From c9d23494b96835a0d2ec4eb6e67e9840b5a9a0e7 Mon Sep 17 00:00:00 2001 From: Ben Parli Date: Tue, 4 Apr 2017 02:36:23 -0700 Subject: [PATCH] Add IdleConnTimeout to Traefik's http.server settings (#1340) * Add IdleTimeout setting to http.server Without such a timeout there is a risk of resource leakage from piling up connections, particularly when exposing Traefik to the Internet. Set the default to be 180 seconds * Add IdleConnTimeout to Traefik's http.server settings Without enforcing a timeout Traefik is susceptible to resource leakage, particularly when deployed as a public facing proxy exposed to the Internet. Set the default to be 180 seconds * tweak * Update configuration.go * add some documentation for the idletimeout setting * need to cast idletimeout * update doc to refect format specifics
---
 configuration.go | 2 ++ docs/toml.md | 14 ++++++++++++-- docs/user-guide/examples.md | 9 ++++++++- server.go | 10 +++++----- 4 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/configuration.go b/configuration.go
index af0b65300..5286897fb 100644
--- a/configuration.go
+++ b/configuration.go
@@ -37,6 +37,7 @@ type GlobalConfiguration struct {
 DefaultEntryPoints DefaultEntryPoints `description:"Entrypoints to be used by frontends that do not specify any entrypoint"`
 ProvidersThrottleDuration flaeg.Duration `description:"Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time."`
 MaxIdleConnsPerHost int `description:"If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used"`
+ IdleTimeout flaeg.Duration `description:"maximum amount of time an idle (keep-alive) connection will remain idle before closing itself."`
 InsecureSkipVerify bool `description:"Disable SSL certificate verification"`
 Retry *Retry `description:"Enable retry sending request if network error"`
 Docker *provider.Docker `description:"Enable Docker backend"`
@@ -467,6 +468,7 @@ func NewTraefikConfiguration() *TraefikConfiguration {
 DefaultEntryPoints: []string{},
 ProvidersThrottleDuration: flaeg.Duration(2 * time.Second),
 MaxIdleConnsPerHost: 200,
+ IdleTimeout: flaeg.Duration(180 * time.Second),
 CheckNewVersion: true,
 },
 ConfigFile: "",
diff --git a/docs/toml.md b/docs/toml.md
index 20d44acf8..35af118fe 100644
--- a/docs/toml.md
+++ b/docs/toml.md
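Review bot: The `description` tag on the new `IdleTimeout` field in `GlobalConfiguration` does not say which connections it governs or what a zero value means, and it sits directly after `MaxIdleConnsPerHost`, whose wording reads as a per-host keep-alive limit rather than a client-facing one. In server.go the value is passed to the entry point's `http.Server`, so it applies to client connections; with no `ReadTimeout` visible on that server, a configured `0` would presumably leave idle connections unbounded. I would reword the tag to `description:"Maximum time a client keep-alive connection to an entrypoint may stay idle before it is closed; 0 disables the timeout"`. The 180-second default is also repeated in the second hunk and in docs/toml.md, so a named constant would keep the three in step.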
@@ -67,6 +67,16 @@ # # ProvidersThrottleDuration = "2s" +# IdleTimeout: maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. +# This is set to enforce closing of stale client connections. +# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw +# values (digits). If no units are provided, the value is parsed assuming seconds. +# +# Optional +# Default: "180s" +# +# IdleTimeout = "360s" + # If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used. # If you encounter 'too many open files' errors, you can either change this value, or change `ulimit` value. # @@ -1648,7 +1658,7 @@ RefreshSeconds = 15 ``` -Items in the dynamodb table must have three attributes: +Items in the dynamodb table must have three attributes: - 'id' : string @@ -1656,4 +1666,4 @@ Items in the dynamodb table must have three attributes: - 'name' : string - The name is used as the name of the frontend or backend. - 'frontend' or 'backend' : map - - This attribute's structure matches exactly the structure of a Frontend or Backend type in traefik. See types/types.go for details. The presence or absence of this attribute determines its type. So an item should never have both a 'frontend' and a 'backend' attribute. + - This attribute's structure matches exactly the structure of a Frontend or Backend type in traefik. See types/types.go for details. The presence or absence of this attribute determines its type. So an item should never have both a 'frontend' and a 'backend' attribute. diff --git a/docs/user-guide/examples.md b/docs/user-guide/examples.md index 7d807afad..ff841a20d 100644 --- a/docs/user-guide/examples.md +++ b/docs/user-guide/examples.md 
@@ -130,4 +130,11 @@ defaultEntryPoints = ["http"]
 headerField = "X-WebAuth-User"
 [entryPoints.http.auth.basic]
 users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
-```
\ No newline at end of file
+```
+
+## Override the Traefik HTTP server IdleTimeout and/or throttle configurations from re-loading too quickly
+
+```
+IdleTimeout = "360s"
+ProvidersThrottleDuration = "5s"
+```
diff --git a/server.go b/server.go
index ed12e88d4..27d2a1a67 100644
--- a/server.go
+++ b/server.go
@@ -17,11 +17,10 @@ import (
 "reflect"
 "regexp"
 "sort"
+ "sync"
 "syscall"
 "time"
- "sync"
-
 "github.com/codegangsta/negroni"
 "github.com/containous/mux"
 "github.com/containous/traefik/cluster"
@@ -532,9 +531,10 @@ func (server *Server) prepareServer(entryPointName string, router *middlewares.H
 }
 return &http.Server{
- Addr: entryPoint.Address,
- Handler: negroni,
- TLSConfig: tlsConfig,
+ Addr: entryPoint.Address,
+ Handler: negroni,
+ TLSConfig: tlsConfig,
+ IdleTimeout: time.Duration(server.globalConfiguration.IdleTimeout),
 }, nil
 }
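Review bot: In the `http.Server` literal returned by `prepareServer`, `IdleTimeout` is the only timeout set, and as net/http documents it that field bounds only the wait for the next request on a keep-alive connection. A client that connects and then delivers its headers or body very slowly, or never completes a first request, is still not timed out, which is the connection pile-up the commit message sets out to prevent; `ReadHeaderTimeout`, `ReadTimeout` and `WriteTimeout` stay at zero as far as this hunk shows. I would state the limit next to the field, e.g. `// IdleTimeout only covers the gap between keep-alive requests; header and body reads are still unbounded.`, and follow up with configurable read and write timeouts. The body of `prepareServer` starts outside the hunk, so a deadline applied elsewhere (for example on the listener) would not be visible here.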