Add active_terminal_timeout and hard_timeout to session controller #128

Merged: antoncxx merged 2 commits into main from feature/session-timeouts on Jun 23, 2026

@antoncxx (Collaborator) commented Jun 23, 2026

Summary

Adds two new timeout axes to TimeoutController, closing two gaps in the current session expiry model:

  • TUNNEL_CONTROLLER_ACTIVE_TERMINAL_TIMEOUT — caps how long an active SSH/TTY/RD session can run from creation, regardless of user activity. Without this, a session with a connected terminal ran indefinitely. Also addresses the tab-switching false-idle problem: while a terminal is connected the idle clock is suspended entirely, and this new timeout provides the upper bound instead.
  • TUNNEL_CONTROLLER_HARD_TIMEOUT — absolute session lifetime from creation, not reset by reconnects. Without this, a session could persist indefinitely by reconnecting within the idle window.

Both default to unset (unbounded), so existing deployments are unaffected until the values are configured.

Environment variables

| Variable | Default | Unit | Description |
|---|---|---|---|
| TUNNEL_CONTROLLER_IDLE_TIMEOUT | 300 | seconds | How long an inactive session survives after the last data event. Applies to all tunnel types when no terminal/viewer is connected. |
| TUNNEL_CONTROLLER_ACTIVE_TERMINAL_TIMEOUT | unset | seconds | Maximum lifetime of a session while a terminal or viewer is actively connected, measured from tunnel creation. When unset, active sessions are unbounded. New. |
| TUNNEL_CONTROLLER_HARD_TIMEOUT | unset | seconds | Absolute maximum session lifetime from creation. Not reset by activity or reconnects. Applies to all tunnel types at all times. When unset, no hard ceiling is enforced. New. |
| TUNNEL_CONTROLLER_AWAKE_INTERVAL | 30 | seconds | How often the controller scans for expired tunnels. Unchanged. |

Expiry logic per tunnel type

| Tunnel | Terminal/viewer connected | No terminal/viewer |
|---|---|---|
| HTTP | hard_timeout from creation | idle_timeout from last access · hard_timeout from creation |
| SSH | active_terminal_timeout from creation · hard_timeout from creation | idle_timeout from last access · hard_timeout from creation |
| TTY | active_terminal_timeout from creation · hard_timeout from creation | idle_timeout from last access · hard_timeout from creation |
| RD | active_terminal_timeout from creation · hard_timeout from creation | idle_timeout from last access · hard_timeout from creation |

Changes

Single file changed: wallguard-server/src/tunneling/timeout_controller.rs

Out of scope

  • Portal/UI configuration of timeouts — env vars only for now.
  • Collapsing the proxy-level 60 s Idle intermediate state — requires changes in the proxy layer outside the controller.

antoncxx added 2 commits June 23, 2026 18:38
Two new timeout axes, both configured via env vars and disabled by
default (unbounded):

- TUNNEL_CONTROLLER_ACTIVE_TERMINAL_TIMEOUT: caps active SSH/TTY/RD
  sessions from creation time, regardless of activity. Prevents the
  proxy idle timeout from killing a session mid-task when the user
  switches browser tabs.

- TUNNEL_CONTROLLER_HARD_TIMEOUT: absolute session lifetime from
  creation, not reset by reconnects. Closes the loophole where a
  session persists indefinitely by reconnecting within the idle window.

Existing env vars are unchanged:
- TUNNEL_CONTROLLER_IDLE_TIMEOUT (default 300s)
- TUNNEL_CONTROLLER_AWAKE_INTERVAL (default 30s)

@antoncxx changed the title from "Feature/session timeouts" to "Add active_terminal_timeout and hard_timeout to session controller" on Jun 23, 2026
@antoncxx merged commit e2b8615 into main on Jun 23, 2026
2 of 3 checks passed
@antoncxx deleted the feature/session-timeouts branch on June 23, 2026 23:04
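
The expiry table in the PR description, written out as a single decision function with both the unset defaults and configured limits exercised. This is an added example, not code from this PR or from wallguard-server: the type and function names are hypothetical, the timeout values are constructed, and treating a limit as reached at `>=` is an assumption.

```rust
use std::time::Duration;

// Hypothetical types for illustration; not taken from timeout_controller.rs.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Tunnel { Http, Ssh, Tty, Rd }

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Expired { Idle, ActiveTerminal, Hard }

pub struct Timeouts {
    pub idle: Duration,                    // TUNNEL_CONTROLLER_IDLE_TIMEOUT
    pub active_terminal: Option<Duration>, // None = unset (unbounded)
    pub hard: Option<Duration>,            // None = unset (unbounded)
}

/// `age`: time since tunnel creation. `since_access`: time since last data event.
/// Assumption: a limit counts as reached when the elapsed time is >= the limit.
pub fn check(t: &Timeouts, kind: Tunnel, connected: bool,
             age: Duration, since_access: Duration) -> Option<Expired> {
    // Hard ceiling: every tunnel type, connected or not, never reset.
    if t.hard.map_or(false, |h| age >= h) {
        return Some(Expired::Hard);
    }
    if connected {
        // Idle clock is suspended while a terminal/viewer is attached.
        // Only SSH/TTY/RD get the active-terminal cap; HTTP has none.
        let capped = kind != Tunnel::Http;
        if capped && t.active_terminal.map_or(false, |a| age >= a) {
            return Some(Expired::ActiveTerminal);
        }
        return None;
    }
    if since_access >= t.idle { Some(Expired::Idle) } else { None }
}

fn main() {
    let s = Duration::from_secs;
    // Constructed values: 5 min idle, 1 h active-terminal cap, 8 h hard ceiling.
    let set = Timeouts { idle: s(300), active_terminal: Some(s(3600)), hard: Some(s(28800)) };
    let unset = Timeouts { idle: s(300), active_terminal: None, hard: None };
    // A session that keeps reconnecting inside the idle window (last access 10 s ago).
    println!("{:?}", check(&unset, Tunnel::Ssh, false, s(90_000), s(10))); // None
    println!("{:?}", check(&set, Tunnel::Ssh, false, s(90_000), s(10)));   // Some(Hard)
    // A connected terminal two hours after creation.
    println!("{:?}", check(&unset, Tunnel::Tty, true, s(7200), s(0)));     // None
    println!("{:?}", check(&set, Tunnel::Tty, true, s(7200), s(0)));       // Some(ActiveTerminal)
}
```

With both new variables unset, the first and third calls return `None`: these are the two unbounded cases the PR summary describes.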