security fix: Uncontrolled resource consumption (Slowloris)

2023-07-14 16:37:00 +02:00 · 2023-07-14 16:37:00 +02:00 · 499e251796
parent b3b102b2f4
commit 499e251796
5 changed files with 28 additions and 8 deletions
--- a/admin/app.go
+++ b/admin/app.go
@ -58,8 +58,12 @@ func NewApp(cfg *settings.Settings, baseURL string, bind string) App {

 func (app *App) Start() {
 	app.srv = &http.Server{
-		Addr:    app.bind,
-		Handler: app.router,
+		Addr:              app.bind,
+		Handler:           app.router,
+		ReadHeaderTimeout: 15 * time.Second,
+		ReadTimeout:       15 * time.Second,
+		WriteTimeout:      10 * time.Second,
+		IdleTimeout:       30 * time.Second,
 	}

 	log.Printf("Ready, listening on %s\n", app.bind)
--- a/dashboard/app.go
+++ b/dashboard/app.go
@ -52,8 +52,12 @@ func NewApp(htpasswd_file *string, restrict_to_ips *string, baseURL string, bind

 func (app *App) Start() {
 	app.srv = &http.Server{
-		Addr:    app.bind,
-		Handler: app.router,
+		Addr:              app.bind,
+		Handler:           app.router,
+		ReadHeaderTimeout: 15 * time.Second,
+		ReadTimeout:       15 * time.Second,
+		WriteTimeout:      10 * time.Second,
+		IdleTimeout:       30 * time.Second,
 	}

 	log.Printf("Ready, listening on %s\n", app.bind)
--- a/generator/main.go
+++ b/generator/main.go
@ -104,7 +104,11 @@ func main() {
 	signal.Notify(interrupt, os.Interrupt, syscall.SIGTERM)

 	srv := &http.Server{
-		Addr: *bind,
+		Addr:              *bind,
+		ReadHeaderTimeout: 15 * time.Second,
+		ReadTimeout:       15 * time.Second,
+		WriteTimeout:      10 * time.Second,
+		IdleTimeout:       30 * time.Second,
 	}

 	http.HandleFunc("/enqueue", enqueueHandler)
--- a/qa/app.go
+++ b/qa/app.go
@ -50,8 +50,12 @@ func NewApp(baseURL string) App {

 func (app *App) Start(bind string) {
 	app.srv = &http.Server{
-		Addr:    bind,
-		Handler: app.router,
+		Addr:              bind,
+		Handler:           app.router,
+		ReadHeaderTimeout: 15 * time.Second,
+		ReadTimeout:       15 * time.Second,
+		WriteTimeout:      10 * time.Second,
+		IdleTimeout:       30 * time.Second,
 	}

 	if err := app.srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
--- a/receiver/main.go
+++ b/receiver/main.go
@ -88,7 +88,11 @@ func main() {
 	signal.Notify(interrupt, os.Interrupt, syscall.SIGTERM)

 	srv := &http.Server{
-		Addr: *bind,
+		Addr:              *bind,
+		ReadHeaderTimeout: 15 * time.Second,
+		ReadTimeout:       15 * time.Second,
+		WriteTimeout:      10 * time.Second,
+		IdleTimeout:       30 * time.Second,
 	}

 	// Serve pages