From 478c8f9c03e98e34ffdd2cfb392de77649b8c1e8 Mon Sep 17 00:00:00 2001
From: folbrich
Date: Sat, 18 Apr 2026 17:39:08 +0200
Subject: [PATCH] Add HTTP server timeouts to index-server and chunk-server

Set ReadHeaderTimeout (30s) and IdleTimeout (120s) on the http.Server used by both index-server and chunk-server. Without these, an Internet- exposed server is vulnerable to Slowloris-style header-read attacks and unbounded idle keep-alive connections. ReadTimeout and WriteTimeout are intentionally left at 0 so that slow but legitimate transfers of large chunks or indexes aren't cut off.
---
 cmd/desync/indexserver.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/cmd/desync/indexserver.go b/cmd/desync/indexserver.go
index 7c3e4411..3c4fdae8 100644
--- a/cmd/desync/indexserver.go
+++ b/cmd/desync/indexserver.go
@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"os"
 	"strings"
+	"time"
 
 	"github.com/folbricht/desync"
 	"github.com/spf13/cobra"
@@ -138,9 +139,11 @@ func serve(ctx context.Context, opt cmdServerOptions, addresses ...string) error
 	for _, addr := range addresses {
 		go func(a string) {
 			server := &http.Server{
-				Addr: a,
-				TLSConfig: tlsConfig,
-				ErrorLog: log.New(stderr, "", log.LstdFlags),
+				Addr: a,
+				TLSConfig: tlsConfig,
+				ErrorLog: log.New(stderr, "", log.LstdFlags),
+				ReadHeaderTimeout: 30 * time.Second,
+				IdleTimeout: 120 * time.Second,
 			}
 			var err error
 			if opt.key == "" {
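Review bot: ReadHeaderTimeout only bounds the header read, so with ReadTimeout and WriteTimeout left at 0 a client that sends well-formed headers and then trickles a request body, or never drains the response, still pins the connection and its goroutine indefinitely — the Slowloris exposure the commit message describes moves from headers to bodies, which matters most if the chunk-server accepts uploads (not visible in this hunk). If the project's Go version permits, a bounded `ReadTimeout`/`WriteTimeout` on the server combined with `http.NewResponseController(w).SetReadDeadline(...)` / `SetWriteDeadline(...)` in the handlers that stream large chunks or indexes keeps legitimate slow transfers alive while still capping stalled ones; if that is not an option, record the trade-off next to the new fields, e.g. `// ReadTimeout/WriteTimeout deliberately unset so large chunk/index transfers are not cut off; stalls after the headers are therefore unbounded.` The two durations are also hard-coded; surfacing them through cmdServerOptions would let operators tune them per deployment. serve's body continues outside the hunk, and the diffstat touches only indexserver.go while the message names both servers — presumably chunk-server goes through this shared serve(), worth confirming.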