From 00b3c1c0422d033a479a2efedbbd239c05dab68c Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Tue, 31 Aug 2021 10:18:36 -0700
Subject: [PATCH] cmd/derper: add missing read/write timeouts

Updates tailscale/corp#2486

Signed-off-by: Brad Fitzpatrick
---
 cmd/derper/derper.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/cmd/derper/derper.go b/cmd/derper/derper.go
index 1f6dbfc73..c495cfb9f 100644
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -187,6 +187,16 @@ func main() {
 httpsrv := &http.Server{
 Addr: *addr,
 Handler: mux,
+
+ // Set read/write timeout. For derper, this basically
+ // only affects TLS setup, as read/write deadlines are
+ // cleared on Hijack, which the DERP server does. But
+ // without this, we slowly accumulate stuck TLS
+ // handshake goroutines forever. This also affects
+ // /debug/ traffic, but 30 seconds is plenty for
+ // Prometheus/etc scraping.
+ ReadTimeout: 30 * time.Second,
+ WriteTimeout: 30 * time.Second,
 }
 
 var err error
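Review bot: The 30-second `WriteTimeout` in the `http.Server` literal also bounds every non-hijacked response, while the new comment only considers Prometheus-style scraping under /debug/. If /debug/ also serves net/http/pprof (not visible in this hunk), the default 30-second CPU profile will stop working, because the pprof handlers refuse durations that reach the server's WriteTimeout. I would extend the comment with something like `// Long /debug/ responses (e.g. pprof profiles of 30s or more) do not fit in WriteTimeout; request a shorter duration.` Since the comment relies on Hijack clearing these deadlines, it is also worth confirming that the DERP connection code sets its own read/write deadlines after hijacking, and that any other listener started later in main (its body continues outside the hunk) gets the same bounds.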