diff --git a/data/traefik.yml b/data/traefik.yml index 238939e..25079c8 100644 --- a/data/traefik.yml +++ b/data/traefik.yml @@ -1,6 +1,15 @@ entryPoints: http: address: ":80" + # Finite read timeout so abandoned/slowloris connections (constant on a + # public IP from internet scanners) are reaped instead of holding a file + # descriptor forever. Without it traefik leaks fds until accept() fails with + # EMFILE and the shard goes unreachable. 300s stays generous for slow/large + # uploads; writeTimeout is left at its default (0) so large downloads, SSE, + # and long-poll responses are not cut off. + transport: + respondingTimeouts: + readTimeout: "300s" http: redirections: entryPoint: @@ -8,6 +17,9 @@ entryPoints: scheme: https https: address: ":443" + transport: + respondingTimeouts: + readTimeout: "300s" mqtt: address: ":8883" diff --git a/data/traefik_no_ssl.yml b/data/traefik_no_ssl.yml index 61348fd..d429b2a 100644 --- a/data/traefik_no_ssl.yml +++ b/data/traefik_no_ssl.yml @@ -1,6 +1,11 @@ entryPoints: http: address: ":80" + # See traefik.yml: finite read timeout reaps abandoned/slowloris connections + # so traefik does not leak file descriptors until accept() hits EMFILE. + transport: + respondingTimeouts: + readTimeout: "300s" mqtt: address: ":8883"
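Review bot: The comment above `transport:` on the `http` entry point calls 300s generous for slow/large uploads, but `readTimeout` bounds the time to read the whole request, body included, so an upload that takes longer than five minutes in total is aborted even if it is sending steadily. The same bound means a stalled connection still holds its descriptor for up to 300s, so the setting caps descriptor growth rather than eliminating it. I would extend the comment with `# readTimeout covers the full request incl. body: uploads over 300s total are aborted, and a stalled connection still holds an fd for up to 300s.` The process open-file limit and any open-descriptor alerting are not visible in this diff and should be sized for that window.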
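Review bot: The `mqtt` entry point on `:8883`, visible as context at the end of this hunk and again in the `traefik_no_ssl.yml` hunk, is left without any timeout, and nothing records whether that is deliberate. It binds all interfaces just like `:80` and `:443`, so the abandoned scanner connections described in the `http` comment can presumably accumulate there too. A comment on `mqtt` should state why it is excluded and what reaps dead peers, for example `# No readTimeout: MQTT sessions are long-lived; dead peers are reaped by <mechanism, e.g. broker keepalive> (confirm).` The `https` block added in this hunk also has no comment, unlike the other two; `# See the http entry point above for the rationale.` would cover it.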