Configuring Envoy as an edge proxy
TCP proxies should configure:
restrict access to the admin endpoint,
to 32 KiB,
cluster buffer limits to 32 KiB.
HTTP proxies should additionally configure:
to true (to avoid consuming HTTP headers from external clients, see HTTP header sanitizing for details),
and HTTP/3 maximum concurrent streams limit to 100
to 64 KiB,
to REJECT_REQUEST, to protect upstream services that treat '_' and '-' as interchangeable.
If Envoy is configured with the RBAC filter or makes route selection based on the URL path, it is recommended to enable the following path normalization options to minimize the probability of path confusion vulnerabilities. Path confusion vulnerabilities occur when the parties participating in a request use different path representations.
Enable .
Additionally, the path_with_escaped_slashes_action setting should be set according to the following recommendations:
REJECT_REQUEST if downstream clients are expected to use RFC 3986 compliant normalized paths (such as gRPC clients).
UNESCAPE_AND_REDIRECT if the downstream client supports HTTP redirects (such as a browser). This option minimizes the possibility of path confusion by forcing the request to be re-issued with the same path across all parties: the downstream client, Envoy and the upstream server. Note that gRPC requests will still be rejected with the INTERNAL (13) error code, as gRPC clients do not support redirects.
KEEP_UNCHANGED for servers that are not RFC 3986 compliant and require encoded slashes.
The following is a YAML example of the above recommendation (taken from the edge server configuration):
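As an added illustration (not the edge server YAML shipped with Envoy), here is a minimal static v3 bootstrap that applies the recommendations above; the listener, cluster and backend host names, ports and the router filter wiring are placeholders chosen for this example, and the TLS transport socket is omitted.

```yaml
# Added example, not Envoy's shipped edge.yaml; names, addresses and ports are placeholders.
admin:
  address:
    socket_address:
      address: 127.0.0.1   # bind the admin endpoint to loopback only, never to a public interface
      port_value: 9901
static_resources:
  listeners:
  - name: ingress_http
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }   # TLS transport_socket omitted for brevity
    per_connection_buffer_limit_bytes: 32768   # 32 KiB listener (downstream) buffer limit
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          use_remote_address: true        # ignore x-forwarded-for supplied by external clients
          normalize_path: true            # RFC 3986 normalization before RBAC / route matching
          merge_slashes: true             # collapse repeated slashes
          path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT   # browser clients; use REJECT_REQUEST for gRPC-only edges
          common_http_protocol_options:
            headers_with_underscores_action: REJECT_REQUEST   # backends may fold '_' and '-'
          http2_protocol_options:
            max_concurrent_streams: 100          # per-connection stream cap
            initial_stream_window_size: 65536    # 64 KiB
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: service_backend }
  clusters:
  - name: service_backend
    type: STRICT_DNS
    per_connection_buffer_limit_bytes: 32768   # 32 KiB cluster (upstream) buffer limit
    load_assignment:
      cluster_name: service_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.internal, port_value: 8080 }   # placeholder backend
```

Validate the file before deploying with envoy's --mode validate flag, which parses the bootstrap without starting the listeners.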