From 532285e48c70b965b8fade6fd274da90098f6561 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sun, 26 Apr 2026 12:32:05 +0000
Subject: [PATCH] traefik: raise websecure idleTimeout 180s -> 600s for iOS Immich -1005 iOS NSURLSession held a dead TCP/TLS socket past Traefik's 180s idle close, then errored with NSURLErrorDomain -1005 on the next thumbnail. Bumping the timeout to 600s pushes the bug to "app idle for >10 min" -- much rarer in normal use. Verified with /home/wizard/.claude/immich-scroll-sim.py keepalive probe: 200s idle, mean reuse latency +1.8ms over warmup (was ~50ms TLS handshake penalty before). Synthesis: ~/.claude/immich-debug/synthesis.md.
---
 stacks/traefik/modules/traefik/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf
index 788b1678..14d0e907 100644
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@@ -200,7 +200,7 @@ resource "helm_release" "traefik" {
 # Explicit entrypoint timeouts to bound tail latency from slow clients
 "--entryPoints.websecure.transport.respondingTimeouts.readTimeout=60s",
 "--entryPoints.websecure.transport.respondingTimeouts.writeTimeout=60s",
- "--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=180s",
+ "--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=600s",
 # Use forwarded headers from trusted proxies
 "--entryPoints.websecure.forwardedHeaders.insecure=false",
 "--entryPoints.web.forwardedHeaders.insecure=false",
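Review bot: The new `idleTimeout=600s` line sits under a comment that says these timeouts exist to bound slow clients, yet nothing in the file records why the idle value is now more than three times the old one. On a TLS entrypoint each idle keep-alive connection can now hold a socket and its session state for up to ten minutes, so the idle-connection footprint under load grows accordingly. I would add a comment above the line such as `# 600s: iOS NSURLSession reuses sockets idle past 180s (Immich -1005); raises idle-conn footprint, revisit if connection counts climb`. It is also worth confirming that nothing in front of Traefik (load balancer, NAT, tunnel) drops idle flows sooner than 600s, which this hunk does not show, since that would reproduce the same stale-socket error regardless of this setting. The args list starts and ends outside the hunk.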