevant with a brief search.

Kong itself shouldn’t inject Connection: close unless you instruct it to with a plugin (normally Response Transformer). You could check to see if it’s adding that header by using kubectl port-forward to bypass the load balancer, but it shouldn’t. Connection is a hop-by-hop header regardless, so the header your client sees is wholly up to the ELB if the ELB is HTTP-aware–it may be that the ELB adds that header if it sees a Connection: close from upstream, but again, that’s beyond my knowledge of their behavior.

We do typically recommend using TLS or TCP load balancers in front of Kong if possible, though in some cases that’s not an option (usually if you need some other AWS integration that requires an HTTP load balancer, such as using their managed certificates). If you do need an HTTP load balancer in front, is there any reason not to use an ALB in test also?