HTTP Server and Upstream Timeouts (#268)

Related to issue [263](https://github.com/gambol99/keycloak-proxy/issues/263). Permitting the users to set varioues timeouts on the http.Server and upstream proxy

HTTP Server and Upstream Timeouts (#268)
e1fc47a8 · Rohith Jayawardene · GitHub · 0fc5cd46 · e1fc47a8 · e1fc47a8
Commit e1fc47a8 authored Sep 3, 2017 by Rohith Jayawardene Committed by GitHub Sep 3, 2017
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@ FEATURES
 * moved to use zap for the logging [#PR237](https://github.com/gambol99/keycloak-proxy/pull/237)
 * making the X-Auth-Token optional in the upstream headers via the --enable-token-header [#PR247](https://github.com/gambol99/keycloak-proxy/pull/247)
 * adding the ability to load a CA authority to provide trust on upstream endpoint [#PR248](https://github.com/gambol99/keycloak-proxy/pull/248)
+* adding the ability to set various http server and upstream timeout [#PR268](https://github.com/gambol99/keycloak-proxy/pull/268)
 BREAKING CHANGES:
 * the proxy no longer uses prefixes for resources, if you wish to use wildcard urls you need

--- a/README.md
+++ b/README.md
@@ -34,7 +34,7 @@ USAGE:
   keycloak-proxy [options]
 VERSION:
-   v2.1.0-rc2 (git+sha: 6782490-dirty, built: 06-07-2017)
+   v2.1.0-rc3 (git+sha: 920a0a6-dirty, built: 28-08-2017)
 AUTHOR:
   Rohith <gambol99@gmail.com>
@@ -103,8 +103,14 @@ GLOBAL OPTIONS:
   --upstream-keepalives                     enables or disables the keepalive connections for upstream endpoint (default: false)
   --upstream-timeout value                  maximum amount of time a dial will wait for a connect to complete (default: 10s)
   --upstream-keepalive-timeout value        specifies the keep-alive period for an active network connection (default: 10s)
+   --upstream-tls-handshake-timeout value    the timeout placed on the tls handshake for upstream (default: 10s)
+   --upstream-response-header-timeout value  the timeout placed on the response header for upstream (default: 1s)
+   --upstream-expect-continue-timeout value  the timeout placed on the expect continue for upstream (default: 10s)
   --verbose                                 switch on debug / verbose logging (default: false)
   --enabled-proxy-protocol                  enable proxy protocol (default: false)
+   --server-read-timeout value               the server read timeout on the http server (default: 5s)
+   --server-write-timeout value              the server write timeout on the http server (default: 10s)
+   --server-idle-timeout value               the server idle timeout on the http server (default: 2m0s)
   --use-letsencrypt                         use letsencrypt for certificates (default: false)
   --letsencrypt-cache-dir value             path where cached letsencrypt certificates are stored (default: "./cache/")
   --sign-in-page value                      path to custom template displayed for signin

--- a/config.go
+++ b/config.go
@@ -28,20 +28,26 @@ import (
 func newDefaultConfig() *Config {
 	return &Config{
 		AccessTokenDuration:         time.Duration(720) * time.Hour,
-		Tags:                        make(map[string]string),
-		MatchClaims:                 make(map[string]string),
-		Headers:                     make(map[string]string),
-		UpstreamTimeout:             time.Duration(10) * time.Second,
-		UpstreamKeepaliveTimeout:    time.Duration(10) * time.Second,
-		EnableAuthorizationHeader:   true,
-		EnableTokenHeader:           true,
 		CookieAccessName:            "kc-access",
 		CookieRefreshName:           "kc-state",
+		EnableAuthorizationHeader:   true,
+		EnableTokenHeader:           true,
+		Headers:                     make(map[string]string),
+		LetsEncryptCacheDir:         "./cache/",
+		MatchClaims:                 make(map[string]string),
 		SecureCookie:                true,
-		SkipUpstreamTLSVerify:       true,
+		ServerIdleTimeout:           120 * time.Second,
+		ServerReadTimeout:           5 * time.Second,
+		ServerWriteTimeout:          10 * time.Second,
 		SkipOpenIDProviderTLSVerify: false,
+		SkipUpstreamTLSVerify:       true,
+		Tags: make(map[string]string, 0),
+		UpstreamExpectContinueTimeout: 10 * time.Second,
+		UpstreamKeepaliveTimeout:      10 * time.Second,
+		UpstreamResponseHeaderTimeout: 1 * time.Second,
+		UpstreamTLSHandshakeTimeout:   10 * time.Second,
+		UpstreamTimeout:               10 * time.Second,
 		UseLetsEncrypt:                false,
-		LetsEncryptCacheDir:         "./cache/",
 	}
 }

--- a/doc.go
+++ b/doc.go
@@ -26,7 +26,7 @@ import (
 )
 var (
-	release  = "v2.1.0-rc3"
+	release  = "v2.1.0-rc4"
 	gitsha   = "no gitsha provided"
 	compiled = "0"
 	version  = ""
@@ -229,12 +229,25 @@ type Config struct {
 	UpstreamKeepalives bool `json:"upstream-keepalives" yaml:"upstream-keepalives" usage:"enables or disables the keepalive connections for upstream endpoint"`
 	// UpstreamTimeout is the maximum amount of time a dial will wait for a connect to complete
 	UpstreamTimeout time.Duration `json:"upstream-timeout" yaml:"upstream-timeout" usage:"maximum amount of time a dial will wait for a connect to complete"`
-	// UpstreamKeepaliveTimeout
+	// UpstreamKeepaliveTimeout is the upstream keepalive timeout
 	UpstreamKeepaliveTimeout time.Duration `json:"upstream-keepalive-timeout" yaml:"upstream-keepalive-timeout" usage:"specifies the keep-alive period for an active network connection"`
+	// UpstreamTLSHandshakeTimeout is the timeout for upstream to tls handshake
+	UpstreamTLSHandshakeTimeout time.Duration `json:"upstream-tls-handshake-timeout" yaml:"upstream-tls-handshake-timeout" usage:"the timeout placed on the tls handshake for upstream"`
+	// UpstreamResponseHeaderTimeout is the timeout for upstream header response
+	UpstreamResponseHeaderTimeout time.Duration `json:"upstream-response-header-timeout" yaml:"upstream-response-header-timeout" usage:"the timeout placed on the response header for upstream"`
+	// UpstreamExpectContinueTimeout is the timeout expect continue for upstream
+	UpstreamExpectContinueTimeout time.Duration `json:"upstream-expect-continue-timeout" yaml:"upstream-expect-continue-timeout" usage:"the timeout placed on the expect continue for upstream"`
 	// Verbose switches on debug logging
 	Verbose bool `json:"verbose" yaml:"verbose" usage:"switch on debug / verbose logging"`
 	// EnableProxyProtocol controls the proxy protocol
 	EnableProxyProtocol bool `json:"enabled-proxy-protocol" yaml:"enabled-proxy-protocol" usage:"enable proxy protocol"`
+	// ServerReadTimeout is the read timeout on the http server
+	ServerReadTimeout time.Duration `json:"server-read-timeout" yaml:"server-read-timeout" usage:"the server read timeout on the http server"`
+	// ServerWriteTimeout is the write timeout on the http server
+	ServerWriteTimeout time.Duration `json:"server-write-timeout" yaml:"server-write-timeout" usage:"the server write timeout on the http server"`
+	// ServerIdleTimeout is the idle timeout on the http server
+	ServerIdleTimeout time.Duration `json:"server-idle-timeout" yaml:"server-idle-timeout" usage:"the server idle timeout on the http server"`
 	// UseLetsEncrypt controls if we should use letsencrypt to retrieve certificates
 	UseLetsEncrypt bool `json:"use-letsencrypt" yaml:"use-letsencrypt" usage:"use letsencrypt for certificates"`

--- a/server.go
+++ b/server.go
@@ -336,7 +336,9 @@ func (r *oauthProxy) Run() error {
 	server := &http.Server{
 		Addr:         r.config.Listen,
 		Handler:      r.router,
-		IdleTimeout: 120 * time.Second,
+		ReadTimeout:  r.config.ServerReadTimeout,
+		WriteTimeout: r.config.ServerWriteTimeout,
+		IdleTimeout:  r.config.ServerIdleTimeout,
 	}
 	r.server = server
 	r.listener = listener
@@ -363,6 +365,9 @@ func (r *oauthProxy) Run() error {
 		httpsvc := &http.Server{
 			Addr:         r.config.ListenHTTP,
 			Handler:      r.router,
+			ReadTimeout:  r.config.ServerReadTimeout,
+			WriteTimeout: r.config.ServerWriteTimeout,
+			IdleTimeout:  r.config.ServerIdleTimeout,
 		}
 		go func() {
 			if err := httpsvc.Serve(httpListener); err != nil {
@@ -548,13 +553,19 @@ func (r *oauthProxy) createUpstreamProxy(upstream *url.URL) error {
 	proxy.Logger = httplog.New(ioutil.Discard, "", 0)
 	r.upstream = proxy
-	// update the tls configuration of the reverse proxy
+	// create the http transport
-	r.upstream.(*goproxy.ProxyHttpServer).Tr = &http.Transport{
+	tp := &http.Transport{
 		Dial:                  dialer,
-		TLSClientConfig:   tlsConfig,
 		DisableKeepAlives:     !r.config.UpstreamKeepalives,
+		ExpectContinueTimeout: r.config.UpstreamExpectContinueTimeout,
+		ResponseHeaderTimeout: r.config.UpstreamResponseHeaderTimeout,
+		TLSClientConfig:       tlsConfig,
+		TLSHandshakeTimeout:   r.config.UpstreamTLSHandshakeTimeout,
 	}
+	// update the tls configuration of the reverse proxy
+	r.upstream.(*goproxy.ProxyHttpServer).Tr = tp
 	return nil
 }