HTTP buffer filter

Set the maximum request body size that you want to accept for a particular workload in your cluster. If the size of the request body is larger than the size you specify, the ingress gateway rejects the request with a 413 HTTP response.

Due to a known issue in Envoy, the gateway does not reject requests with a request body size that is smaller or equal to 16384 Bytes (16 KB). For the policy to work properly, you must specify a maxRequestBytes value of 16384 or greater.

If you import or export resources across workspaces, your policies might not apply. For more information, see Import and export policies.

Before you begin

This guide assumes that you use the same names for components like clusters, workspaces, and namespaces as in the getting started, and that your Kubernetes context is set to the cluster you store your Gloo config in (typically the management cluster). If you have different names, make sure to update the sample configuration files in this guide.

Follow the getting started instructions to:

  1. Set up Gloo Gateway in a single cluster.
  2. Deploy sample apps.
  3. Configure an HTTP listener on your gateway and set up basic routing for the sample apps.

Configure HTTP buffer filter policies

You can apply an HTTP buffer filter policy at the route level. For more information, see Applying policies.

Review the following sample configuration file.

apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: HTTPBufferPolicy
metadata:
  name: buffer-filter
  namespace: httpbin
spec:
  applyToRoutes:
  - route:
      labels:
        route: httpbin
  config:
    maxRequestBytes: 16384
Review the following table to understand this configuration.
Setting Description
spec.applyToRoutes Use labels to configure which routes to apply the policy to. This example label matches the app and route from the example route table that you apply separately. If omitted and you do not have another selector such as applyToDestinations, the policy applies to all routes in the workspace.
spec.config.maxRequestBytes Specify the maximum size of the request body in bytes. Only requests with a body size that is smaller or equal to that size are accepted by the ingress gateway and forwarded to the workload in your cluster. If the request body size is larger than the specified size, the ingress gateway rejects the request with a 413 HTTP response code. Note that due to a known issue in Envoy, the gateway does not reject requests with a request body size that is smaller or equal to 16384 bytes (16 KB). For the policy to work properly, you must specify a maxRequestBytes value of 16384 or greater.

Verify HTTP buffer filter policies

  1. Create a file with a size of 16385 bytes.

    for ((i=1;i<=16*1024+1;i++)); do echo -n "1" >> output.txt; done;
    
  2. Send a POST request to the httpbin app and provide the file that you created as data input.

    curl -vik -X POST -H "X-httpbin: true" --data "@output.txt"  --resolve www.example.com:80:${INGRESS_GW_IP} http://www.example.com:80/post
    
    curl -vik -X POST -H "X-httpbin: true" --data "@output.txt"  --resolve www.example.com:443:${INGRESS_GW_IP} https://www.example.com:443/post
    

    Example output:

    ...
    * We are completely uploaded and fine
    * Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
    < HTTP/2 200 
    HTTP/2 200 
    < server: istio-envoy
    server: istio-envoy
    < date: Wed, 28 Dec 2022 19:23:15 GMT
    date: Wed, 28 Dec 2022 19:23:15 GMT
    < content-type: application/json
    content-type: application/json
    < content-length: 19192
    content-length: 19192
    ...
    
  3. Apply the HTTP buffer filter policy to the httpbin app in your cluster. Note that this example sets the maximum request body size to 16 KB. Due to a bug in Envoy, this is the minimum size that must be set in order for the policy to work.

    kubectl apply -f- <<EOF
    apiVersion: trafficcontrol.policy.gloo.solo.io/v2
    kind: HTTPBufferPolicy
    metadata:
      name: buffer-filter
      namespace: httpbin
    spec:
      applyToRoutes:
      - route:
          labels:
            route: httpbin
      config:
        maxRequestBytes: 16384
    EOF
    
  4. Send another POST request to the httpbin app and provide the data file that you created earlier. The request is now rejected with a 413 HTTP response code, because the size of the request body exceeds the maximumRequestBytes size that you specified in the HTTP buffer filter policy by 1 byte.

    curl -vik -X POST -H "X-httpbin: true" --data "@output.txt"  --resolve www.example.com:80:${INGRESS_GW_IP} http://www.example.com:80/post
    
    curl -vik -X POST -H "X-httpbin: true" --data "@output.txt"  --resolve www.example.com:443:${INGRESS_GW_IP} https://www.example.com:443/post
    

    Example output:

    ...
    * We are completely uploaded and fine
    * Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
    < HTTP/2 413 
    HTTP/2 413 
    < content-length: 17
    content-length: 17
    < content-type: text/plain
    content-type: text/plain
    ...
    

Cleanup

You can optionally remove the resources that you set up as part of this guide.
kubectl delete httpbufferpolicy buffer-filter -n httpbin
rm output.txt