From a55feb46c62cc948d0959b71ccd744a665c9d4be Mon Sep 17 00:00:00 2001
From: Ben Nemec <bnemec@redhat.com>
Date: Thu, 25 Sep 2025 16:08:56 -0500
Subject: [PATCH] OCPBUGS-62232: Set -fin timeouts in HAProxy config

We have a bug where misbehaved clients are exhausting the connection
limits by starting a connection and abandoning it before it is even
established. Setting the client-fin timeout is a recommended option
to address this sort of situation. This patch also sets server-fin
in the interest of symmetry and avoiding any similar issues on the
server side.
---
 templates/master/00-master/on-prem/files/haproxy-haproxy.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/templates/master/00-master/on-prem/files/haproxy-haproxy.yaml b/templates/master/00-master/on-prem/files/haproxy-haproxy.yaml
index db2b3dbf69..4efc3dd577 100644
--- a/templates/master/00-master/on-prem/files/haproxy-haproxy.yaml
+++ b/templates/master/00-master/on-prem/files/haproxy-haproxy.yaml
@@ -17,6 +17,8 @@ contents:
       timeout client       86400s
       timeout server       86400s
       timeout tunnel       86400s
+      timeout client-fin   1s
+      timeout server-fin   1s
     {{`{{- if gt (len .LBConfig.Backends) 0 }}`}}
     frontend  main
       bind :::{{`{{ .LBConfig.LbPort }}`}} v4v6