将 Envoy 配置为边缘代理
Envoy 是一个生产就绪的边缘代理。然而,其默认配置是为服务网格用例定制的;当需要把 Envoy 作为边缘代理使用时,下列配置值需要相应调整。
TCP 代理应该做如下配置(见下方示例:每连接缓冲区限制 per_connection_buffer_limit_bytes 为 32 KiB,以及 overload_manager 过载管理):
HTTP 代理还应做如下额外的配置:
use_remote_address 的值为 true(避免直接采信外部客户端自带的 x-forwarded-for 等 HTTP 头部,详情可看 HTTP header 清理),
连接和流超时(示例中为 idle_timeout 3600s、stream_idle_timeout 300s、request_timeout 300s;对长连接和流式请求必须禁用这些超时),
HTTP/2 最大并发流限制 的值为 100,
HTTP/2 初始流窗口大小限制 的值为 64 KiB,
HTTP/2 初始连接窗口大小限制 的值为 1 MiB。
headers_with_underscores_action 设置 的值为 REJECT_REQUEST,以防止上游服务把头部名中的 ‘_’ 和 ‘-’ 当作可互换字符,从而被伪造的同名头部绕过。
监听器连接限制(运行时键 envoy.resource_limits.listener.<监听器名称>.connection_limit,按监听器名称匹配,因此监听器必须显式命名)。
全局下游连接限制(运行时键 envoy.overload.global_downstream_max_connections)。
下面内容是上述建议配置的一个 YAML 示例(摘自 Google VRP 边缘服务器配置);其中标有 TODO 的值需按实际系统调整。
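# Edge-proxy example (from the Google VRP edge server config). Values marked
# TODO must be tuned for the deployment. The timeouts below assume ordinary
# request/response traffic and must be disabled for long-lived or streaming
# requests (see the inline comments).
overload_manager:
  refresh_interval: 0.25s
  resource_monitors:
    - name: "envoy.resource_monitors.fixed_heap"
      typed_config:
        # NOTE(review): this is the v2alpha type name while the other typed
        # configs below are v3; Envoy releases that have dropped v2 expect the
        # v3 FixedHeapConfig type — confirm against the version in use.
        "@type": type.googleapis.com/envoy.config.resource_monitor.fixed_heap.v2alpha.FixedHeapConfig
        # TODO: Tune for your system.
        max_heap_size_bytes: 2147483648 # 2 GiB
  actions:
    # Reclaim memory first; only stop accepting requests when the heap is
    # nearly exhausted.
    - name: "envoy.overload_actions.shrink_heap"
      triggers:
        - name: "envoy.resource_monitors.fixed_heap"
          threshold:
            value: 0.95
    - name: "envoy.overload_actions.stop_accepting_requests"
      triggers:
        - name: "envoy.resource_monitors.fixed_heap"
          threshold:
            value: 0.98
admin:
  access_log_path: "/var/log/envoy_admin.log"
  # The admin interface is bound to loopback only; never expose it on the
  # interface the edge listener uses.
  address:
    socket_address:
      address: 127.0.0.1
      port_value: 9090
static_resources:
  listeners:
    # The listener must be named: the runtime connection limit under
    # envoy.resource_limits.listener.<name>.connection_limit (see
    # layered_runtime below) is keyed by this name and would otherwise
    # never apply to this listener.
    - name: example_listener_name
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 443
      listener_filters:
        - name: "envoy.filters.listener.tls_inspector"
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
      per_connection_buffer_limit_bytes: 32768 # 32 KiB
      filter_chains:
        - filter_chain_match:
            server_names: ["example.com", "www.example.com"]
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                tls_certificates:
                  - certificate_chain: { filename: "certs/servercert.pem" }
                    private_key: { filename: "certs/serverkey.pem" }
          # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol.
          # (NOTE(review): use_proxy_proto is a FilterChain field; newer releases
          # prefer the proxy_protocol listener filter — verify for your version.)
          # use_proxy_proto: true
          filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                # Edge setting: use the connection's remote address rather than
                # trusting client-supplied forwarding headers.
                use_remote_address: true
                common_http_protocol_options:
                  idle_timeout: 3600s # 1 hour
                  # Reject requests whose header names contain underscores so an
                  # upstream cannot confuse '_' and '-' variants of one header.
                  headers_with_underscores_action: REJECT_REQUEST
                http2_protocol_options:
                  max_concurrent_streams: 100
                  initial_stream_window_size: 65536 # 64 KiB
                  initial_connection_window_size: 1048576 # 1 MiB
                stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
                request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
                route_config:
                  virtual_hosts:
                    - name: default
                      # domains is a repeated field; written as a list.
                      domains: ["*"]
                      routes:
                        - match: { prefix: "/" }
                          route:
                            cluster: service_foo
                            idle_timeout: 15s # must be disabled for long-lived and streaming requests
  # clusters is a list; each cluster is a sequence entry.
  clusters:
    - name: service_foo
      connect_timeout: 15s
      per_connection_buffer_limit_bytes: 32768 # 32 KiB
      load_assignment:
        cluster_name: some_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 8080
      http2_protocol_options:
        initial_stream_window_size: 65536 # 64 KiB
        initial_connection_window_size: 1048576 # 1 MiB
layered_runtime:
  layers:
    - name: static_layer_0
      static_layer:
        envoy:
          resource_limits:
            listener:
              # Keyed by the listener name declared in static_resources above.
              example_listener_name:
                connection_limit: 10000
          overload:
            global_downstream_max_connections: 50000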