From 7ef57d117cf4904f92202b51705bfb818e0b1b4a Mon Sep 17 00:00:00 2001 From: Anirudha Singh Date: Mon, 12 Apr 2021 09:30:45 +0000 Subject: [PATCH 1/5] [http]: raise max_request_headers_kb limit to 8192 KiB (8MiB) from 96 KiB in http connection manager proto. Add/Update relevant unit tests and integration tests. Signed-off-by: Anirudha Singh --- .../v2/http_connection_manager.proto | 4 +- .../v3/http_connection_manager.proto | 4 +- .../v4alpha/http_connection_manager.proto | 4 +- .../v2/http_connection_manager.proto | 4 +- .../v3/http_connection_manager.proto | 4 +- .../v4alpha/http_connection_manager.proto | 4 +- test/common/http/http1/codec_impl_test.cc | 59 +++++++++++++++++-- test/common/http/http2/codec_impl_test.cc | 9 ++- .../http_connection_manager/config_test.cc | 4 +- test/integration/protocol_integration_test.cc | 14 ++++- 10 files changed, 79 insertions(+), 31 deletions(-) diff --git a/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto b/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto index c05032df21a4d..3e7a4dc17769c 100644 --- a/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto +++ b/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto @@ -299,10 +299,8 @@ message HttpConnectionManager { // The maximum request headers size for incoming connections. // If unconfigured, the default max request headers allowed is 60 KiB. // Requests that exceed this limit will receive a 431 response. - // The max configurable limit is 96 KiB, based on current implementation - // constraints. google.protobuf.UInt32Value max_request_headers_kb = 29 - [(validate.rules).uint32 = {lte: 96 gt: 0}]; + [(validate.rules).uint32 = {lte: 8192 gt: 0}]; // The idle timeout for connections managed by the connection manager. The // idle timeout is defined as the period in which there are no active diff --git a/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto b/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto index 51c4e229f1375..6d8f1b7d1a0bd 100644 --- a/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto +++ b/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto @@ -343,10 +343,8 @@ message HttpConnectionManager { // The maximum request headers size for incoming connections. // If unconfigured, the default max request headers allowed is 60 KiB. // Requests that exceed this limit will receive a 431 response. - // The max configurable limit is 96 KiB, based on current implementation - // constraints. google.protobuf.UInt32Value max_request_headers_kb = 29 - [(validate.rules).uint32 = {lte: 96 gt: 0}]; + [(validate.rules).uint32 = {lte: 8192 gt: 0}]; // The stream idle timeout for connections managed by the connection manager. // If not specified, this defaults to 5 minutes. The default value was selected diff --git a/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto b/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto index d442451cdae62..a2afdeb9a074f 100644 --- a/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto +++ b/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto @@ -346,10 +346,8 @@ message HttpConnectionManager { // The maximum request headers size for incoming connections. // If unconfigured, the default max request headers allowed is 60 KiB. // Requests that exceed this limit will receive a 431 response. - // The max configurable limit is 96 KiB, based on current implementation - // constraints. google.protobuf.UInt32Value max_request_headers_kb = 29 - [(validate.rules).uint32 = {lte: 96 gt: 0}]; + [(validate.rules).uint32 = {lte: 8192 gt: 0}]; // The stream idle timeout for connections managed by the connection manager. // If not specified, this defaults to 5 minutes. The default value was selected diff --git a/generated_api_shadow/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto b/generated_api_shadow/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto index c05032df21a4d..3e7a4dc17769c 100644 --- a/generated_api_shadow/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto +++ b/generated_api_shadow/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto @@ -299,10 +299,8 @@ message HttpConnectionManager { // The maximum request headers size for incoming connections. // If unconfigured, the default max request headers allowed is 60 KiB. // Requests that exceed this limit will receive a 431 response. - // The max configurable limit is 96 KiB, based on current implementation - // constraints. google.protobuf.UInt32Value max_request_headers_kb = 29 - [(validate.rules).uint32 = {lte: 96 gt: 0}]; + [(validate.rules).uint32 = {lte: 8192 gt: 0}]; // The idle timeout for connections managed by the connection manager. The // idle timeout is defined as the period in which there are no active diff --git a/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto b/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto index 66a75d3aefcbe..36340a1546f22 100644 --- a/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto +++ b/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto @@ -349,10 +349,8 @@ message HttpConnectionManager { // The maximum request headers size for incoming connections. // If unconfigured, the default max request headers allowed is 60 KiB. // Requests that exceed this limit will receive a 431 response. - // The max configurable limit is 96 KiB, based on current implementation - // constraints. google.protobuf.UInt32Value max_request_headers_kb = 29 - [(validate.rules).uint32 = {lte: 96 gt: 0}]; + [(validate.rules).uint32 = {lte: 8192 gt: 0}]; // The stream idle timeout for connections managed by the connection manager. // If not specified, this defaults to 5 minutes. The default value was selected diff --git a/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto b/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto index d442451cdae62..a2afdeb9a074f 100644 --- a/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto +++ b/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto @@ -346,10 +346,8 @@ message HttpConnectionManager { // The maximum request headers size for incoming connections. // If unconfigured, the default max request headers allowed is 60 KiB. // Requests that exceed this limit will receive a 431 response. - // The max configurable limit is 96 KiB, based on current implementation - // constraints. google.protobuf.UInt32Value max_request_headers_kb = 29 - [(validate.rules).uint32 = {lte: 96 gt: 0}]; + [(validate.rules).uint32 = {lte: 8192 gt: 0}]; // The stream idle timeout for connections managed by the connection manager. // If not specified, this defaults to 5 minutes. The default value was selected diff --git a/test/common/http/http1/codec_impl_test.cc b/test/common/http/http1/codec_impl_test.cc index e8dd865582394..e3df9404dd798 100644 --- a/test/common/http/http1/codec_impl_test.cc +++ b/test/common/http/http1/codec_impl_test.cc @@ -48,6 +48,15 @@ std::string createHeaderFragment(int num_headers) { return headers; } +std::string createLargeHeaderFragment(int num_headers) { + // Create a header field with num_headers headers with each header of size ~64 KiB. + std::string headers; + for (int i = 0; i < num_headers; i++) { + headers += "header" + std::to_string(i) + ": " + std::string(64 * 1024, 'q') + "\r\n"; + } + return headers; +} + Buffer::OwnedImpl createBufferWithNByteSlices(absl::string_view input, size_t max_slice_size) { Buffer::OwnedImpl buffer; for (size_t offset = 0; offset < input.size(); offset += max_slice_size) { @@ -2858,6 +2867,12 @@ TEST_F(Http1ServerConnectionImplTest, LargeRequestHeadersRejected) { testRequestHeadersExceedLimit(long_string, "headers size exceeds limit", ""); } +TEST_F(Http1ServerConnectionImplTest, LargeRequestHeadersRejectedBeyondMaxConfigurable) { + max_request_headers_kb_ = 8192; + std::string long_string = "big: " + std::string(8193 * 1024, 'q') + "\r\n"; + testRequestHeadersExceedLimit(long_string, "headers size exceeds limit", ""); +} + // Tests that the default limit for the number of request headers is 100. TEST_F(Http1ServerConnectionImplTest, ManyRequestHeadersRejected) { // Send a request with 101 headers. @@ -2894,6 +2909,36 @@ TEST_F(Http1ServerConnectionImplTest, LargeRequestHeadersSplitRejected) { EXPECT_EQ("http1.headers_too_large", response_encoder->getStream().responseDetails()); } +TEST_F(Http1ServerConnectionImplTest, LargeRequestHeadersSplitRejectedMaxConfigurable) { + max_request_headers_kb_ = 8192; + max_request_headers_count_ = 150; + initialize(); + + std::string exception_reason; + NiceMock decoder; + Http::ResponseEncoder* response_encoder = nullptr; + EXPECT_CALL(callbacks_, newStream(_, _)) + .WillOnce(Invoke([&](ResponseEncoder& encoder, bool) -> RequestDecoder& { + response_encoder = &encoder; + return decoder; + })); + Buffer::OwnedImpl buffer("GET / HTTP/1.1\r\n"); + auto status = codec_->dispatch(buffer); + + std::string long_string = std::string(64 * 1024, 'q'); + for (int i = 0; i < 127; i++) { + buffer = Buffer::OwnedImpl(fmt::format("big: {}\r\n", long_string)); + status = codec_->dispatch(buffer); + } + // the 128th 64kb header should induce overflow + buffer = Buffer::OwnedImpl(fmt::format("big: {}\r\n", long_string)); + EXPECT_CALL(decoder, sendLocalReply(_, _, _, _, _, _)); + status = codec_->dispatch(buffer); + EXPECT_TRUE(isCodecProtocolError(status)); + EXPECT_EQ(status.message(), "headers size exceeds limit"); + EXPECT_EQ("http1.headers_too_large", response_encoder->getStream().responseDetails()); +} + // Tests that the 101th request header causes overflow with the default max number of request // headers. TEST_F(Http1ServerConnectionImplTest, ManyRequestHeadersSplitRejected) { @@ -2924,14 +2969,14 @@ TEST_F(Http1ServerConnectionImplTest, ManyRequestHeadersSplitRejected) { } TEST_F(Http1ServerConnectionImplTest, LargeRequestHeadersAccepted) { - max_request_headers_kb_ = 65; - std::string long_string = "big: " + std::string(64 * 1024, 'q') + "\r\n"; + max_request_headers_kb_ = 4096; + std::string long_string = "big: " + std::string(1024 * 1024, 'q') + "\r\n"; testRequestHeadersAccepted(long_string); } TEST_F(Http1ServerConnectionImplTest, LargeRequestHeadersAcceptedMaxConfigurable) { - max_request_headers_kb_ = 96; - std::string long_string = "big: " + std::string(95 * 1024, 'q') + "\r\n"; + max_request_headers_kb_ = 8192; + std::string long_string = "big: " + std::string(8191 * 1024, 'q') + "\r\n"; testRequestHeadersAccepted(long_string); } @@ -2942,6 +2987,12 @@ TEST_F(Http1ServerConnectionImplTest, ManyRequestHeadersAccepted) { testRequestHeadersAccepted(createHeaderFragment(150)); } +TEST_F(Http1ServerConnectionImplTest, ManyLargeRequestHeadersAccepted) { + max_request_headers_kb_ = 8192; + // Create a request with 64 headers, each header of size ~64 KiB. Total size ~4MB. + testRequestHeadersAccepted(createLargeHeaderFragment(64)); +} + // Tests that incomplete response headers of 80 kB header value fails. TEST_F(Http1ClientConnectionImplTest, ResponseHeadersWithLargeValueRejected) { initialize(); diff --git a/test/common/http/http2/codec_impl_test.cc b/test/common/http/http2/codec_impl_test.cc index b6bdf85aa97e8..f6327caaa71bf 100644 --- a/test/common/http/http2/codec_impl_test.cc +++ b/test/common/http/http2/codec_impl_test.cc @@ -2176,15 +2176,14 @@ TEST_P(Http2CodecImplTest, ManyLargeRequestHeadersUnderPerHeaderLimit) { } TEST_P(Http2CodecImplTest, LargeRequestHeadersAtMaxConfigurable) { - // Raising the limit past this triggers some unexpected nghttp2 error. - // Further debugging required to increase past ~96 KiB. - max_request_headers_kb_ = 96; + max_request_headers_kb_ = 8192; + max_request_headers_count_ = 150; initialize(); TestRequestHeaderMapImpl request_headers; HttpTestUtility::addDefaultHeaders(request_headers); - std::string long_string = std::string(1024, 'q'); - for (int i = 0; i < 95; i++) { + std::string long_string = std::string(63 * 1024, 'q'); + for (int i = 0; i < 129; i++) { request_headers.addCopy(std::to_string(i), long_string); } diff --git a/test/extensions/filters/network/http_connection_manager/config_test.cc b/test/extensions/filters/network/http_connection_manager/config_test.cc index 40ec2c38e4f98..b3ee4ccc3f402 100644 --- a/test/extensions/filters/network/http_connection_manager/config_test.cc +++ b/test/extensions/filters/network/http_connection_manager/config_test.cc @@ -687,7 +687,7 @@ TEST_F(HttpConnectionManagerConfigTest, MaxRequestHeadersKbConfigured) { TEST_F(HttpConnectionManagerConfigTest, MaxRequestHeadersKbMaxConfigurable) { const std::string yaml_string = R"EOF( stat_prefix: ingress_http - max_request_headers_kb: 96 + max_request_headers_kb: 8192 route_config: name: local_route http_filters: @@ -698,7 +698,7 @@ TEST_F(HttpConnectionManagerConfigTest, MaxRequestHeadersKbMaxConfigurable) { date_provider_, route_config_provider_manager_, scoped_routes_config_provider_manager_, http_tracer_manager_, filter_config_provider_manager_); - EXPECT_EQ(96, config.maxRequestHeadersKb()); + EXPECT_EQ(8192, config.maxRequestHeadersKb()); } // Validated that an explicit zero stream idle timeout disables. diff --git a/test/integration/protocol_integration_test.cc b/test/integration/protocol_integration_test.cc index 36e048b10bc37..78281d105b7a7 100644 --- a/test/integration/protocol_integration_test.cc +++ b/test/integration/protocol_integration_test.cc @@ -1578,11 +1578,21 @@ TEST_P(DownstreamProtocolIntegrationTest, LargeRequestHeadersRejected) { testLargeRequestHeaders(95, 1, 60, 100); } +TEST_P(DownstreamProtocolIntegrationTest, VeryLargeRequestHeadersRejected) { + // Send one very large 2048 kB (2 MB) header with limit 1024 kB (1 MB) and 100 headers. + testLargeRequestHeaders(2048, 1, 1024, 100); +} + TEST_P(DownstreamProtocolIntegrationTest, LargeRequestHeadersAccepted) { EXCLUDE_DOWNSTREAM_HTTP3 EXCLUDE_UPSTREAM_HTTP3; // requires configurable header limits. - // Send one 95 kB header with limit 96 kB and 100 headers. - testLargeRequestHeaders(95, 1, 96, 100); + // Send one 100 kB header with limit 8192 kB (8 MB) and 100 headers. + testLargeRequestHeaders(100, 1, 8192, 100); +} + +TEST_P(DownstreamProtocolIntegrationTest, ManyLargeRequestHeadersAccepted) { + // Send 70 headers each of size 100 kB with limit 8192 kB (8 MB) and 100 headers. + testLargeRequestHeaders(100, 70, 8192, 100); } TEST_P(DownstreamProtocolIntegrationTest, ManyRequestHeadersRejected) { From fbd86b9d2426aa1aafda3fc9e514829f1cfbc4bf Mon Sep 17 00:00:00 2001 From: Anirudha Singh Date: Tue, 13 Apr 2021 17:08:53 +0000 Subject: [PATCH 2/5] http: Avoid http3 protocol integration test for many large request-headers case. Signed-off-by: Anirudha Singh --- test/integration/protocol_integration_test.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/integration/protocol_integration_test.cc b/test/integration/protocol_integration_test.cc index 78281d105b7a7..797bafaa8d121 100644 --- a/test/integration/protocol_integration_test.cc +++ b/test/integration/protocol_integration_test.cc @@ -1591,6 +1591,8 @@ TEST_P(DownstreamProtocolIntegrationTest, LargeRequestHeadersAccepted) { } TEST_P(DownstreamProtocolIntegrationTest, ManyLargeRequestHeadersAccepted) { + EXCLUDE_DOWNSTREAM_HTTP3 + EXCLUDE_UPSTREAM_HTTP3; // Send 70 headers each of size 100 kB with limit 8192 kB (8 MB) and 100 headers. testLargeRequestHeaders(100, 70, 8192, 100); } From 497b1282ef0894339406c7d3306d1c2969907dae Mon Sep 17 00:00:00 2001 From: Anirudha Singh Date: Wed, 14 Apr 2021 13:35:43 +0000 Subject: [PATCH 3/5] http: Avoid http3 protocol integration test for very-large request-headers rejected test case. Add release notes for these changes. Signed-off-by: Anirudha Singh --- docs/root/version_history/current.rst | 1 + test/integration/protocol_integration_test.cc | 2 ++ 2 files changed, 3 insertions(+) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 982f985d6d122..43890011a1edf 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -103,6 +103,7 @@ Bug Fixes * upstream: fix handling of moving endpoints between priorities when active health checks are enabled. Previously moving to a higher numbered priority was a NOOP, and moving to a lower numbered priority caused an abort. * upstream: retry budgets will now set default values for xDS configurations. * zipkin: fix 'verbose' mode to emit annotations for stream events. This was the documented behavior, but wasn't behaving as documented. +* http: Raise max configurable max_request_headers_kb limit to 8192 KiB (8MiB) from 96 KiB in http connection manager. Removed Config or Runtime ------------------------- diff --git a/test/integration/protocol_integration_test.cc b/test/integration/protocol_integration_test.cc index 797bafaa8d121..4c11c2c4e29e2 100644 --- a/test/integration/protocol_integration_test.cc +++ b/test/integration/protocol_integration_test.cc @@ -1579,6 +1579,8 @@ TEST_P(DownstreamProtocolIntegrationTest, LargeRequestHeadersRejected) { } TEST_P(DownstreamProtocolIntegrationTest, VeryLargeRequestHeadersRejected) { + EXCLUDE_DOWNSTREAM_HTTP3 + EXCLUDE_UPSTREAM_HTTP3; // Send one very large 2048 kB (2 MB) header with limit 1024 kB (1 MB) and 100 headers. testLargeRequestHeaders(2048, 1, 1024, 100); } From 75f5499da017eb441d6dd2f7b350339c0b880dfb Mon Sep 17 00:00:00 2001 From: Anirudha Singh Date: Wed, 14 Apr 2021 15:07:50 +0000 Subject: [PATCH 4/5] http: corrected format error in release notes file Signed-off-by: Anirudha Singh --- docs/root/version_history/current.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 43890011a1edf..c3d3fd268d628 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -92,6 +92,7 @@ Bug Fixes * http: disallowing "host:" in request_headers_to_add for behavioral consistency with rejecting :authority header. This behavior can be temporarily reverted by setting `envoy.reloadable_features.treat_host_like_authority` to false. * http: fixed an issue where Enovy did not handle peer stream limits correctly, and queued streams in nghttp2 rather than establish new connections. This behavior can be temporarily reverted by setting `envoy.reloadable_features.improved_stream_limit_handling` to false. * http: fixed a bug where setting :ref:`MaxStreamDuration proto ` did not disable legacy timeout defaults. +* http: raise max configurable max_request_headers_kb limit to 8192 KiB (8MiB) from 96 KiB in http connection manager. * http: reverting a behavioral change where upstream connect timeouts were temporarily treated differently from other connection failures. The change back to the original behavior can be temporarily reverted by setting `envoy.reloadable_features.treat_upstream_connect_timeout_as_connect_failure` to false. * jwt_authn: reject requests with a proper error if JWT has the wrong issuer when allow_missing is used. Before this change, the requests are accepted. * listener: prevent crashing when an unknown listener config proto is received and debug logging is enabled. @@ -103,7 +104,6 @@ Bug Fixes * upstream: fix handling of moving endpoints between priorities when active health checks are enabled. Previously moving to a higher numbered priority was a NOOP, and moving to a lower numbered priority caused an abort. * upstream: retry budgets will now set default values for xDS configurations. * zipkin: fix 'verbose' mode to emit annotations for stream events. This was the documented behavior, but wasn't behaving as documented. -* http: Raise max configurable max_request_headers_kb limit to 8192 KiB (8MiB) from 96 KiB in http connection manager. Removed Config or Runtime ------------------------- From d99a86b6c6428626a355ba89f0ebef08adbc1395 Mon Sep 17 00:00:00 2001 From: Anirudha Singh Date: Sat, 24 Apr 2021 09:29:00 +0000 Subject: [PATCH 5/5] http: Updating current version history to avoid merge conflict with latest upstream main Signed-off-by: Anirudha Singh --- docs/root/version_history/current.rst | 26 -------------------------- 1 file changed, 26 deletions(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index cea9847f98799..eab32d4524dab 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -19,33 +19,7 @@ Bug Fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* -* active http health checks: properly handles HTTP/2 GOAWAY frames from the upstream. Previously a GOAWAY frame due to a graceful listener drain could cause improper failed health checks due to streams being refused by the upstream on a connection that is going away. To revert to old GOAWAY handling behavior, set the runtime feature `envoy.reloadable_features.health_check.graceful_goaway_handling` to false. -* adaptive concurrency: fixed a bug where concurrent requests on different worker threads could update minRTT back-to-back. -* buffer: tighten network connection read and write buffer high watermarks in preparation to more careful enforcement of read limits. Buffer high-watermark is now set to the exact configured value; previously it was set to value + 1. -* cdn_loop: check that the entirety of the :ref:`cdn_id ` field is a valid CDN identifier. -* cds: fix blocking the update for a warming cluster when the update is the same as the active version. -* ext_authz: emit :ref:`CheckResponse.dynamic_metadata ` when the external authorization response has "Denied" check status. -* fault injection: stop counting as active fault after delay elapsed. Previously fault injection filter continues to count the injected delay as an active fault even after it has elapsed. This produces incorrect output statistics and impacts the max number of consecutive faults allowed (e.g., for long-lived streams). This change decreases the active fault count when the delay fault is the only active and has gone finished. -* filter_chain: fix filter chain matching with the server name as the case-insensitive way. -* grpc-web: fix local reply and non-proto-encoded gRPC response handling for small response bodies. This fix can be temporarily reverted by setting `envoy.reloadable_features.grpc_web_fix_non_proto_encoded_response_handling` to false. -* grpc_http_bridge: the downstream HTTP status is now correctly set for trailers-only responses from the upstream. -* header map: pick the right delimiter to append multiple header values to the same key. Previouly header with multiple values are coalesced with ",", after this fix cookie headers should be coalesced with " ;". This doesn't affect Http1 or Http2 requests because these 2 codecs coalesce cookie headers before adding it to header map. To revert to the old behavior, set the runtime feature `envoy.reloadable_features.header_map_correctly_coalesce_cookies` to false. -* http: avoid grpc-status overwrite on Http::Utility::sendLocalReply() if that field has already been set. -* http: disallowing "host:" in request_headers_to_add for behavioral consistency with rejecting :authority header. This behavior can be temporarily reverted by setting `envoy.reloadable_features.treat_host_like_authority` to false. -* http: fixed an issue where Enovy did not handle peer stream limits correctly, and queued streams in nghttp2 rather than establish new connections. This behavior can be temporarily reverted by setting `envoy.reloadable_features.improved_stream_limit_handling` to false. -* http: fixed a bug where setting :ref:`MaxStreamDuration proto ` did not disable legacy timeout defaults. * http: raise max configurable max_request_headers_kb limit to 8192 KiB (8MiB) from 96 KiB in http connection manager. -* http: reverting a behavioral change where upstream connect timeouts were temporarily treated differently from other connection failures. The change back to the original behavior can be temporarily reverted by setting `envoy.reloadable_features.treat_upstream_connect_timeout_as_connect_failure` to false. -* jwt_authn: reject requests with a proper error if JWT has the wrong issuer when allow_missing is used. Before this change, the requests are accepted. -* listener: prevent crashing when an unknown listener config proto is received and debug logging is enabled. -* mysql_filter: improve the codec ability of mysql filter at connection phase, it can now decode MySQL5.7+ connection phase protocol packet. -* overload: fix a bug that can cause use-after-free when one scaled timer disables another one with the same duration. -* sni: as the server name in sni should be case-insensitive, envoy will convert the server name as lower case first before any other process inside envoy. -* tls: fix the subject alternative name of the presented certificate matches the specified matchers as the case-insensitive way when it uses DNS name. -* tls: fix issue where OCSP was inadvertently removed from SSL response in multi-context scenarios. -* upstream: fix handling of moving endpoints between priorities when active health checks are enabled. Previously moving to a higher numbered priority was a NOOP, and moving to a lower numbered priority caused an abort. -* upstream: retry budgets will now set default values for xDS configurations. -* zipkin: fix 'verbose' mode to emit annotations for stream events. This was the documented behavior, but wasn't behaving as documented. * validation: fix an issue that causes TAP sockets to panic during config validation mode. * xray: fix the default sampling 'rate' for AWS X-Ray tracer extension to be 5% as opposed to 50%. * zipkin: fix timestamp serializaiton in annotations. A prior bug fix exposed an issue with timestamps being serialized as strings.