Buffering
Fine-tune connection speeds for read and write operations by setting a connection buffer limit.
The steps in this section use the Envoy-based kgateway proxy. The steps do not work with the agentgateway proxy.
About read and write buffer limits
By default, Gloo Gateway is set up with 1MiB of request read and write buffer for each gateway. For large requests that must be buffered and that exceed the default buffer limit, Gloo Gateway either disconnects the connection to the downstream service if headers were already sent, or returns a 413 HTTP response code. To make sure that large requests can be sent and received, you can specify the maximum number of bytes that can be buffered between the gateway and the downstream service. Alternatively, when using Gloo Gateway as an edge proxy, configuring the buffer limit can be important when dealing with untrusted downstreams. By setting the limit to a small number, such as 32KiB, you can better guard against potential attacks or misconfigured downstreams that could excessively use the proxy’s resources.
The connection buffer limit can be configured on the Gateway level or on an individual route.
Considerations when using httpbin
When you use the httpbin sample app, keep in mind that httpbin limits the maximum body size to 1 mebibyte (1Mi). If you send a request to httpbin with a body size that is larger than that, httpbin automatically rejects the request with a 400 HTTP response code.
Before you begin
Follow the Get started guide to install Gloo Gateway.
Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Set up buffer limits per gateway
Use an annotation to set a per-connection buffer limit on your Gateway, which applies the buffer limit to all routes served by the Gateway.
Create a GlooTrafficPolicy called transformation-buffer-body that forces buffering by transforming the response from the httpbin sample app.

```sh
kubectl apply -f- <<EOF
apiVersion: gloo.solo.io/v1alpha1
kind: GlooTrafficPolicy
metadata:
  name: transformation-buffer-body
  namespace: httpbin
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: httpbin
  transformation:
    response:
      body:
        parseAs: AsString
        value: '{{ body() }}'
EOF
```

Annotate the http Gateway resource to set a buffer limit of 1 kilobyte.

```sh
kubectl apply -f- <<EOF
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: http
  namespace: gloo-system
  annotations:
    kgateway.dev/per-connection-buffer-limit: '1Ki'
spec:
  gatewayClassName: gloo-gateway-v2
  listeners:
  - protocol: HTTP
    port: 8080
    name: http
    allowedRoutes:
      namespaces:
        from: All
EOF
```

To test the buffer limit, create a payload in a temp file that exceeds the 1Ki buffer limit.

```sh
dd if=/dev/zero bs=2048 count=1 | base64 -w 0 > /tmp/large_payload_2k.txt
```

Send a request to the /anything httpbin path with the large payload. Verify that the request fails with a connection error or timeout, indicating that the buffer limit was exceeded.

Example output:

```
* upload completely sent off: 2747 bytes
< HTTP/1.1 413 Payload Too Large
HTTP/1.1 413 Payload Too Large
< access-control-allow-credentials: true
access-control-allow-credentials: true
< access-control-allow-origin: *
access-control-allow-origin: *
< x-envoy-upstream-service-time: 1
x-envoy-upstream-service-time: 1
< content-length: 17
content-length: 17
< server: envoy
server: envoy
```

Test the buffer limit again by sending a request with a small payload, "hello world". This request succeeds with a normal response from httpbin because the payload size is within the 1Ki limit.

Example output:

```
* upload completely sent off: 27 bytes
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
...
  "url": "http://www.example.com:8080/anything",
  "data": "{\"payload\": \"hello world\"}",
  "files": null,
  "form": null,
  "json": {
    "payload": "hello world"
  }
}
```
Set up buffer limits per route
You can configure connection buffer limits using a GlooTrafficPolicy to control how much data can be buffered per connection at the level of individual routes. This can provide more fine-grained control than applying the buffer limit at the Gateway, or can provide a method of overriding a buffer limit at the level of the Gateway.
If you did not already, create a GlooTrafficPolicy called transformation-buffer-body that forces buffering by transforming the response from the httpbin sample app.

```sh
kubectl apply -f- <<EOF
apiVersion: gloo.solo.io/v1alpha1
kind: GlooTrafficPolicy
metadata:
  name: transformation-buffer-body
  namespace: httpbin
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: httpbin
  transformation:
    response:
      body:
        parseAs: AsString
        value: '{{ body() }}'
EOF
```

If you previously added the kgateway.dev/per-connection-buffer-limit annotation to the Gateway, remove that annotation.

```sh
kubectl apply -f- <<EOF
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: http
  namespace: gloo-system
spec:
  gatewayClassName: gloo-gateway-v2
  listeners:
  - protocol: HTTP
    port: 8080
    name: http
    allowedRoutes:
      namespaces:
        from: All
EOF
```

In a separate GlooTrafficPolicy, apply a buffer limit of maxRequestSize: '1024' to the httpbin app. This setting limits the request payload to 1024 bytes.

```sh
kubectl apply -f- <<EOF
apiVersion: gloo.solo.io/v1alpha1
kind: GlooTrafficPolicy
metadata:
  name: transformation-buffer-limit
  namespace: httpbin
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: httpbin
  buffer:
    maxRequestSize: '1024'
EOF
```

To test the buffer limit, create a payload in a temp file that exceeds the 1Ki buffer limit.

```sh
dd if=/dev/zero bs=2048 count=1 | base64 -w 0 > /tmp/large_payload_2k.txt
```

Send a request to the /anything httpbin path with the large payload. Verify that the request fails with a connection error or timeout, indicating that the buffer limit was exceeded.

Test the buffer limit again by sending a request with a small payload, "hello world". This request succeeds with a normal response from httpbin because the payload size is within the 2Ki limit.

Example output:

```
{
  "args": {},
  "data": "{\"payload\": \"hello world\"}",
  "files": {},
  "form": {},
  "headers": {
    ...
  },
  "json": {
    "payload": "hello world"
  },
  "method": "POST",
  "origin": "...",
  "url": "https://$INGRESS_GW_ADDRESS:8080/anything"
}
```
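The test steps in both procedures above (an over-limit body, then an in-limit body) can be scripted as a repeatable enforcement check. This is an added example, not part of the Gloo Gateway documentation; the curl invocation, the www.example.com:8080 host header (taken from the sample output), port 8080, and all function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the Gloo Gateway docs): checks that the configured
# buffer limit rejects oversized bodies and still admits small ones.
# Assumptions: INGRESS_GW_ADDRESS holds the gateway address, the listener is
# on port 8080, and the httpbin route matches host www.example.com:8080.

# Build the JSON body used in this guide: base64 of N zero bytes in "payload".
make_body() {
  printf '{"payload": "%s"}' \
    "$(dd if=/dev/zero bs="$1" count=1 2>/dev/null | base64 | tr -d '\n')"
}

# Size in bytes of the body that make_body produces for N raw bytes.
body_len() { make_body "$1" | wc -c | tr -d ' '; }

# Classify a result. $1 = body bytes, $2 = limit bytes, $3 = HTTP status.
# curl reports status 000 when the connection is dropped or times out.
verdict() {
  if [ "$1" -gt "$2" ]; then
    case "$3" in
      413|000) echo "enforced" ;;
      *)       echo "NOT-ENFORCED" ;;   # oversized body reached the upstream
    esac
  else
    case "$3" in
      2??) echo "ok" ;;
      *)   echo "over-blocking" ;;      # in-limit body was rejected
    esac
  fi
}

# Send one probe. $1 = raw bytes before base64, $2 = configured limit in bytes.
# Keep probe sizes well clear of the limit so the expected result is unambiguous.
probe() {
  verdict "$(body_len "$1")" "$2" "$(make_body "$1" |
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
      -H 'host: www.example.com:8080' -H 'content-type: application/json' \
      --data-binary @- "http://${INGRESS_GW_ADDRESS}:8080/anything")"
}

# Only touch the network when a gateway address is configured.
if [ -n "${INGRESS_GW_ADDRESS:-}" ]; then
  echo "over-limit probe: $(probe 2048 1024)"
  echo "in-limit probe:   $(probe 16 1024)"
fi
```

The 2048-byte probe produces the same 2747-byte upload that appears in the sample output for the per-gateway test.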
Cleanup
You can remove the resources that you created in this guide.

Delete the GlooTrafficPolicy resources.

```sh
kubectl delete GlooTrafficPolicy transformation-buffer-body -n httpbin
kubectl delete GlooTrafficPolicy transformation-buffer-limit -n httpbin
```

Remove the buffer limit annotation from the http Gateway resource.

```sh
kubectl apply -f- <<EOF
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: http
  namespace: gloo-system
spec:
  gatewayClassName: gloo-gateway-v2
  listeners:
  - protocol: HTTP
    port: 8080
    name: http
    allowedRoutes:
      namespaces:
        from: All
EOF
```