caddy: Default timeouts are quite low.
(0.9.5) I’ve been using Caddy as a reverse proxy to provide TLS, logging, and gzip to back-end services. I was seeing seemingly random file upload failures with code 502 and an error message “client disconnected” in the log. Eventually I figured out that the requests were timing out.
I think the solution is to have either higher timeout values by default or an explicit log message when a timeout occurs.
Thanks, JohnnyLee
About this issue
- State: closed
- Created 7 years ago
- Comments: 16 (6 by maintainers)
The default timeouts are set at what they are because, in my local testing with a slowloris tool, they were the values that mitigated the effects of the attacks the best. Raising them will make servers more vulnerable to resource depletion (depending on exact system configuration and specs).
I hope that people are reading the release notes before they upgrade.
Timeout events should be logged, as @tobya mentioned. I see log messages mentioning “timeout”.
And like I’ve said before, this seems to be frustrating to a number of people, but I don’t know what’s worse: being frustrated because it’s secure by default or being frustrated because your server is attacked with slowloris. I’m not sure that slowloris attacks are common, though, so I’m not sure what to do. Secure by default is kind of the Caddy philosophy…
@pwaller Oops, they’re linked over in https://github.com/mholt/caddy/issues/1422 - I refer to https://github.com/golang/go/issues/18437 and also https://github.com/golang/go/issues/16100.
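The trade-off discussed in this thread, as an added example that is not part of the original issue and is not Caddy's code: a Go `net/http` server (the library the linked golang/go issues concern) with a whole-request `ReadTimeout` cuts off a slow but legitimate upload, while `ReadHeaderTimeout` alone still bounds the header phase that slowloris-style clients stall in and lets the body finish. The names `slowBody` and `upload`, the 300ms timeout and the 50-byte body are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// slowBody (constructed): a slow-link client body, 10 bytes every 200ms.
type slowBody struct{ left int }

func (s *slowBody) Read(p []byte) (int, error) {
	if s.left--; s.left < 0 {
		return 0, io.EOF
	}
	time.Sleep(200 * time.Millisecond)
	return copy(p, "0123456789"), nil
}

// upload serves one slow 50-byte POST; returns bytes the handler got and its read error.
func upload(readTimeout, headerTimeout time.Duration) (int64, error) {
	type result struct{ n int64; err error }
	done := make(chan result, 1)
	srv := &http.Server{
		ReadTimeout:       readTimeout,   // deadline covers headers AND body
		ReadHeaderTimeout: headerTimeout, // deadline covers the header phase only
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			n, err := io.Copy(io.Discard, r.Body)
			done <- result{n, err}
		}),
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer srv.Close()
	go srv.Serve(ln)
	req, _ := http.NewRequest("POST", "http://"+ln.Addr().String()+"/upload", &slowBody{left: 5})
	req.ContentLength = 50
	go http.DefaultClient.Do(req) // client-side outcome is not inspected here
	r := <-done
	return r.n, r.err
}

func main() {
	fmt.Println(upload(300*time.Millisecond, 0)) // ReadTimeout: upload is cut short
	fmt.Println(upload(0, 300*time.Millisecond)) // header-only timeout: upload completes
}
```

In the first call the handler's read error is a network timeout, and nothing in the handler's return path distinguishes it from the client going away unless the error is logged explicitly.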