From f49e0c9b560ea7efc25c0b15d422b59f42a6edb1 Mon Sep 17 00:00:00 2001 From: Matthew Holt Date: Wed, 22 Feb 2017 08:52:08 -0700 Subject: [PATCH] httpserver: Disable default timeouts (closes #1464) Timeouts are important for mitigating slowloris, yes. But after a number of complaints and seeing that default timeouts are a sore point of confusion, we're disabling them now. However, the code that sets default timeouts remains intact; the defaults are just the zero value. While Caddy aims to be secure by default, Caddy also aims to serve a worldwide audience. Even my own internet here in Utah is poor at times, with bad WiFi signal, causing some connections to take over 10s to be established. Many use the Internet while commuting on slower connection speeds. Latency across country borders is another concern. As such, disabling default timeouts will serve a greater population of users than enabling them, as slowloris is easy to mitigate and does not seem to be reported often (I've only seen it once). It's also very difficult sometimes to distinguish slowloris from genuine slow networks. That decision is best left to the site owner for now. --- caddyhttp/httpserver/server.go | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/caddyhttp/httpserver/server.go b/caddyhttp/httpserver/server.go index d8b8e550..c4067462 100644 --- a/caddyhttp/httpserver/server.go +++ b/caddyhttp/httpserver/server.go @@ -437,15 +437,9 @@ func (s *Server) OnStartupComplete() { } // defaultTimeouts stores the default timeout values to use -// if left unset by user configuration. Default timeouts, -// especially for ReadTimeout, are important for mitigating -// slowloris attacks. -var defaultTimeouts = Timeouts{ - ReadTimeout: 10 * time.Second, - ReadHeaderTimeout: 10 * time.Second, - WriteTimeout: 20 * time.Second, - IdleTimeout: 2 * time.Minute, -} +// if left unset by user configuration. NOTE: Default timeouts +// are disabled (see issue #1464). +var defaultTimeouts Timeouts // tcpKeepAliveListener sets TCP keep-alive timeouts on accepted // connections. It's used by ListenAndServe and ListenAndServeTLS so