400 error - Request header is too large when using a Service Entry to route to an external service

If we use a Service Entry to route to an external host, we get a 400 HTTP error when we have a large HTTP header request. However, bypassing the Service Entry, i.e. if we curl directly to the host using the same HTTP request, the external page is displayed correctly. We have tried applying an EnvoyFilter with max_request_headers_kb set to 96, but it has made no difference. Is there any way to increase the http-request/buffer for traffic using a ServiceEntry?

Tomcat log showing the error when we route through a ServiceEntry:

org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
	java.lang.IllegalArgumentException: Request header is too large

EnvoyFilter applied:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: max-request-headers
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
    match:
      context: ANY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          max_request_headers_kb: 96

istio version: 1.6.12
envoy version: ef96e9c2f0b0d2a31e3a9426c4b339db0b33885f/1.14.5-dev/Clean/RELEASE/BoringSSL

Thanks.

We were able to fix this by removing the cookie from the header in the VirtualService (see below) so the overall request header size was below the limit for the external service, which in our case was an AWS S3 bucket. We also tested with a Tomcat and an Nginx service as the external service. Tomcat failed (400 HTTP error) as by default it has a small max header request size; this was resolved by removing the cookie in the VS. We didn't have the issue with Nginx as the default header request size was sufficient for our requests.

virtualservice:

destination...
    headers:
       response:
          remove:
          - cookie
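The thread's diagnosis, as an added example that is not code from either post: it estimates the size of a request head, reports the first hop whose limit it exceeds, and shows the effect of dropping the Cookie header. Assumptions: the 96 KiB Envoy limit is the value from the EnvoyFilter in the question, the 8 KiB Tomcat limit is its default maxHttpHeaderSize, and the sample request and host name are constructed.

```python
# Added example. Limits in bytes: Envoy's is the value set by the EnvoyFilter
# in the question; Tomcat's default maxHttpHeaderSize (8 KiB) is an assumption.
HOP_LIMITS = [("envoy-sidecar", 96 * 1024), ("tomcat-upstream", 8 * 1024)]

def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request head into (request_line, [(name, value)])."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers

def head_size(request_line, headers):
    """Approximate wire size: request line, 'Name: value' lines, blank line."""
    size = len(request_line) + 2
    size += sum(len(f"{n}: {v}") + 2 for n, v in headers)
    return size + 2

def first_rejecting_hop(size, limits=HOP_LIMITS):
    """Return the first hop, in request order, whose limit the head exceeds."""
    for hop, limit in limits:
        if size > limit:
            return hop
    return None

def strip_headers(headers, names):
    """Drop the named headers (case-insensitive), as a 'remove' rule would."""
    drop = {n.lower() for n in names}
    return [(n, v) for n, v in headers if n.lower() not in drop]

def build_sample():
    """Constructed request: ten ~900-byte cookies; host is a placeholder."""
    cookie = "; ".join(f"sess{i}=" + "A" * 900 for i in range(10))
    return ("GET /index.html HTTP/1.1\r\nHost: bucket.example.invalid\r\n"
            "Accept: */*\r\nCookie: " + cookie + "\r\n\r\n").encode("latin-1")

def report(raw):
    """Size the head before and after removing Cookie; name the rejecting hop."""
    line, headers = parse_head(raw)
    before = head_size(line, headers)
    after = head_size(line, strip_headers(headers, ["cookie"]))
    biggest = max(headers, key=lambda h: len(h[1]))[0]
    return {"before": before, "rejected_by": first_rejecting_hop(before),
            "largest": biggest, "after": after,
            "rejected_after": first_rejecting_hop(after)}

if __name__ == "__main__":
    print(report(build_sample()))
```

Run against the head of a captured request, it shows whether raising Envoy's limit can help at all or whether the external service's own limit is the one being hit.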