Istio Ingress : Increase Header size

Divyesh_Bhatt · November 18, 2020, 3:22pm

Hello,

Istio Version : 1.7

I am trying to update max_request_headers_kb to 80 using below envoy filter:
Even after applying one of below EnvoyFilter I am getting “431Request Header Fields Too Large” on header size beyond 30 kb.

I know the document from envoy says default limit is 60 kb but in code its hardcoded to 29 and max limit to 94.

github.com

envoyproxy/envoy/blob/c39a22e1ee744f4e6031c0b53f7ccd2b6165e29f/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L304


// By default, Envoy will overwrite the header with the value specified in
// server_name.
ServerHeaderTransformation server_header_transformation = 34
    [(validate.rules).enum = {defined_only: true}];
// The maximum request headers size for incoming connections.
// If unconfigured, the default max request headers allowed is 60 KiB.
// Requests that exceed this limit will receive a 431 response.
// The max configurable limit is 96 KiB, based on current implementation
// constraints.
google.protobuf.UInt32Value max_request_headers_kb = 29
    [(validate.rules).uint32 = {lte: 96 gt: 0}];
// The idle timeout for connections managed by the connection manager. The
// idle timeout is defined as the period in which there are no active
// requests. If not set, there is no idle timeout. When the idle timeout is
// reached the connection will be closed. If the connection is an HTTP/2
// connection a drain sequence will occur prior to closing the connection.
// This field is deprecated. Use :ref:`idle_timeout
// <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.common_http_protocol_options>`
// instead.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: custom
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:

applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
match:
context: GATEWAY
listener:
filterChain:
filter:
name: “envoy.http_connection_manager”
patch:
operation: MERGE
value:
max_request_headers_kb: 80

OR

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: custom
namespace: istio-system
spec:
configPatches:

applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: “envoy.http_connection_manager”
patch:
operation: MERGE
value:
typed_config:
“@type”: “type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager”
max_request_headers_kb: 200

None worked.

Can someone suggest what am I doing wrong?

rvennam · December 4, 2020, 4:37pm

For 1.7, some of the fields have to be updated for envoy v3:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: max-request-headers
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
    match:
      context: ANY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          max_request_headers_kb: 90

Divyesh_Bhatt · December 18, 2020, 5:48pm

Hello Ram,

No luck with above filter definition as well. Is this configuration is working for you?
Thanks,

Divyesh Bhatt

Gerald_JACOBSON · January 19, 2021, 5:44pm

hello,
did you find a solution ? i have the same issue and i cannot find a configuration that work on my ISTIO 1.7

PS: i have a lua filter configured as HTTP_FILTER and patch INSERT_BEFORE → don’t know if the max_request_headers_kb (work) but is not set before reaching the filter or something like that, or if the config does not work at all

Thank you

Divyesh_Bhatt · January 21, 2021, 5:44pm

No Luck… Have parked this for a while. Please let me know if you find any solution.

sergiomacedo · April 29, 2021, 10:45pm

I’m looking for a solution for this problem too…