-rw-r--r--modules/caddyhttp/app.go13
-rw-r--r--modules/caddyhttp/server.go4
2 files changed, 15 insertions, 2 deletions
diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go
index f5f079c..43cc6f7 100644
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@@ -250,6 +250,13 @@ func (app *App) Provision(ctx caddy.Context) error {
if err != nil {
return fmt.Errorf("server %s: setting up TLS connection policies: %v", srvName, err)
}
+
+ // if there is no idle timeout, set a sane default; users have complained
+ // before that aggressive CDNs leave connections open until the server
+ // closes them, so if we don't close them it leads to resource exhaustion
+ if srv.IdleTimeout == 0 {
+ srv.IdleTimeout = defaultIdleTimeout
+ }
}
return nil
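Review bot: The added `if srv.IdleTimeout == 0` check in Provision replaces the fallback described by the comment this commit removes from server.go ("If zero, ReadTimeout is used"). A server configured with a short read timeout and no idle timeout would therefore hold idle keep-alive connections for the full 5 minutes instead of the shorter read timeout. For those configurations the change lengthens connection lifetime, which works against the resource-exhaustion goal stated in the new comment. Assuming Server has a ReadTimeout field, as the removed comment implies, consider applying the default only when neither is set: `if srv.IdleTimeout == 0 && srv.ReadTimeout == 0 {`. Provision's body begins above this hunk, so any earlier handling of the timeouts is not visible here.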
@@ -458,6 +465,12 @@ func (app *App) httpsPort() int {
return app.HTTPSPort
}
+// defaultIdleTimeout is the default HTTP server timeout
+// for closing idle connections; useful to avoid resource
+// exhaustion behind hungry CDNs, for example (we've had
+// several complaints without this).
+const defaultIdleTimeout = caddy.Duration(5 * time.Minute)
+
// Interface guards
var (
_ caddy.App = (*App)(nil)
diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go
index aaec711..d5be1e1 100644
--- a/modules/caddyhttp/server.go
+++ b/modules/caddyhttp/server.go
@@ -59,8 +59,8 @@ type Server struct {
WriteTimeout caddy.Duration `json:"write_timeout,omitempty"`
// IdleTimeout is the maximum time to wait for the next request
- // when keep-alives are enabled. If zero, ReadTimeout is used.
- // If both are zero, there is no timeout.
+ // when keep-alives are enabled. If zero, a default timeout of
+ // 5m is applied to help avoid resource exhaustion.
IdleTimeout caddy.Duration `json:"idle_timeout,omitempty"`
// MaxHeaderBytes is the maximum size to parse from a client's
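Review bot: The rewritten IdleTimeout comment does not say how an operator can ask for no idle timeout now that zero is replaced by the default during provisioning. Whether a negative value is passed through and disables the timeout is not visible in this diff, and the field doc should state it either way. The literal `5m` also duplicates the value of `defaultIdleTimeout` in app.go and will go stale if that constant changes. A short addition such as `// Zero selects the default; see defaultIdleTimeout.` plus one sentence on the opt-out would cover both. The Server struct begins before this hunk and continues past it.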