Envoy: Large size of http2_protocol_options initial_stream_window_size causes send/read timeout on ALB/nginx upstream on large responses and slow clients

initial_stream_window_size is documented here https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/core/protocol.proto#envoy-api-field-core-http2protocoloptions-initial-connection-window-size and the relevant default size is here https://github.com/envoyproxy/envoy/blob/master/api/envoy/api/v2/core/protocol.proto

  // `Initial stream-level flow-control window
  // <https://httpwg.org/specs/rfc7540.html#rfc.section.6.9.2>`_ size. Valid values range from 65535
  // (2^16 - 1, HTTP/2 default) to 2147483647 (2^31 - 1, HTTP/2 maximum) and defaults to 268435456
  // (256 * 1024 * 1024).

We resolved this issue in two ways which can be used independently or together:

1. We raised the ALB timeout (or nginx if you are speaking to some other proxy type) from the default 60 to 300s+, during which time clients are more likely to read out enough data to cause Envoy's buffer to drop below a watermark needed to trigger further read events and thus reset the cluster/upstreams read timeout.

2. We lowered the initial_stream_window_size to something more sane like

            http2_protocol_options:
              initial_stream_window_size: 16777216

The added benefit here is we experience more consistent and lower memory usage, while we have not observed any performance degradation even on high speed clients.

See https://github.com/envoyproxy/envoy/pull/8001 where we are working on documenting more appropriate edge configurations.

@bmgoau should we close this out in favor of #8001?

@htuch cc @mattklein123 If this was closed in favor of #8001 I think we'd be cool, but before you do, please consider the following and let me know your thoughts:

1. It is likely that envoy will be used more and more in conjunction with nginx and ALBs (i mean, we all know it is already 😄 ) and other servers and proxies with default send_timeouts of 60s. And continue to gain popularity in a huge variety of use cases.
2. Large responses >250 MB are becoming more common in all environments.
3. 1-2 MB/s (8-16 Mbit/s) is not an uncommon speed among Broadband clients and especially mobile clients (even in North America, let alone globally). And those speeds are also very common in industrial settings and older management bands to remote equipment. They're slow, ill admit, but not _THAT_ slow.
4. Just as in #6727 constraining initial_stream_window_size has also decreased the number of sudden spikes in memory usage among our envoy instances: internal and edge proxies.

Taken altogether, we feel there is a case to be made for lowering the default size of initial_stream_window_size from 256 MB down to our current 16MB (or possibly even 1 MB) out of the box.

Since this issue was so easy to recreate with a default nginx or ALB config and basic envoy configuration, and a slow - but not _stupidly_ slow - client download we feel like this is a bit of a bug of _unfriendly defaults_, rather than just a document bug.

We understand that you, and the community, cannot make envoy suit 100% of use cases out of the box, and we wouldn't expect that at all. But we feel like the use case of envoy + >256 MB download + ALB/nginx (or really any server with a 60s send_timeout) + 1-2 MB/s client bandwidth is sufficiently common (or will become common) and not so esoteric, that it makes sense to adjust the default initial_stream_window_size down to say 1MB or 16 MB by default. To save people from themselves if you will... 😛

I'm not 100% sure where the low water mark is, but if it's around 50% then I think the math works out that with initial_stream_window_size=16MB and default nginx/haproxy/nginx config a client would need to be slower than 133 KB/s or 1 Mbit/s to trigger the issue we observed, which is several deviations below the median speed we see among our internet clients. (For reference our p50 measured speed of internet clients is 14 Mbit/s, dipping to ~5 Mbits in some parts of Africa, Asia and Oceania even with local well connected datacenters).

We're coming from a position of thousands of envoy instances, in many different scenarios (public edge, s2s, front-proxy, service-proxy, etc etc), 200M requests per day, 4 TB transferred per day.

Anyways, please consider the above in the spirit of upmost respect for your work, the project and shared positive intent.

Expect to see more code and doc contributions from us going forward - and not just issues haha.

Edit: I believe most haproxy client and server send timeouts are 60s by default too.

Sorry, one last comment:
In all the situations where we saw HPE_INVALID_EOF_STATE we also saw %RESPONSE_FLAGS% "-".

In situations where the response is 200 OK, but the server/proxy sends a partial response due to its send_timeout expiring, and thus envoy detects a protocol error (see debugs in my initial comment) and sends a RST_STREAM, it might be useful to have a flag show this:

200 OK
RESPONSE_FLAGS =

PR - partial response?
HI - HTTP response payload invalid?
H2R - we sent a http2 rst_stream?
SL - server response invalid length

I'm throwing out ideas here as you can tell.

Basically something to make these kinds of failures visible above the level of debug/trace.

(There are already metrics for flow control and http rst, we're talking about logs)

Also, I want to note it was our fault for relying on the defaults here instead of carefully adjusting them to our use case. We recognize that fully, but still humbly submit the above suggestions.

@bmgoau thanks for the detailed comments. We are definitely considering changing the defaults in future releases, and potentially having "profiles" but this is a really tricky topic as its impossible to make everyone happy.

re: the additional response flags if you could open a specific feature request issue on that it would be great. Thank you!

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.