Unsettable keep-alive timeout in haproxy
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
kolla-ansible | Fix Released | Medium | Radosław Piliszek | | |
Bug Description
Kolla-Ansible does not set `timeout http-keep-alive` in HAProxy config (and does not allow setting it), which results in it always defaulting to `timeout http-request` [1].
`timeout http-request` is set by Kolla-Ansible by default to 10 seconds. It protects servers against slowloris attacks and is generally preferred to be very short (one could argue 10 seconds is too generous, 3-5 is probably apter).
However, this same timeout might not be apt for keep-alive connections.
Considering backends:
eventlet-based services have one simple timeout being a socket timeout on read and write operations. It defaults to 15 minutes; for keep-alive capped by HAProxy to 10 seconds now.
httpd-based services recently got a bump from 5 seconds to 60 seconds, effectively bumping it to only 10 seconds per HAProxy's hard limit.
[1] https:/
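The fallback described in this report can be checked against a rendered HAProxy config. The following is an added example, not code from Kolla-Ansible or from the report: it resolves the keep-alive timeout HAProxy will apply and the resulting idle limit for a backend. The sample config text, the `1m` values and all function names are constructed for illustration, and the parser assumes a single `defaults` section.

```python
import re

# HAProxy time suffixes; a bare number is milliseconds.
_UNITS_MS = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000,
             "h": 3_600_000, "d": 86_400_000}

# Constructed sample: only http-request is set, as in the report.
AS_REPORTED = """\
defaults
    timeout client 1m
    timeout http-request 10s
"""
# Same config with an explicit keep-alive timeout (value is an assumption).
WITH_KEEP_ALIVE = AS_REPORTED + "    timeout http-keep-alive 1m\n"


def parse_time_ms(value):
    """Convert an HAProxy time value such as '10s' or '500' to milliseconds."""
    m = re.fullmatch(r"(\d+)(us|ms|s|m|h|d)?", value)
    if not m:
        raise ValueError(f"bad HAProxy time value: {value!r}")
    return int(m.group(1)) * _UNITS_MS[m.group(2) or "ms"]


def timeouts(config_text):
    """Collect 'timeout <name> <value>' directives; the last one wins."""
    found = {}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "timeout":
            found[parts[1]] = parse_time_ms(parts[2])
    return found


def effective_keep_alive_ms(config_text):
    """Return (milliseconds, directive that supplied the value)."""
    t = timeouts(config_text)
    # HAProxy falls back from http-keep-alive to http-request, then client.
    for name in ("http-keep-alive", "http-request", "client"):
        if name in t:
            return t[name], name
    return None, None


def idle_limit_s(config_text, backend_keep_alive_s):
    """Idle time a kept-alive connection survives: the shorter side closes."""
    ms, source = effective_keep_alive_ms(config_text)
    if ms is None:
        return float(backend_keep_alive_s), "backend"
    return min(ms / 1000, backend_keep_alive_s), source
```

With the reported config, both the 60-second httpd setting and the 15-minute eventlet default resolve to a 10-second idle limit sourced from `http-request`; with an explicit `timeout http-keep-alive`, the slowloris protection stays at 10 seconds while the idle limit follows the new directive.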
Fix proposed to branch: master
Review: https://review.opendev.org/747592