feat: Add comprehensive downstream validation for Envoy

YashNandwana · YashNandwana · commit c43da053d7cb · 2025-07-13T23:04:13.000+05:30
Signed-off-by: Yash Nandwana yashneelam975@gmail.com

adding downstream validation for envoy (streamErrorOnInvalidHttpMessage)

added to OnChange() for getting loaded during DAG build
diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go
@@ -430,6 +430,15 @@ type EnvoyListenerConfig struct {
 	// +kubebuilder:validation:Minimum=1
 	// +optional
 	MaxConnectionsPerListener *uint32 `json:"maxConnectionsPerListener,omitempty"`
+
+	// StreamErrorOnInvalidHTTP
+	// If this option is false (default), Envoy will err on the conservative side handling HTTP errors, terminating both
+	// HTTP/1.1 and HTTP/2 connections when receiving an invalid request. If this option is set to true,
+	// Envoy will be more permissive, only resetting the invalid stream in the case of HTTP/2 and leaving the
+	// connection open where possible (if the entire request is read for HTTP/1.1)
+	//
+	// +optional
+	StreamErrorOnInvalidHTTP *bool `json:"streamErrorOnInvalidHTTP,omitempty"`
 }
 
 // SocketOptions defines configurable socket options for Envoy listeners.
diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go
@@ -466,6 +466,7 @@ func (s *Server) doServe() error {
 		HTTP2MaxConcurrentStreams:     contourConfiguration.Envoy.Listener.HTTP2MaxConcurrentStreams,
 		PerConnectionBufferLimitBytes: contourConfiguration.Envoy.Listener.PerConnectionBufferLimitBytes,
 		SocketOptions:                 contourConfiguration.Envoy.Listener.SocketOptions,
+		StreamErrorOnInvalidHTTP:      contourConfiguration.Envoy.Listener.StreamErrorOnInvalidHTTP,
 	}
 
 	if listenerConfig.TracingConfig, err = s.setupTracingService(contourConfiguration.Tracing); err != nil {
diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go
@@ -557,6 +557,7 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co
 				MaxRequestsPerIOCycle:         ctx.Config.Listener.MaxRequestsPerIOCycle,
 				HTTP2MaxConcurrentStreams:     ctx.Config.Listener.HTTP2MaxConcurrentStreams,
 				MaxConnectionsPerListener:     ctx.Config.Listener.MaxConnectionsPerListener,
+				StreamErrorOnInvalidHTTP:      ctx.Config.Listener.StreamErrorOnInvalidHTTP,
 				TLS: &contour_v1alpha1.EnvoyTLS{
 					MinimumProtocolVersion: ctx.Config.TLS.MinimumProtocolVersion,
 					MaximumProtocolVersion: ctx.Config.TLS.MaximumProtocolVersion,
diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml
@@ -339,6 +339,12 @@ spec:
                         format: int32
                         minimum: 1
                         type: integer
+                      streamErrorOnInvalidHTTP:
+                        description: |-
+                          Defines envoy's behaviour for invalid HTTP response from downstream. Default value is false.
+                          see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-error-on-invalid-http-message
+                          for more information.
+                        type: boolean
                       maxRequestsPerConnection:
                         description: |-
                           Defines the maximum requests for downstream connections. If not specified, there is no limit.
@@ -4202,6 +4208,12 @@ spec:
                             format: int32
                             minimum: 1
                             type: integer
+                          streamErrorOnInvalidHTTP:
+                            description: |-
+                              Defines envoy's behaviour for invalid HTTP response from downstream. Default value is false.
+                              see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-error-on-invalid-http-message
+                              for more information.
+                            type: boolean
                           maxRequestsPerConnection:
                             description: |-
                               Defines the maximum requests for downstream connections. If not specified, there is no limit.
diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml
@@ -558,6 +558,12 @@ spec:
                         format: int32
                         minimum: 1
                         type: integer
+                      streamErrorOnInvalidHTTP:
+                        description: |-
+                          Defines envoy's behaviour for invalid HTTP response from downstream. Default value is false.
+                          see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-error-on-invalid-http-message
+                          for more information.
+                        type: boolean
                       maxRequestsPerConnection:
                         description: |-
                           Defines the maximum requests for downstream connections. If not specified, there is no limit.
@@ -4421,6 +4427,12 @@ spec:
                             format: int32
                             minimum: 1
                             type: integer
+                          streamErrorOnInvalidHTTP:
+                            description: |-
+                              Defines envoy's behaviour for invalid HTTP response from downstream. Default value is false.
+                              see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-error-on-invalid-http-message
+                              for more information.
+                            type: boolean
                           maxRequestsPerConnection:
                             description: |-
                               Defines the maximum requests for downstream connections. If not specified, there is no limit.
diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml
@@ -350,6 +350,12 @@ spec:
                         format: int32
                         minimum: 1
                         type: integer
+                      streamErrorOnInvalidHTTP:
+                        description: |-
+                          Defines envoy's behaviour for invalid HTTP response from downstream. Default value is false.
+                          see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-error-on-invalid-http-message
+                          for more information.
+                        type: boolean
                       maxRequestsPerConnection:
                         description: |-
                           Defines the maximum requests for downstream connections. If not specified, there is no limit.
@@ -4213,6 +4219,12 @@ spec:
                             format: int32
                             minimum: 1
                             type: integer
+                          streamErrorOnInvalidHTTP:
+                            description: |-
+                              Defines envoy's behaviour for invalid HTTP response from downstream. Default value is false.
+                              see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-error-on-invalid-http-message
+                              for more information.
+                            type: boolean
                           maxRequestsPerConnection:
                             description: |-
                               Defines the maximum requests for downstream connections. If not specified, there is no limit.
diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml
@@ -375,6 +375,12 @@ spec:
                         format: int32
                         minimum: 1
                         type: integer
+                      streamErrorOnInvalidHTTP:
+                        description: |-
+                          Defines envoy's behaviour for invalid HTTP response from downstream. Default value is false.
+                          see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-error-on-invalid-http-message
+                          for more information.
+                        type: boolean
                       maxRequestsPerConnection:
                         description: |-
                           Defines the maximum requests for downstream connections. If not specified, there is no limit.
@@ -4238,6 +4244,12 @@ spec:
                             format: int32
                             minimum: 1
                             type: integer
+                          streamErrorOnInvalidHTTP:
+                            description: |-
+                              Defines envoy's behaviour for invalid HTTP response from downstream. Default value is false.
+                              see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-error-on-invalid-http-message
+                              for more information.
+                            type: boolean
                           maxRequestsPerConnection:
                             description: |-
                               Defines the maximum requests for downstream connections. If not specified, there is no limit.
diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml
@@ -558,6 +558,12 @@ spec:
                         format: int32
                         minimum: 1
                         type: integer
+                      streamErrorOnInvalidHTTP:
+                        description: |-
+                          Defines envoy's behaviour for invalid HTTP response from downstream. Default value is false.
+                          see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-error-on-invalid-http-message
+                          for more information.
+                        type: boolean
                       maxRequestsPerConnection:
                         description: |-
                           Defines the maximum requests for downstream connections. If not specified, there is no limit.
@@ -4421,6 +4427,12 @@ spec:
                             format: int32
                             minimum: 1
                             type: integer
+                          streamErrorOnInvalidHTTP:
+                            description: |-
+                              Defines envoy's behaviour for invalid HTTP response from downstream. Default value is false.
+                              see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-error-on-invalid-http-message
+                              for more information.
+                            type: boolean
                           maxRequestsPerConnection:
                             description: |-
                               Defines the maximum requests for downstream connections. If not specified, there is no limit.
diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go
@@ -16,7 +16,6 @@ package v3
 import (
 	"errors"
 	"fmt"
-	v1 "github.com/projectcontour/contour/apis/projectcontour/v1"
 	"sort"
 	"strings"
 	"time"
@@ -195,7 +194,7 @@ type httpConnectionManagerBuilder struct {
 	http2MaxConcurrentStreams     *uint32
 	enableWebsockets              bool
 	compression                   *contour_v1alpha1.EnvoyCompression
-	streamErrorForInvalidHttp     bool
+	streamErrorOnInvalidHttp      bool
 }
 
 func (b *httpConnectionManagerBuilder) EnableWebsockets(enable bool) *httpConnectionManagerBuilder {
@@ -329,6 +328,11 @@ func (b *httpConnectionManagerBuilder) HTTP2MaxConcurrentStreams(http2MaxConcurr
 	return b
 }
 
+func (b *httpConnectionManagerBuilder) StreamErrorOnInvalidHTTP(streamErrorOnInvalidHttp bool) *httpConnectionManagerBuilder {
+	b.streamErrorOnInvalidHttp = streamErrorOnInvalidHttp
+	return b
+}
+
 func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBuilder {
 	// Add a default set of ordered http filters.
 	// The names are not required to match anything and are
@@ -543,9 +547,11 @@ func (b *httpConnectionManagerBuilder) Get() *envoy_config_listener_v3.Filter {
 		Tracing:     b.tracingConfig,
 		HttpFilters: b.filters,
 		CommonHttpProtocolOptions: &envoy_config_core_v3.HttpProtocolOptions{
-			IdleTimeout:          envoy.Timeout(b.connectionIdleTimeout),
-			DownstreamValidation: wrapperspb.Bool(b.streamErrorForInvalidHttp),
+			IdleTimeout: envoy.Timeout(b.connectionIdleTimeout),
 		},
+
+		StreamErrorOnInvalidHttpMessage: wrapperspb.Bool(b.streamErrorOnInvalidHttp),
+
 		HttpProtocolOptions: &envoy_config_core_v3.Http1ProtocolOptions{
 			// Enable support for HTTP/1.0 requests that carry
 			// a Host: header. See #537.
diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go
@@ -156,6 +156,13 @@ type ListenerConfig struct {
 
 	// SocketOptions configures socket options HTTP and HTTPS listeners.
 	SocketOptions *contour_v1alpha1.SocketOptions
+
+	// StreamErrorOnInvalidHTTP
+	// If this option is false (default), Envoy will err on the conservative side handling HTTP errors, terminating both
+	// HTTP/1.1 and HTTP/2 connections when receiving an invalid request. If this option is set to true,
+	// Envoy will be more permissive, only resetting the invalid stream in the case of HTTP/2 and leaving the
+	// connection open where possible (if the entire request is read for HTTP/1.1)
+	StreamErrorOnInvalidHTTP bool
 }
 
 type ExtensionServiceConfig struct {
@@ -395,6 +402,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
 				StripTrailingHostDot(cfg.StripTrailingHostDot).
 				MaxRequestsPerConnection(cfg.MaxRequestsPerConnection).
 				HTTP2MaxConcurrentStreams(cfg.HTTP2MaxConcurrentStreams).
+				StreamErrorOnInvalidHTTP(cfg.StreamErrorOnInvalidHTTP).
 				AddFilter(httpGlobalExternalAuthConfig(cfg.GlobalExternalAuthConfig)).
 				Tracing(envoy_v3.TracingConfig(envoyTracingConfig(cfg.TracingConfig))).
 				AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))).
@@ -475,6 +483,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
 					ForwardClientCertificate(forwardClientCertificate).
 					MaxRequestsPerConnection(cfg.MaxRequestsPerConnection).
 					HTTP2MaxConcurrentStreams(cfg.HTTP2MaxConcurrentStreams).
+					StreamErrorOnInvalidHTTP(cfg.StreamErrorOnInvalidHTTP).
 					EnableWebsockets(listener.EnableWebsockets).
 					Get()
 
@@ -558,6 +567,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
 					ForwardClientCertificate(forwardClientCertificate).
 					MaxRequestsPerConnection(cfg.MaxRequestsPerConnection).
 					HTTP2MaxConcurrentStreams(cfg.HTTP2MaxConcurrentStreams).
+					StreamErrorOnInvalidHTTP(cfg.StreamErrorOnInvalidHTTP).
 					EnableWebsockets(listener.EnableWebsockets).
 					Get()
 
diff --git a/pkg/config/parameters.go b/pkg/config/parameters.go
@@ -514,6 +514,15 @@ type ListenerParameters struct {
 	//
 	// +optional
 	MaxConnectionsPerListener *uint32 `yaml:"max-connections-per-listener,omitempty"`
+
+	// StreamErrorOnInvalidHTTP
+	// If this option is false (default), Envoy will err on the conservative side handling HTTP errors, terminating both
+	// HTTP/1.1 and HTTP/2 connections when receiving an invalid request. If this option is set to true,
+	// Envoy will be more permissive, only resetting the invalid stream in the case of HTTP/2 and leaving the
+	// connection open where possible (if the entire request is read for HTTP/1.1)
+	//
+	// +optional
+	StreamErrorOnInvalidHTTP bool `yaml:"streamErrorOnInvalidHTTP,omitempty"`
 }
 
 func (p *ListenerParameters) Validate() error {
@@ -1103,7 +1112,8 @@ func Defaults() Parameters {
 			EnvoyAdminPort:            9001,
 		},
 		Listener: ListenerParameters{
-			ConnectionBalancer: "",
+			ConnectionBalancer:       "",
+			StreamErrorOnInvalidHTTP: false,
 		},
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -466,6 +466,7 @@ func (s *Server) doServe() error {`
`466`	`466`	`HTTP2MaxConcurrentStreams: contourConfiguration.Envoy.Listener.HTTP2MaxConcurrentStreams,`
`467`	`467`	`PerConnectionBufferLimitBytes: contourConfiguration.Envoy.Listener.PerConnectionBufferLimitBytes,`
`468`	`468`	`SocketOptions: contourConfiguration.Envoy.Listener.SocketOptions,`
	`469`	`+ StreamErrorOnInvalidHTTP: contourConfiguration.Envoy.Listener.StreamErrorOnInvalidHTTP,`
`469`	`470`	`}`
`470`	`471`
`471`	`472`	`if listenerConfig.TracingConfig, err = s.setupTracingService(contourConfiguration.Tracing); err != nil {`