set timeouts for secondary (http) server

2 files changed, 32 insertions, 32 deletions

diff --git a/internal/server/server.go b/internal/server/server.go
index 6f933ef..dfb0f8c 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -46,9 +46,9 @@ type Config struct {
 
 type Server struct {
 	*http.Server
-	redirectHandler func(http.ResponseWriter, *http.Request)
-	runtimeConfig   *Config
-	config          *cfg.Config
+	redirectServer *http.Server
+	runtimeConfig  *Config
+	config         *cfg.Config
 }
 
 func applyDevModeOverrides(config *cfg.Config, runtimeConfig *Config) {
@@ -178,14 +178,15 @@ func New(runtimeConfig *Config) (*Server, error) {
 		return nil, errors.Wrap(err, "could not create website mux")
 	}
 
-	redirectHandler := func(w http.ResponseWriter, r *http.Request) {
+	rMux := http.NewServeMux()
+	rMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		path, _ := website.CanonicalisePath(r.URL.Path)
 		newURL := config.BaseURL.JoinPath(path)
 		http.Redirect(w, r, newURL.String(), 301)
-	}
+	})
 	if runtimeConfig.Redirect {
 		loggingMux.Handle(config.BaseURL.Hostname()+"/", mux)
-		loggingMux.HandleFunc("/", redirectHandler)
+		loggingMux.Handle("/", rMux)
 	} else {
 		loggingMux.Handle("/", mux)
 	}
@@ -209,9 +210,16 @@ func New(runtimeConfig *Config) (*Server, error) {
 			Addr:              listenAddress,
 			Handler:           top,
 		},
-		redirectHandler: redirectHandler,
-		config:          config,
-		runtimeConfig:   runtimeConfig,
+		redirectServer: &http.Server{
+			ReadHeaderTimeout: 10 * time.Second,
+			ReadTimeout:       1 * time.Minute,
+			WriteTimeout:      2 * time.Minute,
+			IdleTimeout:       10 * time.Minute,
+			Addr:              listenAddress,
+			Handler:           rMux,
+		},
+		config:        config,
+		runtimeConfig: runtimeConfig,
 	}, nil
 }
 
diff --git a/internal/server/tls.go b/internal/server/tls.go
index 7bd4a1c..254cd12 100644
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -35,29 +35,6 @@ func (s *Server) serveTLS() (err error) {
 	certmagic.DefaultACME.Agreed = true
 	certmagic.DefaultACME.Email = s.config.Email
 
-	ln, err := listenfd.GetListener(
-		1,
-		net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.Port)),
-	)
-	if err != nil {
-		return errors.Wrap(err, "could not bind plain socket")
-	}
-
-	go func(ln net.Listener) {
-		redirecter := http.NewServeMux()
-		redirecter.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-			if certmagic.LooksLikeHTTPChallenge(r) {
-				issuer.HandleHTTPChallenge(w, r)
-			} else {
-				s.redirectHandler(w, r)
-			}
-		})
-		err := http.Serve(ln, redirecter)
-		if err != nil && !errors.Is(err, http.ErrServerClosed) {
-			log.Error("error in http handler", "error", err)
-		}
-	}(ln)
-
 	if s.runtimeConfig.Development {
 		ca := s.runtimeConfig.ACMECA
 		if ca == "" {
@@ -114,6 +91,21 @@ func (s *Server) serveTLS() (err error) {
 		}
 	}
 
+	ln, err := listenfd.GetListener(
+		1,
+		net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.Port)),
+	)
+	if err != nil {
+		return errors.Wrap(err, "could not bind plain socket")
+	}
+
+	go func(ln net.Listener) {
+		s.redirectServer.Handler = issuer.HTTPChallengeHandler(s.redirectServer.Handler)
+		if err := s.redirectServer.Serve(ln); err != nil && !errors.Is(err, http.ErrServerClosed) {
+			log.Error("error in http handler", "error", err)
+		}
+	}(ln)
+
 	log.Debug(
 		"starting certmagic",
 		"http_port",