HTTP buffer filter
Set the maximum request body size that you want to accept for a particular workload in your cluster. If the size of the request body is larger than the size you specify, the ingress gateway rejects the request with a 413 HTTP response.
Due to a known issue in Envoy, the gateway does not reject requests with a request body size that is smaller or equal to 16384 Bytes (16 KB). For the policy to work properly, you must specify a maxRequestBytes
value of 16384 or greater.
If you import or export resources across workspaces, your policies might not apply. For more information, see Import and export policies.
Before you begin
This guide assumes that you use the same names for components like clusters, workspaces, and namespaces as in the getting started, and that your Kubernetes context is set to the cluster you store your Gloo config in (typically the management cluster). If you have different names, make sure to update the sample configuration files in this guide.
Follow the getting started instructions to:
- Set up Gloo Gateway in a single cluster.
- Deploy sample apps.
- Configure an HTTP listener on your gateway and set up basic routing for the sample apps.
Configure HTTP buffer filter policies
You can apply an HTTP buffer filter policy at the route level. For more information, see Applying policies.
Review the following sample configuration file.
apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: HTTPBufferPolicy
metadata:
name: buffer-filter
namespace: httpbin
spec:
applyToRoutes:
- route:
labels:
route: httpbin
config:
maxRequestBytes: 16384
Setting | Description |
---|---|
spec.applyToRoutes |
Use labels to configure which routes to apply the policy to. This example label matches the app and route from the example route table that you previously applied. If omitted, the policy applies to all routes in the workspace. |
spec.config.maxRequestBytes |
Specify the maximum size of the request body in bytes. Only requests with a body size that is smaller or equal to that size are accepted by the ingress gateway and forwarded to the workload in your cluster. If the request body size is larger than the specified size, the ingress gateway rejects the request with a 413 HTTP response code. Note that due to a known issue in Envoy, the gateway does not reject requests with a request body size that is smaller or equal to 16384 bytes (16 KB). For the policy to work properly, you must specify a maxRequestBytes value of 16384 or greater. |
Verify HTTP buffer filter policies
-
Create a file with a size of 16385 bytes.
for ((i=1;i<=16*1024+1;i++)); do echo -n "1" >> output.txt; done;
-
Send a
POST
request to the httpbin app and provide the file that you created as data input.curl -vik -X POST -H "X-httpbin: true" --data "@output.txt" --resolve www.example.com:80:${INGRESS_GW_IP} http://www.example.com:80/post
curl -vik -X POST -H "X-httpbin: true" --data "@output.txt" --resolve www.example.com:443:${INGRESS_GW_IP} https://www.example.com:443/post
Example output:... * We are completely uploaded and fine * Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)! < HTTP/2 200 HTTP/2 200 < server: istio-envoy server: istio-envoy < date: Wed, 28 Dec 2022 19:23:15 GMT date: Wed, 28 Dec 2022 19:23:15 GMT < content-type: application/json content-type: application/json < content-length: 19192 content-length: 19192 ...
-
Apply the HTTP buffer filter policy to the httpbin app in your cluster. Note that this example sets the maximum request body size to 16 KB. Due to a bug in Envoy, this is the minimum size that must be set in order for the policy to work.
kubectl apply -f- <<EOF apiVersion: trafficcontrol.policy.gloo.solo.io/v2 kind: HTTPBufferPolicy metadata: name: buffer-filter namespace: httpbin spec: applyToRoutes: - route: labels: route: httpbin config: maxRequestBytes: 16384 EOF
-
Send another
POST
request to the httpbin app and provide the data file that you created earlier. The request is now rejected with a 413 HTTP response code, because the size of the request body exceeds themaximumRequestBytes
size that you specified in the HTTP buffer filter policy by 1 byte.curl -vik -X POST -H "X-httpbin: true" --data "@output.txt" --resolve www.example.com:80:${INGRESS_GW_IP} http://www.example.com:80/post
curl -vik -X POST -H "X-httpbin: true" --data "@output.txt" --resolve www.example.com:443:${INGRESS_GW_IP} https://www.example.com:443/post
Example output:
... * We are completely uploaded and fine * Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)! < HTTP/2 413 HTTP/2 413 < content-length: 17 content-length: 17 < content-type: text/plain content-type: text/plain ...
Cleanup
You can optionally remove the resources that you created as part of this guide.
kubectl delete httpbufferpolicy buffer-filter -n httpbin
rm output.txt