hashicorp · sanikachavan5 · Sep 9, 2025 · Sep 9, 2025 · Sep 11, 2025 · Sep 14, 2025
@@ -0,0 +1,3 @@
+```release-note:security
+security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and connect proxy pprof endpoints
+```
@@ -1164,10 +1164,14 @@ func (a *Agent) listenHTTP() ([]apiServer, error) {
 			a.configReloaders = append(a.configReloaders, srv.ReloadConfig)
 			a.httpHandlers = srv
 			httpServer := &http.Server{
-				Addr:           l.Addr().String(),
-				TLSConfig:      tlscfg,
-				Handler:        srv.handler(),
-				MaxHeaderBytes: a.config.HTTPMaxHeaderBytes,
+				Addr:              l.Addr().String(),
+				TLSConfig:         tlscfg,
+				Handler:           srv.handler(),
+				MaxHeaderBytes:    a.config.HTTPMaxHeaderBytes,
+				ReadHeaderTimeout: a.config.HTTPReadHeaderTimeout,
+				ReadTimeout:       a.config.HTTPReadTimeout,
+				WriteTimeout:      a.config.HTTPWriteTimeout,
+				IdleTimeout:       a.config.HTTPIdleTimeout,
 			}
 
 			if scada.IsCapability(l.Addr()) {

@@ -6469,6 +6469,49 @@ func assertDeepEqual(t *testing.T, x, y interface{}, opts ...cmp.Option) {
 	}
 }
 
+func TestAgent_HTTPServerTimeouts(t *testing.T) {
+	if testing.Short() {
+		t.Skip("too slow for testing.Short")
+	}
+
+	t.Parallel()
+
+	// Test with custom timeout configuration
+	a := NewTestAgent(t, `
+		http_config = {
+			read_timeout = "5s"
+			read_header_timeout = "2s"
+			write_timeout = "5s"
+			idle_timeout = "60s"
+		}
+	`)
+	defer a.Shutdown()
+
+	// Verify timeout values are configured correctly
+	require.Equal(t, 5*time.Second, a.config.HTTPReadTimeout)
+	require.Equal(t, 2*time.Second, a.config.HTTPReadHeaderTimeout)
+	require.Equal(t, 5*time.Second, a.config.HTTPWriteTimeout)
+	require.Equal(t, 60*time.Second, a.config.HTTPIdleTimeout)
+}
+
+func TestAgent_HTTPServerDefaultTimeouts(t *testing.T) {
+	if testing.Short() {
+		t.Skip("too slow for testing.Short")
+	}
+
+	t.Parallel()
+
+	// Test with default timeout configuration (no explicit timeouts set)
+	a := NewTestAgent(t, "")
+	defer a.Shutdown()
+
+	// Verify default timeout values are applied
+	require.Equal(t, 30*time.Second, a.config.HTTPReadTimeout)
+	require.Equal(t, 10*time.Second, a.config.HTTPReadHeaderTimeout)
+	require.Equal(t, 30*time.Second, a.config.HTTPWriteTimeout)
+	require.Equal(t, 120*time.Second, a.config.HTTPIdleTimeout)
+}
+
 func TestAgent_ServiceRegistration(t *testing.T) {
 	// Since we accept both `port` and `ports` for service registration, we need to ensure that catalog stores it as it gets it
 

@@ -924,15 +924,19 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 		DNSCacheMaxAge:        b.durationVal("dns_config.cache_max_age", c.DNS.CacheMaxAge),
 
 		// HTTP
-		HTTPPort:            httpPort,
-		HTTPSPort:           httpsPort,
-		HTTPAddrs:           httpAddrs,
-		HTTPSAddrs:          httpsAddrs,
-		HTTPBlockEndpoints:  c.HTTPConfig.BlockEndpoints,
-		HTTPMaxHeaderBytes:  intVal(c.HTTPConfig.MaxHeaderBytes),
-		HTTPResponseHeaders: c.HTTPConfig.ResponseHeaders,
-		AllowWriteHTTPFrom:  b.cidrsVal("allow_write_http_from", c.HTTPConfig.AllowWriteHTTPFrom),
-		HTTPUseCache:        boolValWithDefault(c.HTTPConfig.UseCache, true),
+		HTTPPort:              httpPort,
+		HTTPSPort:             httpsPort,
+		HTTPAddrs:             httpAddrs,
+		HTTPSAddrs:            httpsAddrs,
+		HTTPBlockEndpoints:    c.HTTPConfig.BlockEndpoints,
+		HTTPMaxHeaderBytes:    intVal(c.HTTPConfig.MaxHeaderBytes),
+		HTTPResponseHeaders:   c.HTTPConfig.ResponseHeaders,
+		AllowWriteHTTPFrom:    b.cidrsVal("allow_write_http_from", c.HTTPConfig.AllowWriteHTTPFrom),
+		HTTPUseCache:          boolValWithDefault(c.HTTPConfig.UseCache, true),
+		HTTPReadTimeout:       b.durationValWithDefaultMin("http_config.read_timeout", c.HTTPConfig.ReadTimeout, 30*time.Second, 1*time.Second),
+		HTTPReadHeaderTimeout: b.durationValWithDefaultMin("http_config.read_header_timeout", c.HTTPConfig.ReadHeaderTimeout, 10*time.Second, 1*time.Second),
+		HTTPWriteTimeout:      b.durationValWithDefaultMin("http_config.write_timeout", c.HTTPConfig.WriteTimeout, 30*time.Second, 1*time.Second),
+		HTTPIdleTimeout:       b.durationValWithDefaultMin("http_config.idle_timeout", c.HTTPConfig.IdleTimeout, 120*time.Second, 10*time.Second),
 
 		// Telemetry
 		Telemetry: lib.TelemetryConfig{

@@ -346,6 +346,246 @@ func TestBuilder_ServiceVal_MultiError(t *testing.T) {
 	require.Contains(t, b.err.Error(), "cannot have both socket path")
 }
 
+func TestBuilder_DurationVal_EdgeCases(t *testing.T) {
+	testCases := []struct {
+		name        string
+		input       string
+		expectError bool
+		errorMsg    string
+	}{
+		{
+			name:        "negative duration",
+			input:       "-5s",
+			expectError: false, // time.ParseDuration allows negative durations
+		},
+		{
+			name:        "zero duration",
+			input:       "0s",
+			expectError: false,
+		},
+		{
+			name:        "unparseable string - no unit",
+			input:       "123",
+			expectError: true,
+			errorMsg:    "time: missing unit in duration",
+		},
+		{
+			name:        "unparseable string - invalid unit",
+			input:       "5x",
+			expectError: true,
+			errorMsg:    "unknown unit",
+		},
+		{
+			name:        "unparseable string - empty",
+			input:       "",
+			expectError: true,
+			errorMsg:    "invalid duration",
+		},
+		{
+			name:        "unparseable string - just letters",
+			input:       "abc",
+			expectError: true,
+			errorMsg:    "invalid duration",
+		},
+		{
+			name:        "unparseable string - mixed invalid",
+			input:       "5s10x",
+			expectError: true,
+			errorMsg:    "unknown unit",
+		},
+		{
+			name:        "very large duration",
+			input:       "8760h", // 1 year in hours
+			expectError: false,
+		},
+		{
+			name:        "fractional seconds",
+			input:       "1.5s",
+			expectError: false,
+		},
+		{
+			name:        "complex valid duration",
+			input:       "1h30m45s",
+			expectError: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			b := builder{}
+			result := b.durationVal("test_field", &tc.input)
+
+			if tc.expectError {
+				require.Error(t, b.err)
+				require.Contains(t, b.err.Error(), tc.errorMsg)
+				require.Equal(t, time.Duration(0), result)
+			} else {
+				require.NoError(t, b.err)
+				switch tc.input {
+				case "-5s":
+					require.Equal(t, -5*time.Second, result)
+				case "0s":
+					require.Equal(t, time.Duration(0), result)
+				case "8760h":
+					require.Equal(t, 8760*time.Hour, result)
+				case "1.5s":
+					require.Equal(t, 1500*time.Millisecond, result)
+				case "1h30m45s":
+					expected := time.Hour + 30*time.Minute + 45*time.Second
+					require.Equal(t, expected, result)
+				}
+			}
+		})
+	}
+}
+
+func TestBuilder_DurationValWithDefaultMin_EdgeCases(t *testing.T) {
+	testCases := []struct {
+		name        string
+		input       *string
+		defaultVal  time.Duration
+		minVal      time.Duration
+		expectError bool
+		errorMsg    string
+	}{
+		{
+			name:        "nil input uses default",
+			input:       nil,
+			defaultVal:  10 * time.Second,
+			minVal:      5 * time.Second,
+			expectError: false,
+		},
+		{
+			name:        "negative duration below minimum",
+			input:       strPtr("-10s"),
+			defaultVal:  10 * time.Second,
+			minVal:      0,
+			expectError: true,
+			errorMsg:    "cannot be less than",
+		},
+		{
+			name:        "zero duration below minimum",
+			input:       strPtr("0s"),
+			defaultVal:  10 * time.Second,
+			minVal:      5 * time.Second,
+			expectError: true,
+			errorMsg:    "cannot be less than",
+		},
+		{
+			name:        "valid duration above minimum",
+			input:       strPtr("30s"),
+			defaultVal:  10 * time.Second,
+			minVal:      5 * time.Second,
+			expectError: false,
+		},
+		{
+			name:        "duration exactly at minimum",
+			input:       strPtr("5s"),
+			defaultVal:  10 * time.Second,
+			minVal:      5 * time.Second,
+			expectError: false,
+		},
+		{
+			name:        "unparseable duration with minimum check",
+			input:       strPtr("invalid"),
+			defaultVal:  10 * time.Second,
+			minVal:      5 * time.Second,
+			expectError: true,
+			errorMsg:    "invalid duration",
+		},
+		{
+			name:        "very small duration below microsecond minimum",
+			input:       strPtr("1ns"),
+			defaultVal:  0,
+			minVal:      time.Microsecond,
+			expectError: true,
+			errorMsg:    "cannot be less than",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			b := builder{}
+			result := b.durationValWithDefaultMin("test_field", tc.input, tc.defaultVal, tc.minVal)
+
+			if tc.expectError {
+				require.Error(t, b.err)
+				require.Contains(t, b.err.Error(), tc.errorMsg)
+			} else {
+				require.NoError(t, b.err)
+				if tc.input == nil {
+					require.Equal(t, tc.defaultVal, result)
+				} else if *tc.input == "30s" {
+					require.Equal(t, 30*time.Second, result)
+				} else if *tc.input == "5s" {
+					require.Equal(t, 5*time.Second, result)
+				}
+			}
+		})
+	}
+}
+
+func TestBuilder_DurationValWithDefault_EdgeCases(t *testing.T) {
+	testCases := []struct {
+		name        string
+		input       *string
+		defaultVal  time.Duration
+		expectError bool
+		expected    time.Duration
+	}{
+		{
+			name:        "nil input returns default",
+			input:       nil,
+			defaultVal:  15 * time.Minute,
+			expectError: false,
+			expected:    15 * time.Minute,
+		},
+		{
+			name:        "empty string input",
+			input:       strPtr(""),
+			defaultVal:  15 * time.Minute,
+			expectError: true,
+			expected:    time.Duration(0),
+		},
+		{
+			name:        "negative duration with default",
+			input:       strPtr("-1h"),
+			defaultVal:  15 * time.Minute,
+			expectError: false,
+			expected:    -time.Hour,
+		},
+		{
+			name:        "zero duration overrides default",
+			input:       strPtr("0s"),
+			defaultVal:  15 * time.Minute,
+			expectError: false,
+			expected:    time.Duration(0),
+		},
+		{
+			name:        "valid duration overrides default",
+			input:       strPtr("2h30m"),
+			defaultVal:  15 * time.Minute,
+			expectError: false,
+			expected:    2*time.Hour + 30*time.Minute,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			b := builder{}
+			result := b.durationValWithDefault("test_field", tc.input, tc.defaultVal)
+
+			if tc.expectError {
+				require.Error(t, b.err)
+				require.Equal(t, time.Duration(0), result)
+			} else {
+				require.NoError(t, b.err)
+				require.Equal(t, tc.expected, result)
+			}
+		})
+	}
+}
+
 func TestBuilder_ServiceVal_with_Check(t *testing.T) {
 	b := builder{}
 	svc := b.serviceVal(&ServiceDefinition{

@@ -695,6 +695,10 @@ type HTTPConfig struct {
 	ResponseHeaders    map[string]string `mapstructure:"response_headers"`
 	UseCache           *bool             `mapstructure:"use_cache"`
 	MaxHeaderBytes     *int              `mapstructure:"max_header_bytes"`
+	ReadTimeout        *string           `mapstructure:"read_timeout"`
+	ReadHeaderTimeout  *string           `mapstructure:"read_header_timeout"`
+	WriteTimeout       *string           `mapstructure:"write_timeout"`
+	IdleTimeout        *string           `mapstructure:"idle_timeout"`
 }
 
 type Performance struct {

@@ -797,6 +797,38 @@ type RuntimeConfig struct {
 	// If zero, or negative, http.DefaultMaxHeaderBytes is used.
 	HTTPMaxHeaderBytes int
 
+	// HTTPReadTimeout is the maximum duration for reading the entire request,
+	// including the body. This timeout prevents slow request body attacks.
+	// A zero or negative value means there will be no timeout.
+	//
+	// Default: 30s, Minimum: 1s
+	// hcl: http_config { read_timeout = "30s" }
+	HTTPReadTimeout time.Duration
+
+	// HTTPReadHeaderTimeout is the amount of time allowed to read request headers.
+	// The connection's read deadline is reset after reading the headers and the
+	// Handler can decide what is considered too slow for the body.
+	// This timeout prevents slowloris attacks on header parsing.
+	//
+	// Default: 10s, Minimum: 1s
+	// hcl: http_config { read_header_timeout = "10s" }
+	HTTPReadHeaderTimeout time.Duration
+
+	// HTTPWriteTimeout is the maximum duration before timing out writes of the response.
+	// This timeout prevents slow response drain attacks.
+	// A zero or negative value means there will be no timeout.
+	//
+	// Default: 30s, Minimum: 1s
+	// hcl: http_config { write_timeout = "30s" }
+	HTTPWriteTimeout time.Duration
+
+	// HTTPIdleTimeout is the maximum amount of time to wait for the next request
+	// when keep-alives are enabled. This timeout prevents connection exhaustion attacks.
+	//
+	// Default: 120s, Minimum: 10s
+	// hcl: http_config { idle_timeout = "120s" }
+	HTTPIdleTimeout time.Duration
+
 	// HTTPSHandshakeTimeout is the time allowed for HTTPS client to complete the
 	// TLS handshake and send first bytes of the request.
 	//