Keepalive - Which options should I use?

1. The problem I’m having:

I want to modify the keep-alive timeout that limits the time a persistent connection may remain open.
Setting a keep-alive timeout on the server side helps mitigate denial of service attacks that establish too many persistent connections, exhausting server resources.

To achieve my goal, should I use

  • keepalive is either off or a duration value that specifies how long to keep connections open (timeout). Default: 2m.

FROM

The http transport:

transport http {
	read_buffer             <size>
	write_buffer            <size>
	max_response_header     <size>
	dial_timeout            <duration>
	dial_fallback_delay     <duration>
	response_header_timeout <duration>
	expect_continue_timeout <duration>
	resolvers <ip...>
	tls
	tls_client_auth <automate_name> | <cert_file> <key_file>
	tls_insecure_skip_verify
	tls_timeout <duration>
	tls_trusted_ca_certs <pem_files...>
	tls_server_name <server_name>
	tls_renegotiation <level>
	tls_except_ports <ports...>
	keepalive [off|<duration>]
	keepalive_interval <interval>
	keepalive_idle_conns <max_count>
	keepalive_idle_conns_per_host <count>
	versions <versions...>
	compression off
	max_conns_per_host <count>
}

OR should I use:

  • idle is a duration value that sets the maximum time to wait for the next request when keep-alives are enabled. Defaults to 5 minutes to help avoid resource exhaustion.

FROM

	# Server Options
	servers [<listener_address>] {
		name <name>
		listener_wrappers {
			<listener_wrappers...>
		}
		timeouts {
			read_body   <duration>
			read_header <duration>
			write       <duration>
			idle        <duration>
		}
		trusted_proxies <module> ...
		metrics
		max_header_size <size>
		log_credentials
		protocols [h1|h2|h2c|h3]
		strict_sni_host [on|insecure_off]
	}

2. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

3. How I installed and ran Caddy:

I use a docker compose file.

a. System environment:

The hardware is a RPi 4 Model B
The OS that I’m using:

Linux srvone4all 5.4.0-1080-raspi #91-Ubuntu SMP PREEMPT Thu Jan 19 09:35:03 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

I run caddy as a container with docker:

Docker version 23.0.1, build a5ee5b1

What problem are you actually experiencing?

Caddy’s proxy enables keep-alives because it does connection pooling, so it can reuse existing connections for incoming requests. This is more efficient, and Caddy only uses a limited amount of connections from its pool to do so.

I’m not experiencing any issue at the moment. I’m actually doing prevention from a security perspective.

I’m hardening the security configuration for Caddy in my application stack, by looking at the TLS configuration and the logging, and now I’m working on the network aspect (on HTTP).

I did some research and it seems that the philosophy of Caddy is to be secure by default 🙂

I also dug a bit further into the pooling, in this post: Proxy - pre-warmed connections - understanding keepalive. I didn’t find documentation about connection pooling in Caddy. Is it handled “natively” by Go?

So the risk is not relevant, since if we have the same connection it will reuse an open one? Is there value in closing idle connections from the pool?

I’m also looking for a way to set a timeout when Caddy transmits a response to the client, between two successive write operations. Do you know which directives can help me?

It is, yeah. We use Go’s stdlib HTTP server and client. We just pass through config options to stdlib. See http package - net/http - Go Packages

Yeah, when Caddy attempts to dial a connection, stdlib might give us an idle connection from the pool instead of a fresh one.

Go stdlib does have a CloseIdleConnections() function, but we don’t use it in Caddy right now, we don’t really have a reason to.

I think you’re talking about HTTP server write timeouts? i.e. Global options (Caddyfile) — Caddy Documentation
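To put the two knobs from the question side by side, here is an added Caddyfile (not from this thread or the Caddy docs) that sets both. The hostname example.com, the upstream app:8080 and the duration values are assumptions; the server-side `timeouts` block is what limits how long a client may hold a persistent connection open, while `transport http { keepalive ... }` only shapes the pool of connections Caddy keeps open to the upstream.

```caddyfile
{
	# Inbound side: applies to every HTTP server Caddy runs. These cap how long
	# a *client* connection may stay open, which is the resource-exhaustion
	# concern in the question.
	servers {
		timeouts {
			read_header 10s   # time allowed to receive the request headers
			read_body   30s   # time allowed to receive the request body
			write       30s   # maximum time to finish writing the response
			idle        2m    # max wait for the next request on a keep-alive connection
		}
	}
}

example.com {
	# Outbound side: only shapes the pool of connections to the upstream
	# (assumed upstream app:8080); it does nothing for client connections.
	reverse_proxy app:8080 {
		transport http {
			keepalive 30s              # drop pooled upstream connections idle longer than this
			keepalive_idle_conns 32    # cap the number of idle pooled upstream connections
		}
	}
}
```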
