Ensure Envoy recommended edge proxy settings are set by default

[arkodg]

Description:
Ensure we are setting Envoy Edge Proxy settings by default to the values specified in https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy

TCP proxies

• restrict access to the admin endpoint, Adds Envoy Bootstrap Config #206
• overload_manager,
• listener buffer limits to 32 KiB, feat: set tcp proxy listener buffer #1306
• cluster buffer limits to 32 KiB. feat: set tcp proxy cluster buffer #1325

HTTP proxies:

• use_remote_address to true (to avoid consuming HTTP headers from external clients, see HTTP header sanitizing for details) ensure use_remote_address is set #1029,
• connection and stream timeouts,
• HTTP/2 maximum concurrent streams limit and HTTP/3 maximum concurrent streams limit to 100 Added http best practices to hcm #1408
• HTTP/2 initial stream window size limit to 64 KiB, Added http best practices to hcm #1408
• HTTP/2 initial connection window size limit to 1 MiB. Added http best practices to hcm #1408
• headers_with_underscores_action setting to REJECT_REQUEST, to protect upstream services that treat ‘_’ and ‘-’ as interchangeable. Added http best practices to hcm #1408
• Listener connection limits.
• Global downstream connection limits. #1966

If Envoy is configured with RBAC filter or makes route selection based on URL path it is recommended to enable the following path normalization options to minimize probability of path confusion vulnerabilities. Path confusion vulnerabilities occur when parties participating in request use different path representations.

• Enable normalize_path setting. feat: set path normalization settings #1341
• Enable merge_slashes setting. feat: set path normalization settings #1341
• Additionally the path_with_escaped_slashes_action setting should be set feat: set path normalization settings #1341

[Xunzhuo]

I will work on it.

[tanujd11]

Hey @Xunzhuo, I would also like to help out with this issue if it's fine with you. I can take up a few of the tasks.

[Xunzhuo]

@tanujd11 can you tell which subtasks you want to assign?

[tanujd11]

@Xunzhuo I could start from bottom with if it works for you

• Enable normalize_path setting.
• Enable merge_slashes setting.
• Additionally the path_with_escaped_slashes_action setting should be set

[Xunzhuo]

Sure @tanujd11

[tanujd11]

Hey @Xunzhuo , I shall start working on the HTTP proxy tasks. Have you picked any so we don't duplicate the work?

[Xunzhuo]

Feel free please @tanujd11

[tanujd11]

@arkodg, EG don't support Http3 yet. So I am skipping the h3 connection settings. We can set it once #422 is done.

[arkodg]

hey @tanujd11 checking in to see if you plan on working on the remaining sub tasks before v0.5.0 releases (end July 2023), else will move this issue into the backlog, thanks in advance !

[tanujd11]

Hey @arkodg, I will take a look at it on the weekend.

[arkodg]

awesome thanks !

[arkodg]

hey @tanujd11 still planning on working on this in the next few weeks ?
if not, will move this into the the next v0.6.0 release milestone, thanks

[tanujd11]

Hey @arkodg , Ya I was not able to find time. Could you please move it over to next release. Thanks

[arkodg]

thanks for the update @tanujd11 , moving this to v0.6.0-rc1

[shahar-h]

@arkodg overload_manager can be checked as it is completed with #3082.