From 197c564f2032becba14aeec0152fe5eeb639d6c1 Mon Sep 17 00:00:00 2001
From: Matthew Holt <mholt@users.noreply.github.com>
Date: Tue, 19 Nov 2024 11:24:12 -0700
Subject: [PATCH] caddyhttp: Set default ReadHeaderTimeout (1 min)

Ref. #6663
---
 modules/caddyhttp/app.go    | 22 +++++++++++++++++-----
 modules/caddyhttp/server.go |  1 +
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go
index 2d221265..850d3aa8 100644
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@@ -401,6 +401,9 @@ func (app *App) Provision(ctx caddy.Context) error {
 		if srv.IdleTimeout == 0 {
 			srv.IdleTimeout = defaultIdleTimeout
 		}
+		if srv.ReadHeaderTimeout == 0 {
+			srv.ReadHeaderTimeout = defaultReadHeaderTimeout // see #6663
+		}
 	}
 	ctx.Context = oldContext
 	return nil
@@ -770,11 +773,20 @@ func (app *App) httpsPort() int {
 	return app.HTTPSPort
 }
 
-// defaultIdleTimeout is the default HTTP server timeout
-// for closing idle connections; useful to avoid resource
-// exhaustion behind hungry CDNs, for example (we've had
-// several complaints without this).
-const defaultIdleTimeout = caddy.Duration(5 * time.Minute)
+const (
+	// defaultIdleTimeout is the default HTTP server timeout
+	// for closing idle connections; useful to avoid resource
+	// exhaustion behind hungry CDNs, for example (we've had
+	// several complaints without this).
+	defaultIdleTimeout = caddy.Duration(5 * time.Minute)
+
+	// defaultReadHeaderTimeout is the default timeout for
+	// reading HTTP headers from clients. Headers are generally
+	// small, often less than 1 KB, so it shouldn't take a
+	// long time even on legitimately slow connections or
+	// busy servers to read it.
+	defaultReadHeaderTimeout = caddy.Duration(time.Minute)
+)
 
 // Interface guards
 var (
diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go
index 24fecfd8..12c032de 100644
--- a/modules/caddyhttp/server.go
+++ b/modules/caddyhttp/server.go
@@ -61,6 +61,7 @@ type Server struct {
 	ReadTimeout caddy.Duration `json:"read_timeout,omitempty"`
 
 	// ReadHeaderTimeout is like ReadTimeout but for request headers.
+	// Default is 1 minute.
 	ReadHeaderTimeout caddy.Duration `json:"read_header_timeout,omitempty"`
 
 	// WriteTimeout is how long to allow a write to a client. Note