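# EnvoyFilter that hardens the Istio gateway selected below: it tightens the
# HTTP connection manager (path normalisation, header hygiene, HTTP/2 limits,
# idle timeout) and puts a connect timeout and per-connection buffer limit on
# the gateway's upstream clusters. Listing restored to conventional 2-space
# YAML indentation; templated scalars are quoted so an empty expansion cannot
# turn into a null.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: "{{ include "gatewayName" . | trimPrefix "istio-" }}-hardening"
  namespace: "{{ .Release.Namespace }}"
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
  # Restricts the patches to the gateway pods (selector labels from the chart helper).
  workloadSelector:
    labels:
      {{- include "gatewaySelectorLabels" . | nindent 6 }}
  configPatches:
    # No `match` here, so this merges into every upstream cluster of the
    # selected gateway workloads.
    - applyTo: CLUSTER
      patch:
        operation: MERGE
        value:
          connect_timeout: 15s
          per_connection_buffer_limit_bytes: 32768  # 32 KiB
    # No `context` is given, so any listener whose filter chain carries the
    # HTTP connection manager gets these settings merged in.
    - applyTo: NETWORK_FILTER
      match:
        listener:
          filterChain:
            filter:
              name: 'envoy.filters.network.http_connection_manager'
      patch:
        operation: MERGE
        value:
          name: 'envoy.filters.network.http_connection_manager'
          typed_config:
            '@type': 'type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager'
            stat_prefix: ingress_http
            # Use the immediate peer address as the client address instead of
            # trusting a client-supplied X-Forwarded-For. NOTE(review): assumes
            # the gateway terminates connections directly (or behind an L4 LB);
            # if a trusted L7 proxy sits in front, xff_num_trusted_hops needs
            # setting accordingly — confirm against the deployment topology.
            use_remote_address: true
            # Canonicalise the request path before routing and authz matching
            # so encoded/duplicated slashes cannot bypass path-based rules.
            normalize_path: true
            merge_slashes: true
            path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT
            common_http_protocol_options:
              # Close connections that have been idle for an hour.
              idle_timeout: 3600s  # 1 hour
              # Underscore/hyphen header ambiguity is a known smuggling vector
              # for upstreams that normalise header names; reject outright.
              headers_with_underscores_action: REJECT_REQUEST
            # Bound per-connection HTTP/2 resource usage.
            http2_protocol_options:
              max_concurrent_streams: 100
              initial_stream_window_size: 65536  # 64 KiB
              initial_connection_window_size: 1048576  # 1 MiB
            # Deliberately left unset: both would break long-lived and
            # streaming requests.
            # stream_idle_timeout: 300s  # 5 mins, must be disabled for long-lived and streaming requests
            # request_timeout: 300s  # 5 mins, must be disabled for long-lived and streaming requests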