Commit f49e0c9b authored by Matthew Holt's avatar Matthew Holt

httpserver: Disable default timeouts (closes #1464)

Timeouts are important for mitigating slowloris, yes. But after a number
of complaints and seeing that default timeouts are a sore point of
confusion, we're disabling them now. However, the code that sets
default timeouts remains intact; the defaults are just the zero value.

While Caddy aims to be secure by default, Caddy also aims to serve a
worldwide audience. Even my own internet here in Utah is poor at times,
with bad WiFi signal, causing some connections to take over 10s to
be established. Many use the Internet while commuting on slower
connection speeds. Latency across country borders is another concern.

As such, disabling default timeouts will serve a greater population of
users than enabling them, as slowloris is easy to mitigate and does
not seem to be reported often (I've only seen it once). It's also very
difficult sometimes to distinguish slowloris from genuine slow networks.
That decision is best left to the site owner for now.
parent ccdc2863
...@@ -437,15 +437,9 @@ func (s *Server) OnStartupComplete() { ...@@ -437,15 +437,9 @@ func (s *Server) OnStartupComplete() {
} }
// defaultTimeouts stores the default timeout values to use // defaultTimeouts stores the default timeout values to use
// if left unset by user configuration. Default timeouts, // if left unset by user configuration. NOTE: Default timeouts
// especially for ReadTimeout, are important for mitigating // are disabled (see issue #1464).
// slowloris attacks. var defaultTimeouts Timeouts
var defaultTimeouts = Timeouts{
ReadTimeout: 10 * time.Second,
ReadHeaderTimeout: 10 * time.Second,
WriteTimeout: 20 * time.Second,
IdleTimeout: 2 * time.Minute,
}
// tcpKeepAliveListener sets TCP keep-alive timeouts on accepted // tcpKeepAliveListener sets TCP keep-alive timeouts on accepted
// connections. It's used by ListenAndServe and ListenAndServeTLS so // connections. It's used by ListenAndServe and ListenAndServeTLS so
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment