HTTP buffer filter
Set the maximum request body size that you want to accept for a particular workload in your cluster.
If the size of the request body is larger than the size you specify, the ingress gateway rejects the request with a 413 HTTP response.
Due to a known issue in Envoy, the gateway does not reject requests with a request body size that is smaller than or equal to 16384 bytes (16 KB). For the policy to work properly, you must specify a maxRequestBytes value of 16384 or greater.
If you import or export resources across workspaces, your policies might not apply. For more information, see Import and export policies.
Before you begin
This guide assumes that you use the same names for components like clusters, workspaces, and namespaces as in the getting started. If you have different names, make sure to update the sample configuration files in this guide.
- Set up Gloo Mesh Gateway in a single cluster.
- Install Bookinfo and other sample apps.
Configure an HTTP listener on your gateway and set up basic routing for the sample apps.
Get the external address of your ingress gateway. The steps vary depending on the type of load balancer that backs the ingress gateway.
```shell
export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-mesh-gateways istio-ingressgateway -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
echo $INGRESS_GW_ADDRESS
```
Note: Depending on your environment, you might see <pending> instead of an external IP address. For example, if you are testing locally in kind or minikube, or if you have insufficient permissions in your cloud platform, you can instead port-forward the service port of the ingress gateway:
```shell
kubectl -n gloo-mesh-gateways port-forward deploy/istio-ingressgateway-1-20 8081
```
Configure HTTP buffer filter policies
You can apply an HTTP buffer filter policy at the route level. For more information, see Applying policies.
Review the following sample configuration file.
```yaml
apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: HTTPBufferPolicy
metadata:
  name: buffer-filter
  namespace: httpbin
spec:
  applyToRoutes:
  - route:
      labels:
        route: httpbin
  config:
    maxRequestBytes: 16384
```
Review the following table to understand this configuration. For more information, see the API docs.
Setting | Description |
---|---|
spec.applyToRoutes | Use labels to configure which routes to apply the policy to. This example label matches the app and route from the example route table that you apply separately. If omitted and you do not have another selector such as applyToDestinations, the policy applies to all routes in the workspace. |
spec.config.maxRequestBytes | Specify the maximum size of the request body in bytes. Only requests with a body size that is smaller than or equal to that size are accepted by the ingress gateway and forwarded to the workload in your cluster. If the request body size is larger than the specified size, the ingress gateway rejects the request with a 413 HTTP response code. Note that due to a known issue in Envoy, the gateway does not reject requests with a request body size that is smaller than or equal to 16384 bytes (16 KB). For the policy to work properly, you must specify a maxRequestBytes value of 16384 or greater. |
Verify HTTP buffer filter policies
Create a file with a size of 16385 bytes.
```shell
for ((i=1;i<=16*1024+1;i++)); do echo -n "1" >> output.txt; done;
```
Send a POST request to the httpbin app and provide the file that you created as data input.
Example output:
```
...
* We are completely uploaded and fine
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
< HTTP/2 200
HTTP/2 200
< server: istio-envoy
server: istio-envoy
< date: Wed, 28 Dec 2022 19:23:15 GMT
date: Wed, 28 Dec 2022 19:23:15 GMT
< content-type: application/json
content-type: application/json
< content-length: 19192
content-length: 19192
...
```
Apply the HTTP buffer filter policy to the httpbin app in your cluster. Note that this example sets the maximum request body size to 16 KB. Due to a bug in Envoy, this is the minimum size that must be set in order for the policy to work.
```shell
kubectl apply -f- <<EOF
apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: HTTPBufferPolicy
metadata:
  name: buffer-filter
  namespace: httpbin
spec:
  applyToRoutes:
  - route:
      labels:
        route: httpbin
  config:
    maxRequestBytes: 16384
EOF
```
Send another POST request to the httpbin app and provide the data file that you created earlier. The request is now rejected with a 413 HTTP response code, because the size of the request body exceeds the maxRequestBytes size that you specified in the HTTP buffer filter policy by 1 byte. Example output:
```
...
* We are completely uploaded and fine
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
< HTTP/2 413
HTTP/2 413
< content-length: 17
content-length: 17
< content-type: text/plain
content-type: text/plain
...
```
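The manual check above can be turned into a repeatable boundary test that sends one body of exactly the limit and one of limit plus 1 byte, then compares the status codes with what this guide describes. This is an added example, not part of the product documentation: the function names are hypothetical, the request URL is supplied by the caller because it depends on your route setup, and a 200 for the in-limit body assumes that the upstream app accepts the POST.

```shell
#!/bin/sh
ENVOY_MIN_LIMIT=16384  # smallest maxRequestBytes the guide says is enforced

# Write exactly $1 bytes of "1" to file $2, overwriting instead of appending,
# so rerunning never grows the file the way a ">>" loop does.
make_body() {
  head -c "$1" /dev/zero | tr '\0' '1' > "$2"
}

# Status the guide describes for a body of $1 bytes under a limit of $2 bytes.
# 200 assumes the upstream (httpbin here) answers the POST successfully.
expected_status() {
  if [ "$1" -gt "$2" ]; then echo 413; else echo 200; fi
}

# POST a body of $2 bytes to URL $1 and print only the HTTP status code.
post_status() {
  body=$(mktemp) || return 1
  make_body "$2" "$body"
  curl -s -o /dev/null -w '%{http_code}' -X POST --data-binary "@$body" "$1"
  rc=$?
  rm -f "$body"
  return "$rc"
}

# Probe limit and limit+1 bytes against URL $1 for configured limit $2.
# Returns 0 if both match, 1 on a mismatch, 2 if the limit is below the floor.
check_boundary() {
  url=$1; limit=$2; fail=0
  if [ "$limit" -lt "$ENVOY_MIN_LIMIT" ]; then
    echo "maxRequestBytes $limit is below $ENVOY_MIN_LIMIT; not enforced reliably" >&2
    return 2
  fi
  for size in "$limit" $((limit + 1)); do
    want=$(expected_status "$size" "$limit")
    got=$(post_status "$url" "$size")
    printf '%s bytes: expected %s, got %s\n' "$size" "$want" "$got"
    [ "$want" = "$got" ] || fail=1
  done
  return "$fail"
}
```

Source the file and call check_boundary with the URL of your httpbin route and the maxRequestBytes value from the policy; a non-zero exit code means the gateway did not behave as the policy describes.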
Cleanup
You can optionally remove the resources that you set up as part of this guide.
```shell
kubectl delete httpbufferpolicy buffer-filter -n httpbin
rm output.txt
```