How can we set the ReadHeaderTimeout in Traefik to (somewhat) defend against Slowloris attacks?
For completeness sake:
nginx: client_header_timeout (default 60s)
Apache: mod_reqtimeout (unset by default)
IIS: headerWaitTimeout (default 00:00:00)
Looks like the one to use to me.
it does however include the body - which would make e.g. uploads a bit of a problem (for us at least) - right?
perfection would be a header-only timeout. but I believe the transport.respondingTimeouts.idleTimeout could be what we can use to deal - if I understand the attack correctly: