From 3360dab76e64905e8d40aa36f0b2adff1afb24e3 Mon Sep 17 00:00:00 2001
From: Reto Gantenbein
Date: Sat, 28 Mar 2026 15:58:48 +0100
Subject: [PATCH 1/2] server: Disable Echo v5's default WriteTimeout to fix truncated downloads

Echo v5 hardcodes a 30-second WriteTimeout on the HTTP server as Slowloris mitigation. This is a wall-clock deadline, not an idle timeout, so it kills streaming responses for large package files regardless of throughput.

Co-Authored-By: Claude Sonnet 4.6
---
 CHANGELOG.md | 4 ++++
 cmd/serve.go | 11 +++++++++++
 2 files changed, 15 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3bdb4e3..b0106ba 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased](https://github.com/ganto/pkgproxy/commits/HEAD/)
 
+### Fixed
+
+- Disable Echo v5's default 30-second `WriteTimeout` which killed streaming responses for large package files
+
 ## [v0.1.1](https://github.com/ganto/pkgproxy/releases/tag/v0.1.1) - 2026-03-25
 
 ### Added
diff --git a/cmd/serve.go b/cmd/serve.go
index 02a25e2..f27874e 100644
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -6,6 +6,7 @@ import (
 "context"
 "fmt"
 "log/slog"
+ "net/http"
 "os"
 "os/signal"
 "runtime"
@@ -126,6 +127,16 @@ func startServer(_ *cobra.Command, _ []string) error {
 sc := echo.StartConfig{
 Address: fmt.Sprintf("%s:%d", listenAddress, listenPort),
 HideBanner: true,
+ BeforeServeFunc: func(s *http.Server) error {
+ // Echo v5 defaults WriteTimeout to 30s as Slowloris mitigation
+ // (GoSec G112). WriteTimeout is a hard wall-clock deadline from
+ // request header read to response completion, which cuts off
+ // streaming responses for large package files. If pkgproxy is
+ // exposed directly, use a reverse proxy (e.g. nginx) with
+ // appropriate timeouts for Slowloris protection.
+ s.WriteTimeout = 0
+ return nil
+ },
 }
 return sc.Start(ctx, app)
 }
From 717fede574ad69f8f6a33a6884c5ab259e0012fb Mon Sep 17 00:00:00 2001
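Review bot: Setting `s.WriteTimeout = 0` in `BeforeServeFunc` removes the write deadline for every route, so a client that stops reading the response, or drains it a few bytes at a time, can hold a connection, its goroutine and whatever upstream or cache handle the handler has open indefinitely. That is the slow-read case rather than the slow-header case GoSec G112 reports, which is governed by `ReadHeaderTimeout`, so the comment's reference to G112 is likely misleading. Consider leaving the server-wide value at zero but having the streaming handler (not visible in this hunk) apply a rolling per-response deadline before each chunk, e.g. `http.NewResponseController(w).SetWriteDeadline(time.Now().Add(idleWriteTimeout))`, where `idleWriteTimeout` is a new setting; large downloads then succeed at any throughput while stalled peers are dropped. The comment should also say that `ReadHeaderTimeout`, `ReadTimeout` and `IdleTimeout` are intentionally left at Echo's values, since the hunk does not show whether they stay non-zero. startServer's body begins outside the hunk.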
From: Reto Gantenbein
Date: Sat, 28 Mar 2026 16:00:21 +0100
Subject: [PATCH 2/2] Changelog: Prepare release v0.1.2

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b0106ba..a722df7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased](https://github.com/ganto/pkgproxy/commits/HEAD/)
 
+## [v0.1.2](https://github.com/ganto/pkgproxy/releases/tag/v0.1.2) - 2026-03-28
+
 ### Fixed
 
 - Disable Echo v5's default 30-second `WriteTimeout` which killed streaming responses for large package files