Add connection backpressure and timeouts

Sources/NIOHTTPServer/Configuration/NIOHTTPServer+SwiftConfiguration.swift

@@ -65,7 +65,9 @@ extension NIOHTTPServerConfiguration {
                 config: snapshot.scoped(to: "transportSecurity"),
                 customCertificateVerificationCallback: customCertificateVerificationCallback
             ),
-            backpressureStrategy: .init(config: snapshot.scoped(to: "backpressureStrategy"))
+            backpressureStrategy: .init(config: snapshot.scoped(to: "backpressureStrategy")),
+            maxConnections: snapshot.int(forKey: "maxConnections"),
+            connectionTimeouts: .init(config: snapshot.scoped(to: "connectionTimeouts"))
         )
     }
 }
@@ -446,4 +448,29 @@ extension CertificateVerificationMode {
         }
     }
 }
+@available(macOS 26.2, iOS 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, *)
+extension NIOHTTPServerConfiguration.ConnectionTimeouts {
+    /// Initialize connection timeouts configuration from a config reader.
+    ///
+    /// ## Configuration keys:
+    /// - `idle` (int, optional, default: 60): Maximum time in seconds a connection can remain idle.
+    ///   Set to `null` to disable.
+    /// - `readHeader` (int, optional, default: 30): Maximum time in seconds to receive request headers.
+    ///   Set to `null` to disable.
+    /// - `readBody` (int, optional, default: 60): Maximum time in seconds to receive the request body.
+    ///   Set to `null` to disable.
+    ///
+    /// - Parameter config: The configuration reader.
+    public init(config: ConfigSnapshotReader) {
+        self.init(
+            idle: config.int(forKey: "idle").map { .seconds($0) }
+                ?? Self.defaultIdle,
+            readHeader: config.int(forKey: "readHeader").map { .seconds($0) }
+                ?? Self.defaultReadHeader,
+            readBody: config.int(forKey: "readBody").map { .seconds($0) }
+                ?? Self.defaultReadBody
+        )
+    }
+}
+
 #endif  // Configuration

Sources/NIOHTTPServer/Configuration/NIOHTTPServerConfiguration.swift

@@ -230,6 +230,51 @@ public struct NIOHTTPServerConfiguration: Sendable {
         }
     }
 
+    /// Configuration for connection timeouts.
+    ///
+    /// Timeouts are enabled by default with reasonable values to protect against
+    /// slow or idle connections. Individual timeouts can be disabled by setting
+    /// them to `nil`.
+    public struct ConnectionTimeouts: Sendable {
+        /// Maximum time a connection can remain idle (no data read or written)
+        /// before being closed. `nil` means no idle timeout.
+        public var idle: Duration?
+
+        /// Maximum time allowed to receive the complete request headers
+        /// after a connection is established. `nil` means no timeout.
+        public var readHeader: Duration?
+
+        /// Maximum time allowed to receive the complete request body
+        /// after headers have been received. `nil` means no timeout.
+        public var readBody: Duration?
+
+        /// - Parameters:
+        ///   - idle: Maximum idle time before the connection is closed.
+        ///   - readHeader: Maximum time to receive request headers.
+        ///   - readBody: Maximum time to receive the request body.
+        public init(
+            idle: Duration? = Self.defaultIdle,
+            readHeader: Duration? = Self.defaultReadHeader,
+            readBody: Duration? = Self.defaultReadBody
+        ) {
+            self.idle = idle
+            self.readHeader = readHeader
+            self.readBody = readBody
+        }
+
+        @inlinable
+        static var defaultIdle: Duration? { .seconds(60) }
+
+        @inlinable
+        static var defaultReadHeader: Duration? { .seconds(30) }
+
+        @inlinable
+        static var defaultReadBody: Duration? { .seconds(60) }
+
+        /// Default timeout values: 60s idle, 30s read header, 60s read body.
+        public static var defaults: Self { .init() }
+    }
+
     /// Network binding configuration
     public var bindTarget: BindTarget
 
@@ -242,18 +287,31 @@ public struct NIOHTTPServerConfiguration: Sendable {
     /// Backpressure strategy to use in the server.
     public var backpressureStrategy: BackPressureStrategy
 
+    /// The maximum number of concurrent connections the server will accept.
+    ///
+    /// When this limit is reached, the server stops accepting new connections
+    /// until existing ones close. `nil` means unlimited (the default).
+    public var maxConnections: Int?
+
+    /// Configuration for connection timeouts.
+    public var connectionTimeouts: ConnectionTimeouts
+
     /// Create a new configuration.
     /// - Parameters:
     ///   - bindTarget: A ``BindTarget``.
     ///   - supportedHTTPVersions: The HTTP protocol versions the server should support.
     ///   - transportSecurity: The transport security mode (plaintext, TLS, or mTLS).
     ///   - backpressureStrategy: A ``BackPressureStrategy``.
     ///   Defaults to ``BackPressureStrategy/watermark(low:high:)`` with a low watermark of 2 and a high of 10.
+    ///   - maxConnections: The maximum number of concurrent connections. `nil` means unlimited.
+    ///   - connectionTimeouts: The connection timeout configuration.
     public init(
         bindTarget: BindTarget,
         supportedHTTPVersions: Set<HTTPVersion>,
         transportSecurity: TransportSecurity,
-        backpressureStrategy: BackPressureStrategy = .defaults
+        backpressureStrategy: BackPressureStrategy = .defaults,
+        maxConnections: Int? = nil,
+        connectionTimeouts: ConnectionTimeouts = .defaults
     ) throws {
         // If `transportSecurity`` is set to `.plaintext`, the server can only support HTTP/1.1.
         // To support HTTP/2, `transportSecurity` must be set to `.tls` or `.mTLS`.
@@ -267,10 +325,16 @@ public struct NIOHTTPServerConfiguration: Sendable {
             throw NIOHTTPServerConfigurationError.noSupportedHTTPVersionsSpecified
         }
 
+        if let maxConnections, maxConnections <= 0 {
+            throw NIOHTTPServerConfigurationError.invalidMaxConnections
+        }
+
         self.bindTarget = bindTarget
         self.supportedHTTPVersions = supportedHTTPVersions
         self.transportSecurity = transportSecurity
         self.backpressureStrategy = backpressureStrategy
+        self.maxConnections = maxConnections
+        self.connectionTimeouts = connectionTimeouts
     }
 }
 

Sources/NIOHTTPServer/Configuration/NIOHTTPServerConfigurationError.swift

@@ -16,6 +16,7 @@
 enum NIOHTTPServerConfigurationError: Error, CustomStringConvertible {
     case noSupportedHTTPVersionsSpecified
     case incompatibleTransportSecurity
+    case invalidMaxConnections
 
     var description: String {
         switch self {
@@ -24,6 +25,9 @@ enum NIOHTTPServerConfigurationError: Error, CustomStringConvertible {
 
         case .incompatibleTransportSecurity:
             "Invalid configuration: only HTTP/1.1 can be served over plaintext. `transportSecurity` must be set to (m)TLS for serving HTTP/2."
+
+        case .invalidMaxConnections:
+            "Invalid configuration: `maxConnections` must be greater than 0."
         }
     }
 }

Sources/NIOHTTPServer/ConnectionLimitHandler.swift

@@ -0,0 +1,62 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the Swift HTTP Server open source project
+//
+// Copyright (c) 2026 Apple Inc. and the Swift HTTP Server project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of Swift HTTP Server project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import NIOCore
+
+/// A channel handler installed on the server (parent) channel that limits the
+/// number of concurrent connections by gating `read()` calls.
+///
+/// When the number of active connections reaches `maxConnections`, this handler
+/// stops forwarding `read()` events, which prevents NIO from calling `accept()`
+/// on the listening socket. When a connection closes and count drops below the
+/// limit, `read()` is re-triggered to resume accepting.
+final class ConnectionLimitHandler: ChannelDuplexHandler {
+    typealias InboundIn = Channel
+    typealias InboundOut = Channel
+    typealias OutboundIn = Channel
+
+    private let maxConnections: Int
+    private var activeConnections: Int = 0
+
+    init(maxConnections: Int) {
+        self.maxConnections = maxConnections
+    }
+
+    func channelRead(context: ChannelHandlerContext, data: NIOAny) {
+        let childChannel = self.unwrapInboundIn(data)
+        self.activeConnections += 1
+
+        let loopBoundSelf = NIOLoopBound(self, eventLoop: context.eventLoop)
+        let loopBoundContext = NIOLoopBound(context, eventLoop: context.eventLoop)
+        let eventLoop = context.eventLoop
+        childChannel.closeFuture.whenComplete { _ in
+            eventLoop.execute {
+                let `self` = loopBoundSelf.value
+                let context = loopBoundContext.value
+                self.activeConnections -= 1
+                if self.activeConnections <= self.maxConnections {
+                    context.read()
+                }
+            }
+        }
+
+        context.fireChannelRead(data)
+    }
+
+    func read(context: ChannelHandlerContext) {
+        if self.activeConnections <= self.maxConnections {
+            context.read()
+        }
+    }
+}

Sources/NIOHTTPServer/NIOHTTPServer+HTTP1_1.swift

@@ -52,6 +52,12 @@ extension NIOHTTPServer {
                         try channel.pipeline.syncOperations.addHandler(
                             self.serverQuiescingHelper.makeServerChannelHandler(channel: channel)
                         )
+
+                        if let maxConnections = self.configuration.maxConnections {
+                            try channel.pipeline.syncOperations.addHandler(
+                                ConnectionLimitHandler(maxConnections: maxConnections)
+                            )
+                        }
                     }
                 }
                 .bind(host: host, port: port) { channel in
@@ -77,6 +83,8 @@ extension NIOHTTPServer {
         channel.pipeline.configureHTTPServerPipeline().flatMapThrowing {
             try channel.pipeline.syncOperations.addHandler(HTTP1ToHTTPServerCodec(secure: false))
 
+            try self.addTimeoutHandlers(to: channel)
+
             return try NIOAsyncChannel<HTTPRequestPart, HTTPResponsePart>(
                 wrappingChannelSynchronously: channel,
                 configuration: asyncChannelConfiguration

Sources/NIOHTTPServer/NIOHTTPServer+SecureUpgrade.swift

@@ -97,6 +97,12 @@ extension NIOHTTPServer {
                         try channel.pipeline.syncOperations.addHandler(
                             self.serverQuiescingHelper.makeServerChannelHandler(channel: channel)
                         )
+
+                        if let maxConnections = self.configuration.maxConnections {
+                            try channel.pipeline.syncOperations.addHandler(
+                                ConnectionLimitHandler(maxConnections: maxConnections)
+                            )
+                        }
                     }
                 }
                 .bind(host: host, port: port) { channel in
@@ -120,6 +126,8 @@ extension NIOHTTPServer {
             channel.eventLoop.makeCompletedFuture {
                 try channel.pipeline.syncOperations.addHandler(HTTP1ToHTTPServerCodec(secure: true))
 
+                try self.addTimeoutHandlers(to: channel)
+
                 return try NIOAsyncChannel<HTTPRequestPart, HTTPResponsePart>(
                     wrappingChannelSynchronously: channel,
                     configuration: .init(
@@ -141,7 +149,10 @@ extension NIOHTTPServer {
         )
     > {
         channel.eventLoop.makeCompletedFuture {
-            try channel.pipeline.syncOperations.configureAsyncHTTP2Pipeline(
+            // Add idle timeout at the connection level for HTTP/2
+            try self.addIdleTimeoutHandlers(to: channel)
+
+            return try channel.pipeline.syncOperations.configureAsyncHTTP2Pipeline(
                 mode: .server,
                 connectionManagerConfiguration: .init(
                     maxIdleTime: nil,
@@ -158,6 +169,9 @@ extension NIOHTTPServer {
                                 HTTP2FramePayloadToHTTPServerCodec()
                             )
 
+                        // Add read header and body timeouts per-stream for HTTP/2
+                        try self.addReadTimeoutHandlers(to: http2StreamChannel)
+
                         return try NIOAsyncChannel<HTTPRequestPart, HTTPResponsePart>(
                             wrappingChannelSynchronously: http2StreamChannel,
                             configuration: .init(

Sources/NIOHTTPServer/NIOHTTPServer.swift

@@ -322,6 +322,64 @@ public struct NIOHTTPServer: HTTPServer {
             secureUpgradeChannel.channel.close(promise: nil)
         }
     }
+
+    /// Adds timeout handlers (idle, read header, read body) to a child channel pipeline.
+    ///
+    /// Only handlers for non-nil timeouts are installed. This is called for both
+    /// HTTP/1.1 per-connection channels and HTTP/2 per-stream channels.
+    func addTimeoutHandlers(to channel: any Channel) throws {
+        let timeouts = self.configuration.connectionTimeouts
+
+        if let idle = timeouts.idle {
+            let idleTimeAmount = TimeAmount(idle)
+            try channel.pipeline.syncOperations.addHandler(
+                IdleStateHandler(readTimeout: idleTimeAmount, writeTimeout: idleTimeAmount)
+            )
+            try channel.pipeline.syncOperations.addHandler(ConnectionIdleHandler())
+        }
+
+        if let readHeader = timeouts.readHeader {
+            try channel.pipeline.syncOperations.addHandler(
+                ReadHeaderTimeoutHandler(timeout: TimeAmount(readHeader))
+            )
+        }
+
+        if let readBody = timeouts.readBody {
+            try channel.pipeline.syncOperations.addHandler(
+                ReadBodyTimeoutHandler(timeout: TimeAmount(readBody))
+            )
+        }
+    }
+
+    /// Adds only idle timeout handlers to a channel. Used for HTTP/2 connection-level channels
+    /// where read header/body timeouts are handled per-stream.
+    func addIdleTimeoutHandlers(to channel: any Channel) throws {
+        if let idle = self.configuration.connectionTimeouts.idle {
+            let idleTimeAmount = TimeAmount(idle)
+            try channel.pipeline.syncOperations.addHandler(
+                IdleStateHandler(readTimeout: idleTimeAmount, writeTimeout: idleTimeAmount)
+            )
+            try channel.pipeline.syncOperations.addHandler(ConnectionIdleHandler())
+        }
+    }
+
+    /// Adds only read header and body timeout handlers to a channel. Used for HTTP/2 per-stream
+    /// channels where idle timeout is handled at the connection level.
+    func addReadTimeoutHandlers(to channel: any Channel) throws {
+        let timeouts = self.configuration.connectionTimeouts
+
+        if let readHeader = timeouts.readHeader {
+            try channel.pipeline.syncOperations.addHandler(
+                ReadHeaderTimeoutHandler(timeout: TimeAmount(readHeader))
+            )
+        }
+
+        if let readBody = timeouts.readBody {
+            try channel.pipeline.syncOperations.addHandler(
+                ReadBodyTimeoutHandler(timeout: TimeAmount(readBody))
+            )
+        }
+    }
 }
 
 @available(macOS 26.2, iOS 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, *)