Some recent events have reminded me that we should finally implement this TODO in Caddy: a way to set WriteTimeout, ReadTimeout, and (coming in Go 1.8) IdleTimeout.
I figure this will be either one or three new directives for the Caddyfile.
Since these timeouts can't be set on a per-request basis, we have to reduce any repeated invocations of these directives across sites on a listener to a single value -- probably the lowest value among them. This is not too bad. We can print a warning if that's the case.
While we're at it, we should also make the max header size configurable too.
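The reduction proposed above, as an added example that is not Caddy's code: every site sharing a listener is collapsed into one `http.Server`, taking the lowest configured value per timeout and collecting a warning when sites disagree. `SiteTimeouts` and `ServerFor` are hypothetical names, and treating 0 as "not configured" is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// SiteTimeouts is a hypothetical per-site setting; 0 means "not configured" (assumption).
type SiteTimeouts struct {
	Host              string
	Read, Write, Idle time.Duration
}

// ServerFor collapses all sites on one listener into a single http.Server.
func ServerFor(addr string, sites []SiteTimeouts, maxHeaderBytes int) (*http.Server, []string) {
	srv := &http.Server{Addr: addr, MaxHeaderBytes: maxHeaderBytes}
	var warnings []string
	set := func(name string, dst *time.Duration, pick func(SiteTimeouts) time.Duration) {
		conflict := false
		for _, s := range sites {
			v := pick(s)
			if v == 0 {
				continue // not configured for this site
			}
			conflict = conflict || (*dst != 0 && v != *dst)
			if *dst == 0 || v < *dst {
				*dst = v // keep the lowest value seen so far
			}
		}
		if conflict {
			warnings = append(warnings, fmt.Sprintf("%s differs across sites on %s; using lowest (%s)", name, addr, *dst))
		}
	}
	set("ReadTimeout", &srv.ReadTimeout, func(s SiteTimeouts) time.Duration { return s.Read })
	set("WriteTimeout", &srv.WriteTimeout, func(s SiteTimeouts) time.Duration { return s.Write })
	set("IdleTimeout", &srv.IdleTimeout, func(s SiteTimeouts) time.Duration { return s.Idle }) // Go 1.8+
	return srv, warnings
}

func main() {
	// Constructed sample: two sites on :443 with different read timeouts.
	srv, warns := ServerFor(":443", []SiteTimeouts{
		{Host: "a.example", Read: 10 * time.Second},
		{Host: "b.example", Read: 5 * time.Second},
	}, 1<<20)
	fmt.Println(srv.ReadTimeout, warns)
}
```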
Do these timeouts have some default values currently? Or are they 0 (never times out)?
A more general question, do you think it would currently be OK to expose Caddy directly to the internet, without a reverse proxy in front of it?
I recently noticed a problem on a server running Caddy 0.8.3. By looking at netstat output it looked like the server is slowly accumulating open, established and very old (hours, days) connections, attributed to the caddy process. Could this have been an issue with timeouts?
> do you think it would currently be OK to expose Caddy directly to the internet, without a reverse proxy in front of it?

About as safe as it would be to expose any other web server to the Internet. Depends on your threat model. Before jumping to conclusions, always create a threat model first. If you're worried about DoS attacks, you should probably put something like Cloudflare in front of your site.

> I recently noticed a problem on a server running Caddy 0.8.3. ... Could this have been an issue with timeouts?

That's an issue with server administration. You need to upgrade. That version is over a year old.