internal: make http timeouts configurable (cherry-pick #20472 to version-2026.2) (#20567)

internal: make http timeouts configurable (#20472)

* internal: make http timeouts configurable



* Changed formatting to match the rest of the doc

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>

authentik/lib/default.yml

@@ -141,6 +141,10 @@ web:
   # workers: 2
   threads: 4
   path: /
+  timeout_http_read_header: 5s
+  timeout_http_read: 30s
+  timeout_http_write: 60s
+  timeout_http_idle: 120s
 
 worker:
   processes: 1

internal/config/struct.go

@@ -104,7 +104,11 @@ type OutpostConfig struct {
 }
 
 type WebConfig struct {
-	Path string `yaml:"path" env:"PATH, overwrite"`
+	Path                  string `yaml:"path" env:"PATH, overwrite"`
+	TimeoutHttpReadHeader string `yaml:"timeout_http_read_header" env:"TIMEOUT_HTTP_READ_HEADER, overwrite"`
+	TimeoutHttpRead       string `yaml:"timeout_http_read" env:"TIMEOUT_HTTP_READ, overwrite"`
+	TimeoutHttpWrite      string `yaml:"timeout_http_write" env:"TIMEOUT_HTTP_WRITE, overwrite"`
+	TimeoutHttpIdle       string `yaml:"timeout_http_idle" env:"TIMEOUT_HTTP_IDLE, overwrite"`
 }
 
 type LogConfig struct {

internal/utils/web/server.go

@@ -3,15 +3,26 @@ package web
 import (
 	"net/http"
 	"time"
+
+	"goauthentik.io/internal/config"
 )
 
+func durationOrFallback(raw string, fallback time.Duration) time.Duration {
+	p, err := time.ParseDuration(raw)
+	if err != nil {
+		return fallback
+	}
+	return p
+}
+
 func Server(h http.Handler) *http.Server {
+	c := config.Get()
 	return &http.Server{
 		Handler:           h,
-		ReadHeaderTimeout: 5 * time.Second,
-		ReadTimeout:       30 * time.Second,
-		WriteTimeout:      60 * time.Second,
-		IdleTimeout:       120 * time.Second,
+		ReadHeaderTimeout: durationOrFallback(c.Web.TimeoutHttpReadHeader, 5*time.Second),
+		ReadTimeout:       durationOrFallback(c.Web.TimeoutHttpRead, 30*time.Second),
+		WriteTimeout:      durationOrFallback(c.Web.TimeoutHttpWrite, 60*time.Second),
+		IdleTimeout:       durationOrFallback(c.Web.TimeoutHttpIdle, 120*time.Second),
 		MaxHeaderBytes:    http.DefaultMaxHeaderBytes,
 	}
 }

website/docs/install-config/configuration/configuration.mdx

@@ -633,6 +633,26 @@ Configure the path under which authentik is served. For example to access authen
 
 Defaults to `/`.
 
+### `AUTHENTIK_WEB__TIMEOUT_HTTP`
+
+Configure the timeouts for the web HTTP/HTTPS Server. Accepts duration in the format of "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+
+- `AUTHENTIK_WEB__TIMEOUT_HTTP_READ_HEADER`
+
+Defaults to `5s`
+
+- `AUTHENTIK_WEB__TIMEOUT_HTTP_READ`
+
+Defaults to `30s`
+
+- `AUTHENTIK_WEB__TIMEOUT_HTTP_WRITE`
+
+Defaults to `60s`
+
+- `AUTHENTIK_WEB__TIMEOUT_HTTP_IDLE`
+
+Defaults to `120s`
+
 ## System settings
 
 Additional [system settings](../../sys-mgmt/settings.md) are configurable using the Admin interface, under **System** > **Settings** or using the API.