Ensure Envoy recommended edge proxy settings are set by default

[arkodg]

Description: Ensure we are setting Envoy Edge Proxy settings by default to the values specified in https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy

TCP proxies

• [x] restrict access to the admin endpoint, https://github.com/envoyproxy/gateway/pull/206
• [x] overload_manager,
• [x] listener buffer limits to 32 KiB, https://github.com/envoyproxy/gateway/pull/1306
• [x] cluster buffer limits to 32 KiB. https://github.com/envoyproxy/gateway/pull/1325

HTTP proxies:

• [x] use_remote_address to true (to avoid consuming HTTP headers from external clients, see HTTP header sanitizing for details) https://github.com/envoyproxy/gateway/pull/1029,
• [ ] connection and stream timeouts,
• [x] HTTP/2 maximum concurrent streams limit and HTTP/3 maximum concurrent streams limit to 100 https://github.com/envoyproxy/gateway/pull/1408
• [x] HTTP/2 initial stream window size limit to 64 KiB, https://github.com/envoyproxy/gateway/pull/1408
• [x] HTTP/2 initial connection window size limit to 1 MiB. https://github.com/envoyproxy/gateway/pull/1408
• [x] headers_with_underscores_action setting to REJECTREQUEST, to protect upstream services that treat ‘’ and ‘-’ as interchangeable. https://github.com/envoyproxy/gateway/pull/1408
• [ ] Listener connection limits.
• [x] #1966

If Envoy is configured with RBAC filter or makes route selection based on URL path it is recommended to enable the following path normalization options to minimize probability of path confusion vulnerabilities. Path confusion vulnerabilities occur when parties participating in request use different path representations.

• [x] Enable normalize_path setting. https://github.com/envoyproxy/gateway/pull/1341
• [x] Enable merge_slashes setting. https://github.com/envoyproxy/gateway/pull/1341
• [x] Additionally the path_with_escaped_slashes_action setting should be set https://github.com/envoyproxy/gateway/pull/1341

[Xunzhuo]

I will work on it.

[tanujd11]

Hey @Xunzhuo, I would also like to help out with this issue if it's fine with you. I can take up a few of the tasks.

[Xunzhuo]

@tanujd11 can you tell which subtasks you want to assign?

[tanujd11]

@Xunzhuo I could start from bottom with if it works for you

• Enable normalize_path setting.
• [x] Enable merge_slashes setting.
• [x] Additionally the path_with_escaped_slashes_action setting should be set

[Xunzhuo]

Sure @tanujd11

[tanujd11]

Hey @Xunzhuo , I shall start working on the HTTP proxy tasks. Have you picked any so we don't duplicate the work?

[Xunzhuo]

Feel free please @tanujd11

[tanujd11]

@arkodg, EG don't support Http3 yet. So I am skipping the h3 connection settings. We can set it once https://github.com/envoyproxy/gateway/issues/422 is done.

[arkodg]

hey @tanujd11 checking in to see if you plan on working on the remaining sub tasks before v0.5.0 releases (end July 2023), else will move this issue into the backlog, thanks in advance !

[tanujd11]

Hey @arkodg, I will take a look at it on the weekend.

[arkodg]

awesome thanks !

[arkodg]

hey @tanujd11 still planning on working on this in the next few weeks ? if not, will move this into the the next v0.6.0 release milestone, thanks

[tanujd11]

Hey @arkodg , Ya I was not able to find time. Could you please move it over to next release. Thanks

[arkodg]

thanks for the update @tanujd11 , moving this to v0.6.0-rc1

[shahar-h]

@arkodg overload_manager can be checked as it is completed with #3082.