.. _best_practices_edge: Configuring Envoy as an edge proxy ================================== Envoy is a production-ready edge proxy, however, the default settings are tailored for the service mesh use case, and some values need to be adjusted when using Envoy as an edge proxy. TCP proxies should configure: * restrict access to the admin endpoint, * :ref:`overload_manager `, * :ref:`listener buffer limits ` to 32 KiB, * :ref:`cluster buffer limits ` to 32 KiB. HTTP proxies should additionally configure: * :ref:`use_remote_address ` to true (to avoid consuming HTTP headers from external clients, see :ref:`HTTP header sanitizing ` for details), * :ref:`connection and stream timeouts `, * :ref:`HTTP/2 maximum concurrent streams limit ` to 100, * :ref:`HTTP/2 initial stream window size limit ` to 64 KiB, * :ref:`HTTP/2 initial connection window size limit ` to 1 MiB. * :ref:`headers_with_underscores_action setting ` to REJECT_REQUEST, to protect upstream services that treat '_' and '-' as interchangeable. * :ref:`Listener connection limits. ` * :ref:`Global downstream connection limits `. The following is a YAML example of the above recommendation (taken from the :ref:`Google VRP ` edge server configuration): .. literalinclude:: _include/edge.yaml :language: yaml