fix: add timeouts to avoid goroutine leaks in net/http (#14995)

The following code can reproduce an unending go-routine buildup,
while keeping connections established due to the client
not closing the connections.

https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1

Without this PR all MinIO deployments can be subjected to
denial of service attacks, causing the entire service to be
unavailable.

We bring in two timeouts at this stage to control such
go-routine build ups. New changes:

- IdleTimeout (to kill off idle connections)
- ReadHeaderTimeout (to kill off connections that are too slow)

This new change also brings two hidden options to make any
additional relevant changes if desired in some setups.
Harshavardhana
2022-05-30 06:24:51 -07:00
committed by GitHub
parent c2630bb3a3
commit 5792be71fa
2 changed files with 36 additions and 2 deletions
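
An added example, not code from the MinIO repository: a loopback check in Go, using only net/http, of what the two timeouts named in the commit message do to a connection that stalls mid-headers or sits idle after a response. The helper name `closedBy`, the host `example.invalid` and the durations are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// closedBy starts a loopback server with the given timeouts, sends payload,
// and reports whether the server closed the connection itself within wait.
func closedBy(idle, readHeader time.Duration, payload string, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	srv := &http.Server{
		IdleTimeout:       idle,       // 0 means no idle limit (ReadTimeout is unset too)
		ReadHeaderTimeout: readHeader, // 0 means no header-read limit
		Handler:           http.NotFoundHandler(),
	}
	go srv.Serve(ln)
	defer srv.Close()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	if _, err := io.WriteString(conn, payload); err != nil {
		return false, err
	}
	conn.SetReadDeadline(time.Now().Add(wait))
	_, err = io.Copy(io.Discard, conn) // returns once the server closes the connection
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return false, nil // still open at our deadline: the goroutine is still parked
	}
	return true, nil
}

func main() {
	stall := "GET / HTTP/1.1\r\nHost: example.invalid\r\n" // constructed: headers never finished
	for _, d := range []time.Duration{0, 200 * time.Millisecond} {
		closed, err := closedBy(d, d, stall, time.Second)
		fmt.Println("timeouts:", d, "server closed stalled connection:", closed, err)
	}
}
```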

@@ -73,6 +73,20 @@ var ServerFlags = []cli.Flag{
EnvVar: "MINIO_SHUTDOWN_TIMEOUT",
Hidden: true,
},
cli.DurationFlag{
Name: "idle-timeout",
Value: xhttp.DefaultIdleTimeout,
Usage: "idle timeout is the maximum amount of time to wait for the next request when keep-alives are enabled",
EnvVar: "MINIO_IDLE_TIMEOUT",
Hidden: true,
},
cli.DurationFlag{
Name: "read-header-timeout",
Value: xhttp.DefaultReadHeaderTimeout,
Usage: "read header timeout is the amount of time allowed to read request headers",
EnvVar: "MINIO_READ_HEADER_TIMEOUT",
Hidden: true,
},
}
var serverCmd = cli.Command{
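Review bot: nothing in this hunk rejects a zero or negative value for the new "idle-timeout" and "read-header-timeout" flags, which can also be set through MINIO_IDLE_TIMEOUT and MINIO_READ_HEADER_TIMEOUT. In net/http a non-positive IdleTimeout or ReadHeaderTimeout falls back to ReadTimeout and, when that is unset as well, means no timeout, so setting either variable to 0 would silently restore the unbounded behaviour the commit message describes. Consider validating the parsed duration where it is consumed (reject it, or fall back to xhttp.DefaultIdleTimeout / xhttp.DefaultReadHeaderTimeout) and stating in each Usage string what 0 means. Both flags are Hidden: true and so do not show up in the help output, which makes a code comment giving the default values worthwhile too.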
@@ -486,6 +500,8 @@ func serverMain(ctx *cli.Context) {
UseHandler(setCriticalErrorHandler(corsHandler(handler))).
UseTLSConfig(newTLSConfig(getCert)).
UseShutdownTimeout(ctx.Duration("shutdown-timeout")).
UseIdleTimeout(ctx.Duration("idle-timeout")).
UseReadHeaderTimeout(ctx.Duration("read-header-timeout")).
UseBaseContext(GlobalContext).
UseCustomLogger(log.New(ioutil.Discard, "", 0)) // Turn-off random logging by Go stdlib
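Review bot: the UseIdleTimeout and UseReadHeaderTimeout calls bound the keep-alive wait and the header read, but the lines visible in this hunk set no limit on how long a request body may take to arrive once the headers are complete. If that is deliberate, add a short comment above these two calls saying which connection phases the timeouts cover and which are left to other limits, so a later reader does not assume every phase of a connection is bounded.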