From a55feb46c62cc948d0959b71ccd744a665c9d4be Mon Sep 17 00:00:00 2001 From: Ben Nemec Date: Thu, 25 Sep 2025 16:08:56 -0500 Subject: [PATCH 1/2] OCPBUGS-62232: Set -fin timeouts in HAProxy config We have a bug where misbehaved clients are exhausting the connection limits by starting a connection and abandoning it before it is even established. Setting the client-fin timeout is a recommended option to address this sort of situation. This patch also sets server-fin in the interest of symmetry and avoiding any similar issues on the server side. --- templates/master/00-master/on-prem/files/haproxy-haproxy.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/master/00-master/on-prem/files/haproxy-haproxy.yaml b/templates/master/00-master/on-prem/files/haproxy-haproxy.yaml index db2b3dbf69..4efc3dd577 100644 --- a/templates/master/00-master/on-prem/files/haproxy-haproxy.yaml +++ b/templates/master/00-master/on-prem/files/haproxy-haproxy.yaml @@ -17,6 +17,8 @@ contents: timeout client 86400s timeout server 86400s timeout tunnel 86400s + timeout client-fin 1s + timeout server-fin 1s {{`{{- if gt (len .LBConfig.Backends) 0 }}`}} frontend main bind :::{{`{{ .LBConfig.LbPort }}`}} v4v6 From 9399af9fc679242c6835144b2e30b198028f0f76 Mon Sep 17 00:00:00 2001 
From: Ben Nemec Date: Thu, 25 Sep 2025 16:20:47 -0500 Subject: [PATCH 2/2] Shorten HAProxy timeouts I'm not sure why we set these to 24 hours in the first place, but it doesn't match what we document in our sample UPI HAProxy config, nor can I find any justification for why one would want such long timeouts. This changes our client and server timeouts to be 1m, matching the documented values. It also sets the tunnel timeout to 5m, which is not covered at all in the documentation but according to HAProxy docs should generally be longer than other timeouts since tunnel connections tend to be longer lived. --- .../master/00-master/on-prem/files/haproxy-haproxy.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/master/00-master/on-prem/files/haproxy-haproxy.yaml b/templates/master/00-master/on-prem/files/haproxy-haproxy.yaml index 4efc3dd577..bec4da615d 100644 --- a/templates/master/00-master/on-prem/files/haproxy-haproxy.yaml +++ b/templates/master/00-master/on-prem/files/haproxy-haproxy.yaml @@ -14,9 +14,9 @@ contents: timeout http-request 30s timeout queue 1m timeout connect 10s - timeout client 86400s - timeout server 86400s - timeout tunnel 86400s + timeout client 1m + timeout server 1m + timeout tunnel 5m timeout client-fin 1s timeout server-fin 1s {{`{{- if gt (len .LBConfig.Backends) 0 }}`}}
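Review bot: In patch 1/2, the added lines `timeout client-fin 1s` and `timeout server-fin 1s` have no comment in the template, and the problem described in the commit message (a connection abandoned "before it is even established") does not obviously match what these options bound: in HAProxy the -fin timeouts apply to half-closed connections, where one side has already shut down its direction. Please record, in the commit message or in a comment next to the two lines, which connection state was actually seen accumulating, and reference OCPBUGS-62232 there. The 1s value also needs a stated justification, since it is much shorter than the neighbouring `timeout connect 10s` and `timeout http-request 30s`, and a slow peer could be dropped while still finishing a half-closed exchange.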
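Review bot: In patch 2/2, the three replaced lines cut `timeout client` and `timeout server` from 86400s to 1m and `timeout tunnel` to 5m while the commit message says the reason for the original 24 hours is unknown, so the risk of disconnecting legitimately idle long-lived connections through `frontend main` is unassessed. Before merging, please check the history of the original lines for the rationale and test with connections that stay idle longer than 1m (and tunnels idle longer than 5m). A short comment in the template noting that 1m follows the documented UPI sample config and that 5m for tunnels is a judgment call would keep the next reader from repeating the question this commit message asks.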