authormo khan <mo@mokhan.ca>2025-07-03 15:53:00 -0600
committermo khan <mo@mokhan.ca>2025-07-03 15:53:00 -0600
commitc783af99f9f3da740f553e7c9cbc768fd2a89724 (patch)
tree944f6f2d887646d6668535b1dc723bf297798816 /etc/envoy/envoy.yaml
parent8f2d083fb29b5dbd5bbe185119efd4246a818f65 (diff)
chore: include envoy in docker image
Diffstat (limited to 'etc/envoy/envoy.yaml')
-rw-r--r--etc/envoy/envoy.yaml97
1 files changed, 74 insertions, 23 deletions
diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml
index e050a49e..31b29c80 100644
--- a/etc/envoy/envoy.yaml
+++ b/etc/envoy/envoy.yaml
@@ -6,21 +6,23 @@ admin:
application_log_config:
log_format:
json_format:
- Timestamp: "%Y-%m-%dT%T.%F"
- ThreadId: "%t"
- SourceLine: "%s:%#"
- Level: "%l"
- Message: "%j"
+ timestamp: "%Y-%m-%dT%T.%FZ"
+ thread_id: "%t"
+ level: "%l"
+ logger: "%n"
+ message: "%j"
overload_manager:
resource_monitors:
- name: "envoy.resource_monitors.global_downstream_max_connections"
typed_config:
"@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
- max_active_downstream_connections: 1024
+ max_active_downstream_connections: 10240
static_resources:
clusters:
- name: authzd
connect_timeout: 5s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: authzd
endpoints:
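Review bot: The literal `Z` in `timestamp: "%Y-%m-%dT%T.%FZ"` asserts UTC, but the spdlog-style pattern renders the process's local time, so the suffix is only truthful when the container runs with its zone set to UTC; either record that assumption next to the key (`# trailing 'Z' assumes the container runs in UTC`) or drop the literal so the field cannot mislead log correlation. Separately, `type: STATIC` on the `authzd` cluster requires the `load_assignment` endpoint addresses (just past the end of this hunk) to be literal IPs; if they are a hostname such as a compose service name the cluster needs `type: STRICT_DNS` instead. The cluster definition continues outside the hunk.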
@@ -35,8 +37,21 @@ static_resources:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options: {}
+ health_checks:
+ - timeout: 3s
+ interval: 5s
+ unhealthy_threshold: 2
+ healthy_threshold: 2
+ grpc_health_check: {}
+ circuit_breakers:
+ thresholds:
+ - priority: DEFAULT
+ max_connections: 1024
+ max_pending_requests: 1024
+ max_requests: 1024
+ max_retries: 3
listeners:
- - name: listener_0
+ - name: main_listener
address:
socket_address:
protocol: TCP
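Review bot: `grpc_health_check: {}` only succeeds if `authzd` serves `grpc.health.v1.Health`; if it does not, every endpoint is marked unhealthy after `unhealthy_threshold: 2` and, with `failure_mode_allow: false` on ext_authz, every request fails closed, so confirm the service implements that RPC or switch to a TCP/HTTP check. Also, on an HTTP/2 cluster `max_requests: 1024` rather than `max_connections` is the operative limit, and each downstream request makes two calls to `authzd` (the ext_authz check, then the routed request) while the listener now admits 10240 downstream connections; overflow is shed as 503, which may be intended but deserves a comment such as `# HTTP/2 upstream: max_requests is the effective concurrency cap`. The `listeners` entry that begins at the end of this hunk continues outside it.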
@@ -49,25 +64,30 @@ static_resources:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
access_log:
- name: envoy.access_loggers.stdout
+ filter:
+ not_health_check_filter: {}
typed_config:
"@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
log_format:
json_format:
- app: "envoy"
- authority: "%REQ(:AUTHORITY)%"
- bytes_received: "%BYTES_RECEIVED%"
- bytes_sent: "%BYTES_SENT%"
- client_ip: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
- duration: "%DURATION%"
- forwarded_for: "%REQ(X-FORWARDED-FOR)%"
+ timestamp: "%START_TIME(%FT%T.%3fZ)%"
method: "%REQ(:METHOD)%"
path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
protocol: "%PROTOCOL%"
- request_id: "%REQ(X-REQUEST-ID)%"
response_code: "%RESPONSE_CODE%"
- timestamp: "%START_TIME%"
+ response_flags: "%RESPONSE_FLAGS%"
+ bytes_received: "%BYTES_RECEIVED%"
+ bytes_sent: "%BYTES_SENT%"
+ duration_ms: "%DURATION%"
+ upstream_service_time: "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
+ x_forwarded_for: "%REQ(X-FORWARDED-FOR)%"
user_agent: "%REQ(USER-AGENT)%"
+ request_id: "%REQ(X-REQUEST-ID)%"
+ authority: "%REQ(:AUTHORITY)%"
+ upstream_host: "%UPSTREAM_HOST%"
codec_type: AUTO
+ request_timeout: 30s
+ stream_idle_timeout: 300s
http_filters:
- name: envoy.filters.http.health_check
typed_config:
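Review bot: The rewritten `json_format` drops `client_ip: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"` and keeps only `x_forwarded_for`, which is a request header the client controls unless trusted-hop handling (`use_remote_address`/`xff_num_trusted_hops`, not visible here) is configured, so the access log no longer records the actual TCP peer. Add `downstream_remote_address: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"` back into the map so incident review has an authoritative source address alongside the forwarded one. The `envoy.filters.http.health_check` filter's `typed_config` at the end of this hunk continues outside it.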
@@ -80,30 +100,61 @@ static_resources:
- name: envoy.filters.http.ext_authz
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+ transport_api_version: V3
grpc_service:
envoy_grpc:
cluster_name: authzd
- timeout: 30s
+ timeout: 5s
failure_mode_allow: false
+ include_peer_certificate: true
+ clear_route_cache: true
+ status_on_error:
+ code: 503
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
suppress_envoy_headers: true
route_config:
+ name: local_route
request_headers_to_remove:
- authorization
- cookie
- - user-agent
+ response_headers_to_add:
+ - header:
+ key: "x-content-type-options"
+ value: "nosniff"
+ - header:
+ key: "x-frame-options"
+ value: "DENY"
+ - header:
+ key: "x-xss-protection"
+ value: "1; mode=block"
virtual_hosts:
- - name: local
+ - name: backend
domains: ["*"]
routes:
- match:
prefix: "/"
route:
cluster: authzd
- timeout: 5s
- retry_policy:
- retry_on: "5xx"
- num_retries: 3
+ timeout: 30s
+ retry_policy:
+ retry_on: "5xx,reset,connect-failure,retriable-status-codes"
+ num_retries: 3
+ per_try_timeout: 10s
+ retriable_status_codes: [503]
+ request_headers_to_add:
+ - header:
+ key: "x-real-ip"
+ value: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
+ - header:
+ key: "x-forwarded-proto"
+ value: "%REQ(X-FORWARDED-PROTO)%"
stat_prefix: ingress_http
+ common_http_protocol_options:
+ idle_timeout: 300s
+ headers_with_underscores_action: REJECT_REQUEST
+ http2_protocol_options:
+ max_concurrent_streams: 100
+ initial_stream_window_size: 65536
+ server_header_transformation: PASS_THROUGH
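Review bot: The `x-real-ip` entry under `request_headers_to_add` uses the default append action, so a client that already sends `x-real-ip` reaches `authzd` with both the spoofed value and the real one, and whichever the backend reads first wins; add `append_action: OVERWRITE_IF_EXISTS_OR_ADD` to that entry (the `authorization`/`cookie` removals above do not cover it). The `x-forwarded-proto` entry has the same weakness in a stronger form: `%REQ(X-FORWARDED-PROTO)%` merely echoes whatever the client sent, and with the listener on plain TCP there is no visible TLS termination to anchor it, so either drop the entry or derive the value from the actual scheme rather than the request header. Minor: `retriable_status_codes: [503]` is already covered by `5xx` in `retry_on`, and retrying on `reset`/`connect-failure` for a `prefix: "/"` route also retries non-idempotent methods, which is worth a comment if intended.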