From 672bf9968cfcfd5cb74aeb80c2668daf95505b81 Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Mon, 12 Aug 2019 21:12:36 +0000 Subject: [PATCH 01/20] docs: Can I use Envoy as a front-end proxy? Signed-off-by: Piotr Sikora --- docs/root/faq/edge.rst | 85 ++++++++++++++++++++++++++++++++++++++ docs/root/faq/overview.rst | 1 + 2 files changed, 86 insertions(+) create mode 100644 docs/root/faq/edge.rst diff --git a/docs/root/faq/edge.rst b/docs/root/faq/edge.rst new file mode 100644 index 000000000000..ab1ec17027bf --- /dev/null +++ b/docs/root/faq/edge.rst 
@@ -0,0 +1,85 @@ +.. _faq_edge: + +Can I use Envoy as an edge proxy? +================================= + +Envoy is a production-ready edge proxy, and performs well in that role, however, +the default settings are tailored for the service mesh use case, and some values +need to be adjusted when using Envoy as an edge proxy. + +TCP proxies should configure: :ref:`overload_manager `, +:ref:`listener buffer limits ` to 32,768 bytes +and :ref:`cluster buffer limits ` to 32,768 bytes. + +HTTP proxies should additionally configure: +:ref:`use_remote_address ` to true, +and HTTP/2 settings (e.g. +:ref:`HTTP/2 maximum concurrent streams limit ` to 100, +:ref:`HTTP/2 initial stream window size limit ` to 65,535 bytes, +and :ref:`HTTP/2 initial connection window size limit ` to 1,048,576 bytes). + +The following is a YAML example of the above recommendation. + +.. code-block:: yaml + + overload_manager: + refresh_interval: + seconds: 0 + nanos: 250000000 # 0.25s + resource_monitors: + - name: "envoy.resource_monitors.fixed_heap" + config: + # TODO: Tune for your system. 
+ max_heap_size_bytes: 2147483648 # 2GB + actions: + - name: "envoy.overload_actions.stop_accepting_requests" + triggers: + - name: "envoy.resource_monitors.fixed_heap" + threshold: + value: 0.95 + + static_resources: + listeners: + - address: + socket_address: { address: 127.0.0.1, port_value: 443 } + listener_filters: + - name: "envoy.listener.tls_inspector" + typed_config: {} + per_connection_buffer_limit_bytes: 32768 # 32kB + filter_chains: + - filter_chain_match: + server_names: ["example.com", "www.example.com"] + tls_context: + common_tls_context: + tls_certificates: + - certificate_chain: { filename: "example_com_cert.pem" } + private_key: { filename: "example_com_key.pem" } + filters: + - name: envoy.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager + stat_prefix: ingress_http + use_remote_address: true + http2_protocol_options: + max_concurrent_streams: 100 + initial_stream_window_size: 65535 # 64kB + initial_connection_window_size: 1048576 # 1MB + route_config: + virtual_hosts: + - name: default + domains: "*" + routes: + - match: { prefix: "/" } + route: { cluster: service_foo } + clusters: + name: service_foo + connect_timeout: 15s + per_connection_buffer_limit_bytes: 32768 # 32kB + hosts: + socket_address: + address: 127.0.0.1 + port_value: 8080 + http2_protocol_options: + max_concurrent_streams: 100 + initial_stream_window_size: 65535 # 64kB + initial_connection_window_size: 1048576 # 1MB diff --git a/docs/root/faq/overview.rst b/docs/root/faq/overview.rst index 0fe96c0fd675..9815bc0014a7 100644 --- a/docs/root/faq/overview.rst +++ b/docs/root/faq/overview.rst @@ -8,6 +8,7 @@ FAQ how_fast_is_envoy binaries + edge sni zone_aware_routing zipkin_tracing From 26c74c6c208987dac837bc0eba913189c8e4ae38 Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Mon, 14 Oct 2019 00:59:45 +0000 Subject: [PATCH 02/20] review: move from FAQ to Best Practices. 
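Review bot: In the YAML example, `clusters`, `hosts` and `domains` are repeated fields written as single values (`clusters:` is followed directly by `name: service_foo`, `hosts:` by `socket_address:`, and `domains: "*"` is a bare string), which reads as a one-entry mapping rather than a list. Even where the protobuf JSON loader tolerates an unwrapped element, a reader copying this into a real config will mis-nest the moment they add a second cluster or host, and a best-practices page is exactly where that copy happens; write them as lists, `clusters:` / `- name: service_foo`, `hosts:` / `- socket_address:`, and `domains: ["*"]`. The `fixed_heap` monitor also uses the untyped `config:` block while the filters in the same file use `typed_config:`; if the target release already prefers typed configs for extensions, the example should be consistent.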
Signed-off-by: Piotr Sikora --- .../configuration/best_practices/edge.rst | 84 +++++++++++++++++- docs/root/faq/edge.rst | 85 ------------------- docs/root/faq/overview.rst | 1 - 3 files changed, 82 insertions(+), 88 deletions(-) delete mode 100644 docs/root/faq/edge.rst diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index 22940fcdc978..fd41c3987856 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst 
@@ -1,5 +1,85 @@ +.. _best_practices_edge: + Configuring Envoy for the edge ============================== -This document describes best practices for configuring Envoy for the edge. It is currently a -work-in-progress +Envoy is a production-ready edge proxy, and performs well in that role, however, +the default settings are tailored for the service mesh use case, and some values +need to be adjusted when using Envoy as an edge proxy. + +TCP proxies should configure: :ref:`overload_manager `, +:ref:`listener buffer limits ` to 32,768 bytes +and :ref:`cluster buffer limits ` to 32,768 bytes. + +HTTP proxies should additionally configure: +:ref:`use_remote_address ` to true, +and HTTP/2 settings (e.g. +:ref:`HTTP/2 maximum concurrent streams limit ` to 100, +:ref:`HTTP/2 initial stream window size limit ` to 65,535 bytes, +and :ref:`HTTP/2 initial connection window size limit ` to 1,048,576 bytes). + +The following is a YAML example of the above recommendation. + +.. code-block:: yaml + + overload_manager: + refresh_interval: + seconds: 0 + nanos: 250000000 # 0.25s + resource_monitors: + - name: "envoy.resource_monitors.fixed_heap" + config: + # TODO: Tune for your system. 
+ max_heap_size_bytes: 2147483648 # 2GB + actions: + - name: "envoy.overload_actions.stop_accepting_requests" + triggers: + - name: "envoy.resource_monitors.fixed_heap" + threshold: + value: 0.95 + + static_resources: + listeners: + - address: + socket_address: { address: 127.0.0.1, port_value: 443 } + listener_filters: + - name: "envoy.listener.tls_inspector" + typed_config: {} + per_connection_buffer_limit_bytes: 32768 # 32kB + filter_chains: + - filter_chain_match: + server_names: ["example.com", "www.example.com"] + tls_context: + common_tls_context: + tls_certificates: + - certificate_chain: { filename: "example_com_cert.pem" } + private_key: { filename: "example_com_key.pem" } + filters: + - name: envoy.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager + stat_prefix: ingress_http + use_remote_address: true + http2_protocol_options: + max_concurrent_streams: 100 + initial_stream_window_size: 65535 # 64kB + initial_connection_window_size: 1048576 # 1MB + route_config: + virtual_hosts: + - name: default + domains: "*" + routes: + - match: { prefix: "/" } + route: { cluster: service_foo } + clusters: + name: service_foo + connect_timeout: 15s + per_connection_buffer_limit_bytes: 32768 # 32kB + hosts: + socket_address: + address: 127.0.0.1 + port_value: 8080 + http2_protocol_options: + max_concurrent_streams: 100 + initial_stream_window_size: 65535 # 64kB + initial_connection_window_size: 1048576 # 1MB diff --git a/docs/root/faq/edge.rst b/docs/root/faq/edge.rst deleted file mode 100644 index ab1ec17027bf..000000000000 --- a/docs/root/faq/edge.rst +++ /dev/null 
@@ -1,85 +0,0 @@ -.. _faq_edge: - -Can I use Envoy as an edge proxy? -================================= - -Envoy is a production-ready edge proxy, and performs well in that role, however, -the default settings are tailored for the service mesh use case, and some values -need to be adjusted when using Envoy as an edge proxy. - -TCP proxies should configure: :ref:`overload_manager `, -:ref:`listener buffer limits ` to 32,768 bytes -and :ref:`cluster buffer limits ` to 32,768 bytes. - -HTTP proxies should additionally configure: -:ref:`use_remote_address ` to true, -and HTTP/2 settings (e.g. -:ref:`HTTP/2 maximum concurrent streams limit ` to 100, -:ref:`HTTP/2 initial stream window size limit ` to 65,535 bytes, -and :ref:`HTTP/2 initial connection window size limit ` to 1,048,576 bytes). - -The following is a YAML example of the above recommendation. - -.. code-block:: yaml - - overload_manager: - refresh_interval: - seconds: 0 - nanos: 250000000 # 0.25s - resource_monitors: - - name: "envoy.resource_monitors.fixed_heap" - config: - # TODO: Tune for your system. 
- max_heap_size_bytes: 2147483648 # 2GB - actions: - - name: "envoy.overload_actions.stop_accepting_requests" - triggers: - - name: "envoy.resource_monitors.fixed_heap" - threshold: - value: 0.95 - - static_resources: - listeners: - - address: - socket_address: { address: 127.0.0.1, port_value: 443 } - listener_filters: - - name: "envoy.listener.tls_inspector" - typed_config: {} - per_connection_buffer_limit_bytes: 32768 # 32kB - filter_chains: - - filter_chain_match: - server_names: ["example.com", "www.example.com"] - tls_context: - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "example_com_cert.pem" } - private_key: { filename: "example_com_key.pem" } - filters: - - name: envoy.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager - stat_prefix: ingress_http - use_remote_address: true - http2_protocol_options: - max_concurrent_streams: 100 - initial_stream_window_size: 65535 # 64kB - initial_connection_window_size: 1048576 # 1MB - route_config: - virtual_hosts: - - name: default - domains: "*" - routes: - - match: { prefix: "/" } - route: { cluster: service_foo } - clusters: - name: service_foo - connect_timeout: 15s - per_connection_buffer_limit_bytes: 32768 # 32kB - hosts: - socket_address: - address: 127.0.0.1 - port_value: 8080 - http2_protocol_options: - max_concurrent_streams: 100 - initial_stream_window_size: 65535 # 64kB - initial_connection_window_size: 1048576 # 1MB diff --git a/docs/root/faq/overview.rst b/docs/root/faq/overview.rst index 9815bc0014a7..0fe96c0fd675 100644 --- a/docs/root/faq/overview.rst +++ b/docs/root/faq/overview.rst @@ -8,7 +8,6 @@ FAQ how_fast_is_envoy binaries - edge sni zone_aware_routing zipkin_tracing From b11be8b4caa7b30bb17812c8244297af5b8373f2 Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Mon, 14 Oct 2019 01:02:07 +0000 Subject: [PATCH 03/20] review: use KiB, MiB, GiB. 
Signed-off-by: Piotr Sikora --- .../configuration/best_practices/edge.rst | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index fd41c3987856..39483b803e24 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst @@ -8,15 +8,15 @@ the default settings are tailored for the service mesh use case, and some values need to be adjusted when using Envoy as an edge proxy. TCP proxies should configure: :ref:`overload_manager `, -:ref:`listener buffer limits ` to 32,768 bytes -and :ref:`cluster buffer limits ` to 32,768 bytes. +:ref:`listener buffer limits ` to 32 KiB +and :ref:`cluster buffer limits ` to 32 KiB. HTTP proxies should additionally configure: :ref:`use_remote_address ` to true, and HTTP/2 settings (e.g. :ref:`HTTP/2 maximum concurrent streams limit ` to 100, -:ref:`HTTP/2 initial stream window size limit ` to 65,535 bytes, -and :ref:`HTTP/2 initial connection window size limit ` to 1,048,576 bytes). +:ref:`HTTP/2 initial stream window size limit ` to 64 KiB, +and :ref:`HTTP/2 initial connection window size limit ` to 1 MiB). The following is a YAML example of the above recommendation. @@ -30,7 +30,7 @@ The following is a YAML example of the above recommendation. - name: "envoy.resource_monitors.fixed_heap" config: # TODO: Tune for your system. - max_heap_size_bytes: 2147483648 # 2GB + max_heap_size_bytes: 2147483648 # 2 GiB actions: - name: "envoy.overload_actions.stop_accepting_requests" triggers: @@ -45,7 +45,7 @@ The following is a YAML example of the above recommendation. listener_filters: - name: "envoy.listener.tls_inspector" typed_config: {} - per_connection_buffer_limit_bytes: 32768 # 32kB + per_connection_buffer_limit_bytes: 32768 # 32 KiB filter_chains: - filter_chain_match: server_names: ["example.com", "www.example.com"] 
@@ -62,8 +62,8 @@ The following is a YAML example of the above recommendation. use_remote_address: true http2_protocol_options: max_concurrent_streams: 100 - initial_stream_window_size: 65535 # 64kB - initial_connection_window_size: 1048576 # 1MB + initial_stream_window_size: 65536 # 64 KiB + initial_connection_window_size: 1048576 # 1 MiB route_config: virtual_hosts: - name: default @@ -74,12 +74,12 @@ The following is a YAML example of the above recommendation. clusters: name: service_foo connect_timeout: 15s - per_connection_buffer_limit_bytes: 32768 # 32kB + per_connection_buffer_limit_bytes: 32768 # 32 KiB hosts: socket_address: address: 127.0.0.1 port_value: 8080 http2_protocol_options: max_concurrent_streams: 100 - initial_stream_window_size: 65535 # 64kB - initial_connection_window_size: 1048576 # 1MB + initial_stream_window_size: 65536 # 64 KiB + initial_connection_window_size: 1048576 # 1 MiB From 5a7592fba76eba058385b5585c093e005769ee9a Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Mon, 14 Oct 2019 01:03:01 +0000 Subject: [PATCH 04/20] review: refresh_interval: 0.25s. Signed-off-by: Piotr Sikora --- docs/root/configuration/best_practices/edge.rst | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index 39483b803e24..8164281b77e5 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst @@ -23,9 +23,7 @@ The following is a YAML example of the above recommendation. .. code-block:: yaml overload_manager: - refresh_interval: - seconds: 0 - nanos: 250000000 # 0.25s + refresh_interval: 0.25s resource_monitors: - name: "envoy.resource_monitors.fixed_heap" config: From 79f42f55013665582e933e89e6a390ee9437d7af Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Mon, 14 Oct 2019 01:04:34 +0000 Subject: [PATCH 05/20] review: add envoy.overload_actions.shrink_heap. 
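Review bot: `initial_stream_window_size: 65536` changes the value, not just the unit label: the previous 65535 is the HTTP/2 protocol default for SETTINGS_INITIAL_WINDOW_SIZE (RFC 7540 §6.9.2) and, as far as I recall, the documented lower bound Envoy accepts for this field, so a substantive edit is hidden inside a "use KiB" commit. 65536 is a legal value and the extra byte is immaterial, but the bullet and the inline comment now present "64 KiB" as the recommendation when the earlier text recommended the protocol default; either restore 65535 with `# 65535, the HTTP/2 default` or say in the prose that any value at or above the default is acceptable here.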
Signed-off-by: Piotr Sikora --- docs/root/configuration/best_practices/edge.rst | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index 8164281b77e5..5f15bedb9f2b 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst @@ -30,11 +30,16 @@ The following is a YAML example of the above recommendation. # TODO: Tune for your system. max_heap_size_bytes: 2147483648 # 2 GiB actions: - - name: "envoy.overload_actions.stop_accepting_requests" + - name: "envoy.overload_actions.shrink_heap" triggers: - name: "envoy.resource_monitors.fixed_heap" threshold: value: 0.95 + - name: "envoy.overload_actions.stop_accepting_requests" + triggers: + - name: "envoy.resource_monitors.fixed_heap" + threshold: + value: 0.98 static_resources: listeners: From 258e04817dbd9fe337cc5e955ec7b11ebe3b037c Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Mon, 14 Oct 2019 01:06:16 +0000 Subject: [PATCH 06/20] review: add idle_timeout: 840s. Signed-off-by: Piotr Sikora --- docs/root/configuration/best_practices/edge.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index 5f15bedb9f2b..6a7fde1061bd 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst @@ -63,6 +63,8 @@ The following is a YAML example of the above recommendation. "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager stat_prefix: ingress_http use_remote_address: true + common_http_protocol_options: + idle_timeout: 840s http2_protocol_options: max_concurrent_streams: 100 initial_stream_window_size: 65536 # 64 KiB From 10c2a9071a96c17c10b7606ba7dd74de0102422f Mon Sep 17 00:00:00 2001 
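Review bot: The `fixed_heap` monitor only observes heap usage against `max_heap_size_bytes`; nothing enforces that ceiling, so the `# TODO: Tune for your system.` line under-specifies the one number the whole overload configuration depends on. If 2 GiB is above the memory limit actually enforced on the process (cgroup, VM, ulimit), the OOM killer fires before the 0.95/0.98 triggers ever do; replace the TODO with something like `# Must be below the memory limit enforced on this process (cgroup/VM), with headroom for non-heap usage; the monitor observes, it does not enforce.`. The 0.95→0.98 band is roughly 60 MiB on this setting, sampled every 0.25 s (the refresh interval is outside this hunk), which a burst of 100-stream connections can cross between two samples, and `stop_accepting_requests` leaves already-accepted connections and their open streams untouched. If the build offers `envoy.overload_actions.stop_accepting_connections` and `envoy.overload_actions.disable_http_keepalive`, showing them as an earlier tier would make the example shed load before it starts refusing requests.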
From: Piotr Sikora Date: Mon, 14 Oct 2019 01:54:14 +0000 Subject: [PATCH 07/20] review: explain use_remote_address: true. Signed-off-by: Piotr Sikora --- docs/root/configuration/best_practices/edge.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index 6a7fde1061bd..09876e0f351c 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst @@ -12,7 +12,8 @@ TCP proxies should configure: :ref:`overload_manager `, and :ref:`cluster buffer limits ` to 32 KiB. HTTP proxies should additionally configure: -:ref:`use_remote_address ` to true, +:ref:`use_remote_address ` to true +(to avoid consuming HTTP headers from external clients, see :ref:`HTTP header sanitizing ` for details), and HTTP/2 settings (e.g. :ref:`HTTP/2 maximum concurrent streams limit ` to 100, :ref:`HTTP/2 initial stream window size limit ` to 64 KiB, From 2aa0f9b54c6e7e70b87fd75bf807c0c3ab1915d4 Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Wed, 30 Oct 2019 01:19:09 +0000 Subject: [PATCH 08/20] review: add FAQ. Signed-off-by: Piotr Sikora --- docs/root/configuration/best_practices/edge.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index 09876e0f351c..1ef3ac6476f2 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst @@ -1,7 +1,7 @@ .. _best_practices_edge: -Configuring Envoy for the edge -============================== +Configuring Envoy as an edge proxy +================================== Envoy is a production-ready edge proxy, and performs well in that role, however, the default settings are tailored for the service mesh use case, and some values From 93e8c68ecd1cdb56658e816af77ddf6136c9cb7f Mon Sep 17 00:00:00 2001 
From: Piotr Sikora Date: Wed, 30 Oct 2019 01:25:26 +0000 Subject: [PATCH 09/20] review: drop useless praise. Signed-off-by: Piotr Sikora --- docs/root/configuration/best_practices/edge.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index 1ef3ac6476f2..c6af7c365da8 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst @@ -3,9 +3,9 @@ Configuring Envoy as an edge proxy ================================== -Envoy is a production-ready edge proxy, and performs well in that role, however, -the default settings are tailored for the service mesh use case, and some values -need to be adjusted when using Envoy as an edge proxy. +Envoy is a production-ready edge proxy, however, the default settings are tailored +for the service mesh use case, and some values need to be adjusted when using Envoy +as an edge proxy. TCP proxies should configure: :ref:`overload_manager `, :ref:`listener buffer limits ` to 32 KiB From 4dfac86d5112fc1e8119e5864ac0ec005f8994c5 Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Wed, 30 Oct 2019 01:25:49 +0000 Subject: [PATCH 10/20] review: use bullet points. Signed-off-by: Piotr Sikora --- .../root/configuration/best_practices/edge.rst | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index c6af7c365da8..a9a8535acdb8 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst 
@@ -7,17 +7,19 @@ Envoy is a production-ready edge proxy, however, the default settings are tailor for the service mesh use case, and some values need to be adjusted when using Envoy as an edge proxy. -TCP proxies should configure: :ref:`overload_manager `, -:ref:`listener buffer limits ` to 32 KiB -and :ref:`cluster buffer limits ` to 32 KiB. +TCP proxies should configure: + +* :ref:`overload_manager `, +* :ref:`listener buffer limits ` to 32 KiB, +* :ref:`cluster buffer limits ` to 32 KiB. HTTP proxies should additionally configure: -:ref:`use_remote_address ` to true + +* :ref:`use_remote_address ` to true (to avoid consuming HTTP headers from external clients, see :ref:`HTTP header sanitizing ` for details), -and HTTP/2 settings (e.g. -:ref:`HTTP/2 maximum concurrent streams limit ` to 100, -:ref:`HTTP/2 initial stream window size limit ` to 64 KiB, -and :ref:`HTTP/2 initial connection window size limit ` to 1 MiB). +* :ref:`HTTP/2 maximum concurrent streams limit ` to 100, +* :ref:`HTTP/2 initial stream window size limit ` to 64 KiB, +* :ref:`HTTP/2 initial connection window size limit ` to 1 MiB. The following is a YAML example of the above recommendation. From a2bfc74350f52d708a9882ac9a866df5c994892c Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Wed, 30 Oct 2019 01:39:28 +0000 Subject: [PATCH 11/20] review: fix format. Signed-off-by: Piotr Sikora --- docs/root/configuration/best_practices/edge.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index a9a8535acdb8..da82de52ba31 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst 
@@ -15,8 +15,9 @@ TCP proxies should configure: HTTP proxies should additionally configure: -* :ref:`use_remote_address ` to true -(to avoid consuming HTTP headers from external clients, see :ref:`HTTP header sanitizing ` for details), +* :ref:`use_remote_address ` + to true (to avoid consuming HTTP headers from external clients, see :ref:`HTTP header sanitizing ` + for details), * :ref:`HTTP/2 maximum concurrent streams limit ` to 100, * :ref:`HTTP/2 initial stream window size limit ` to 64 KiB, * :ref:`HTTP/2 initial connection window size limit ` to 1 MiB. From a77b4c269f7b0270c3386909f84239b6a2d478a2 Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Wed, 30 Oct 2019 01:44:30 +0000 Subject: [PATCH 12/20] review: add timeouts. Signed-off-by: Piotr Sikora --- docs/root/configuration/best_practices/edge.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index da82de52ba31..187126cfd663 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst @@ -18,6 +18,7 @@ HTTP proxies should additionally configure: * :ref:`use_remote_address ` to true (to avoid consuming HTTP headers from external clients, see :ref:`HTTP header sanitizing ` for details), +* :ref:`connection and stream timeouts `, * :ref:`HTTP/2 maximum concurrent streams limit ` to 100, * :ref:`HTTP/2 initial stream window size limit ` to 64 KiB, * :ref:`HTTP/2 initial connection window size limit ` to 1 MiB. 
@@ -68,11 +69,13 @@ The following is a YAML example of the above recommendation. stat_prefix: ingress_http use_remote_address: true common_http_protocol_options: - idle_timeout: 840s + idle_timeout: 3600s # 1 hour http2_protocol_options: max_concurrent_streams: 100 initial_stream_window_size: 65536 # 64 KiB initial_connection_window_size: 1048576 # 1 MiB + stream_idle_timeout: 300s # 5 mins + request_timeout: 300s # 5 mins route_config: virtual_hosts: - name: default From f6c12653cd770ce265e679c34dabae71f20f2479 Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Wed, 30 Oct 2019 01:54:49 +0000 Subject: [PATCH 13/20] review: configure admin endpoint. Signed-off-by: Piotr Sikora --- docs/root/configuration/best_practices/edge.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index 187126cfd663..4043f90f5606 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst @@ -9,6 +9,7 @@ as an edge proxy. TCP proxies should configure: +* restrict access to the admin endpoint, * :ref:`overload_manager `, * :ref:`listener buffer limits ` to 32 KiB, * :ref:`cluster buffer limits ` to 32 KiB. @@ -46,6 +47,13 @@ The following is a YAML example of the above recommendation. threshold: value: 0.98 + admin: + access_log_path: "/var/log/envoy_admin.log" + address: + socket_address: + address: 127.0.0.1 + port_value: 9090 + static_resources: listeners: - address: From 8c5e80f2c7dc81e01576c46118e5bbf81165160c Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Wed, 30 Oct 2019 01:55:00 +0000 Subject: [PATCH 14/20] review: actually expose edge proxy to the Internet. Signed-off-by: Piotr Sikora --- docs/root/configuration/best_practices/edge.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
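Review bot: `idle_timeout: 3600s` on `common_http_protocol_options` lets every untrusted client park an idle connection on the edge for an hour, and nothing in the example bounds total connection lifetime, so under pressure the only relief is the overload manager (outside this hunk), which as configured stops accepting requests but does not shed idle connections. A shorter connection idle timeout is the usual edge setting; if the long value is deliberate, say why, e.g. `# 1 hour; lower this unless clients depend on long-lived keep-alive, and pair it with an overload action that closes idle connections`. `request_timeout: 300s` bounds receipt of headers and body per stream, so with `max_concurrent_streams: 100` a client gets five minutes of slow trickle on each of 100 streams per connection; that is tolerable mainly because the 32 KiB buffer limits cap what each stream can hold, and the text should say so, since a reader raising the buffer limit will not realise the two settings are coupled. Indentation is not visible here, so also confirm that `stream_idle_timeout` and `request_timeout` sit at the connection-manager level and not under `http2_protocol_options`, where they are not valid fields.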
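Review bot: The new bullet says to restrict access to the admin endpoint, but the `admin:` block only binds it to `127.0.0.1:9090`, and the admin interface has no authentication: anything that can reach that socket can call `/quitquitquit` and `/logging`, and can read `/config_dump`, which depending on version may include inline certificate and key material. Loopback is reachable by every process in the same network namespace (other containers in the pod, a shell obtained through any of them) and by Envoy itself should a route or cluster ever be pointed at `127.0.0.1:9090`. Where the version supports it, prefer a Unix domain socket with restrictive permissions (`address: { pipe: { path: "/var/run/envoy/admin.sock" } }`), or state the host-level control the example assumes, and put that assumption in the YAML: `# Unauthenticated; must only be reachable by trusted local operators (loopback here, or a permissioned unix socket).`. Keeping `access_log_path` is good, since it gives an audit trail of who hit the interface.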
diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index 4043f90f5606..4a689689278e 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst @@ -57,7 +57,9 @@ The following is a YAML example of the above recommendation. static_resources: listeners: - address: - socket_address: { address: 127.0.0.1, port_value: 443 } + socket_address: + address: 0.0.0.0 + port_value: 443 listener_filters: - name: "envoy.listener.tls_inspector" typed_config: {} From 8e87f2f8ed47bb9078ae3140783ab94128f4abb5 Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Wed, 30 Oct 2019 01:57:41 +0000 Subject: [PATCH 15/20] review: git add docs/root/faq/configuration/edge.rst. Signed-off-by: Piotr Sikora --- docs/root/faq/configuration/edge.rst | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 docs/root/faq/configuration/edge.rst diff --git a/docs/root/faq/configuration/edge.rst b/docs/root/faq/configuration/edge.rst new file mode 100644 index 000000000000..1da9715ac210 --- /dev/null +++ b/docs/root/faq/configuration/edge.rst @@ -0,0 +1,7 @@ +.. _faq_edge: + +How do I configure Envoy as an edge proxy? +========================================== + +Refer to the :ref:`configuring Envoy as an edge proxy ` +for an example of the edge proxy configuration. From f95179c0f8a30b773e9ba26ac6ff0405667eb0d1 Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Wed, 30 Oct 2019 02:49:46 +0000 Subject: [PATCH 16/20] review: add FAQ to the overview. Signed-off-by: Piotr Sikora --- docs/root/faq/overview.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/root/faq/overview.rst b/docs/root/faq/overview.rst index 31aee1721fcb..b30be9823d97 100644 --- a/docs/root/faq/overview.rst +++ b/docs/root/faq/overview.rst @@ -26,6 +26,7 @@ Configuration .. toctree:: :maxdepth: 2 + configuration/edge configuration/sni configuration/zone_aware_routing configuration/zipkin_tracing 
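Review bot: The TLS context behind the listener this hunk exposes on `0.0.0.0:443` (it sits in `filter_chains`, outside the hunk) carries only a certificate and key: no `tls_params`, so the minimum protocol version and cipher list are whatever the build defaults to, which for downstream connections in releases of this era may still admit TLS 1.0/1.1, and no `alpn_protocols`, without which browsers and most clients never negotiate h2 and the `http2_protocol_options` tuned above it only reach prior-knowledge clients. I would add under `common_tls_context`: `tls_params: { tls_minimum_protocol_version: TLSv1_2 }` and `alpn_protocols: ["h2", "http/1.1"]`, with a comment that the cipher list should be reviewed against current guidance. Separately, `0.0.0.0` is IPv4 only; an Internet-facing example probably wants `address: "::"` with `ipv4_compat: true` so IPv6 clients are served as well.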
From 4494914dd8f03b97b19f7b667315b7ef76053c2d Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Thu, 31 Oct 2019 00:53:06 +0000 Subject: [PATCH 17/20] review: drop "the". Signed-off-by: Piotr Sikora --- docs/root/faq/configuration/edge.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/root/faq/configuration/edge.rst b/docs/root/faq/configuration/edge.rst index 1da9715ac210..0e273e61230c 100644 --- a/docs/root/faq/configuration/edge.rst +++ b/docs/root/faq/configuration/edge.rst @@ -3,5 +3,5 @@ How do I configure Envoy as an edge proxy? ========================================== -Refer to the :ref:`configuring Envoy as an edge proxy ` +Refer to :ref:`configuring Envoy as an edge proxy ` for an example of the edge proxy configuration. From f37551292246713c5b25157a94a7fb3fab8b1394 Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Thu, 31 Oct 2019 01:00:01 +0000 Subject: [PATCH 18/20] review: more timeouts. Signed-off-by: Piotr Sikora --- docs/root/configuration/best_practices/edge.rst | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index 4a689689278e..7c11f5559f7d 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst 
@@ -84,15 +84,17 @@ The following is a YAML example of the above recommendation. max_concurrent_streams: 100 initial_stream_window_size: 65536 # 64 KiB initial_connection_window_size: 1048576 # 1 MiB - stream_idle_timeout: 300s # 5 mins - request_timeout: 300s # 5 mins + stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests + request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests route_config: virtual_hosts: - name: default domains: "*" routes: - match: { prefix: "/" } - route: { cluster: service_foo } + route: + cluster: service_foo + idle_timeout: 15s # must be disabled for long-lived and streaming requests clusters: name: service_foo connect_timeout: 15s From c1e65edfb33537e47436be220771ee0e1f8d10f7 Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Thu, 31 Oct 2019 01:00:34 +0000 Subject: [PATCH 19/20] reivew: remove max_concurrent_streams from upstream config. Signed-off-by: Piotr Sikora --- docs/root/configuration/best_practices/edge.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index 7c11f5559f7d..c394a902e8ee 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst @@ -104,6 +104,5 @@ The following is a YAML example of the above recommendation. address: 127.0.0.1 port_value: 8080 http2_protocol_options: - max_concurrent_streams: 100 initial_stream_window_size: 65536 # 64 KiB initial_connection_window_size: 1048576 # 1 MiB From 20bd32d35c7ea32b1737fad9fd085ad85fdde0bf Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Thu, 31 Oct 2019 19:16:57 +0000 Subject: [PATCH 20/20] review: add note about the PROXY protocol. Signed-off-by: Piotr Sikora --- docs/root/configuration/best_practices/edge.rst | 2 ++ 1 file changed, 2 insertions(+) 
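Review bot: The route-level `idle_timeout: 15s` overrides the connection-manager `stream_idle_timeout: 300s` for every request that hits this catch-all route, so the 300 s value commented in the same hunk never takes effect in the example as written; say which one wins, e.g. `idle_timeout: 15s # overrides stream_idle_timeout for this route; must be disabled for long-lived and streaming requests`. "Must be disabled" also invites readers to zero the connection-manager settings, which removes slow-stream protection for all traffic; the safer guidance is to keep the global timeouts and override only on the routes that stream (`idle_timeout: 0s` / `timeout: 0s` on that route), noting that `request_timeout` has no per-route override and must be chosen with those routes in mind. The enclosing `http_connection_manager` block starts outside this hunk.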
diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index c394a902e8ee..94e1728eb172 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst @@ -78,6 +78,8 @@ The following is a YAML example of the above recommendation. "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager stat_prefix: ingress_http use_remote_address: true + # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol. + # use_proxy_proto: true common_http_protocol_options: idle_timeout: 3600s # 1 hour http2_protocol_options:
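Review bot: The comment tells readers when to enable `use_proxy_proto` but not what it trusts: with it on, Envoy takes the client address from whatever PROXY header arrives, and it cannot distinguish the load balancer's header from one forged by a client that reaches `0.0.0.0:443` directly, so every decision keyed on the remote address (access logs, rate limits, IP allow-lists, the X-Forwarded-For written to upstreams) becomes spoofable unless the listener is reachable only through the balancer. The comment should carry that condition, e.g. `# Only enable if this listener is reachable exclusively through a load balancer that injects the PROXY protocol; a directly connected client could otherwise forge its source address.`. Two hedged asides: newer Envoy releases deprecate this field in favour of the `envoy.listener.proxy_protocol` listener filter (which must be ordered before `tls_inspector`), and a layer-7 balancer that sets X-Forwarded-For rather than PROXY protocol wants `xff_num_trusted_hops` instead of this option.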