diff --git a/modules/ingress-controller-router-timeout.adoc b/modules/ingress-controller-router-timeout.adoc new file mode 100644 index 000000000000..0a5015624a99 --- /dev/null +++ b/modules/ingress-controller-router-timeout.adoc 
@@ -0,0 +1,53 @@ +// Module included in the following assemblies: +// +// * networking/ingress-operator.adoc + +:_mod-docs-content-type: REFERENCE +[id="ingress-controller-router-timeout_{context}"] += Ingress Controller router timeout variables + +[role="_abstract"] +To manage connection durations and optimize performance of your Ingress Controller, you can configure router timeout variables. These variables control how long the router waits for client responses, server data, or established connections before closing them. + +.Configuring a router timeout +`TimeUnits` are represented by a number followed by the unit: `us` *(microseconds), `ms` (milliseconds, default), `s` (seconds), `m` (minutes), `h` *(hours), `d` (days). + +The regular expression is: [1-9][0-9]*(`us`|`ms`|`s`|`m`|`h`|`d`). + +.Router timeout variables +[cols="2,1,2a", options="header"] +|=== +|Variable | Default | Description +| `ROUTER_BACKEND_CHECK_INTERVAL` | `5000ms` | Length of time between subsequent liveness checks on back ends. +| `ROUTER_CLIENT_FIN_TIMEOUT` | `1s` | Controls the TCP FIN timeout period for the client connecting to the route. If the FIN sent to close the connection does not answer within the given time, HAProxy closes the connection. This is harmless if set to a low value and uses fewer resources on the router. +| `ROUTER_DEFAULT_CLIENT_TIMEOUT` | `30s` | Length of time that a client has to acknowledge or send data. +| `ROUTER_DEFAULT_CONNECT_TIMEOUT` | `5s` | The maximum connection time. +| `ROUTER_DEFAULT_SERVER_FIN_TIMEOUT` | `1s` | Controls the TCP FIN timeout from the router to the pod backing the route. +| `ROUTER_DEFAULT_SERVER_TIMEOUT` | `30s` | Length of time that a server has to acknowledge or send data. +| `ROUTER_DEFAULT_TUNNEL_TIMEOUT` | `1h` | Length of time for TCP or WebSocket connections to remain open. This timeout period resets whenever HAProxy reloads. 
+| `ROUTER_SLOWLORIS_HTTP_KEEPALIVE` | `300s` | Set the maximum time to wait for a new HTTP request to appear. If this is set too low, it can cause problems with browsers and applications not expecting a small `keepalive` value. + +Some effective timeout values can be the sum of certain variables, rather than the specific expected timeout. For example, `ROUTER_SLOWLORIS_HTTP_KEEPALIVE` adjusts `timeout http-keep-alive`. It is set to `300s` by default, but HAProxy also waits on `tcp-request inspect-delay`, which is set to `5s`. In this case, the overall timeout would be `300s` plus `5s`. +| `ROUTER_SLOWLORIS_TIMEOUT` | `10s` | Length of time the transmission of an HTTP request can take. +| `RELOAD_INTERVAL` | `5s` | Allows the minimum frequency for the router to reload and accept new changes. +| `ROUTER_METRICS_HAPROXY_TIMEOUT` | `5s` | Timeout for the gathering of HAProxy metrics. + +|=== + +.A route setting custom timeout +[source,yaml] +---- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + annotations: + haproxy.router.openshift.io/timeout: 5500ms <1> +... +---- +<1> Specifies the new timeout with HAProxy supported units (`us`, `ms`, `s`, `m`, `h`, `d`). If the unit is not provided, `ms` is the default. + +[NOTE] +==== +Setting a server-side timeout value for passthrough routes too low can cause +WebSocket connections to timeout frequently on that route. +==== \ No newline at end of file diff --git a/networking/networking_operators/ingress-operator.adoc b/networking/networking_operators/ingress-operator.adoc index cccff58ee766..63e6ada55d6e 100644 --- a/networking/networking_operators/ingress-operator.adoc +++ b/networking/networking_operators/ingress-operator.adoc 
@@ -58,6 +58,10 @@ include::modules/nw-ingress-setting-a-custom-default-certificate.adoc[leveloffse include::modules/nw-ingress-custom-default-certificate-remove.adoc[leveloffset=+2] +ifndef::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[] +include::modules/ingress-controller-router-timeout.adoc[leveloffset=+2] +endif::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[] + // Autoscaling an Ingress Controller include::modules/nw-autoscaling-ingress-controller.adoc[leveloffset=+2]
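Review bot: In modules/ingress-controller-router-timeout.adoc, the pattern given under "Configuring a router timeout", [1-9][0-9]*(`us`|`ms`|`s`|`m`|`h`|`d`), requires a unit, but the same paragraph calls `ms` the default and callout <1> says `ms` applies when no unit is provided. Either make the unit group optional in the documented pattern or state that it covers only the explicit-unit form, so readers validating annotation values do not reject a bare number that the text says is accepted. In the same paragraph, the asterisks in `us` *(microseconds) and `h` *(hours) look like leftover bold markup and should be removed. The expression should also sit in a single literal span so that its own * is not read as formatting. Smaller points: the block title "Configuring a router timeout" sits on a paragraph that only describes the unit format, the `RELOAD_INTERVAL` description ("Allows the minimum frequency") reads as incomplete, "to timeout frequently" in the NOTE should use the verb form "time out", and the file ends without a trailing newline.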
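Review bot: In networking/networking_operators/ingress-operator.adoc, the added include is wired into an assembly whose path does not match the one recorded in the new module's header comment, which lists "* networking/ingress-operator.adoc". Update the module header to the networking/networking_operators/ path so that the "included in the following assemblies" list stays accurate. The neighbouring include is introduced by a comment line ("// Autoscaling an Ingress Controller"); adding a similar one-line comment above the ifndef block would keep the assembly consistent and explain why the module is excluded for openshift-rosa, openshift-rosa-hcp and openshift-dedicated.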