Layer7 API Management

Hi,

We're trying to actually figure out best practice to size limit responses, whatever content-type being returned.

Our setup: dual-mode gateway (DMZ and LAN), same configuration for both.

Call: GW DMZ -> HTTP Routing -> GW LAN -> HTTP Routing -> Web server -> xml file.

Scenario 1: using only HTTP Route calls.

actual value for io.xmlPartMaxBytes=2621440 (default).

no override on listener ports.

1st try:

• Limit msg size
• Calling DMZ gateway to retrieve a 1MB xml doc. Works, as usual.
• Trying with 3MB uncompressed xml doc: blocked at LAN Gateway. Sounds normal.
• Raised limit in HTTP Routing on LAN Gateway to 40MB.

• Trying again 3MB uncompressed xml doc: Works, although DMZ Gateway still has 2621440 default max size.

2nd try:

• Digging docs.
• Found some hints about io.httpResponseStreamUnlimited, true as default.
• Also set io.httpResponseStreaming to false just to check.
• Call is blocked on DMZ. But we're not streaming *globally* anymore if needed. Shame.

3rd try:

• io.httpResponseStreaming back to default "true".
• Call is somewhat not blocked.
• Streaming stops, but HTTP Route call returns HTTP/200 and does *not* fail.
• From logs:
  

  2019-05-03T18:08:19.705+0200 WARNING 300 com.l7tech.server.SoapMessageProcessingServlet: I/O error while processing message: Unable to read stream: the specified maximum data size limit would be exceeded

Problem is then:

• If streaming, my guess is obviously you can't change HTTP/200. Ok, fair enough, data has been partially sent.
• HTTP Route call should at least fail as this was a partial sending and return appropriate HTTP/207.

Scenario 2: using Limit assertion

Works.

Some thoughts:

• As we're never sure streaming will be activated for a particular response, how can we rely on HTTP Route's limit response size aprt from disabling *global* streaming ?
• As we're indeed "playing" with response in the policy, my guess is we are actively disabling streaming but only on this policy.

• Problem is we have already read the entire response before being able to compute its size, thus consuming Gateway ressources.

Seems nobody has an opinion here, so let's add even more thoughts

As we want to enforce SLAs and ask each project team to:

- give us estimated number of request per seconds

- give us estimated message size

In case message size is really big, let's say 10MB, we first ask project to activate gzip compression.

How can we enforce size limit, that take into account compressed bodies ?

From doc, can we assume:

- "Limit Message Size" is indeed done on uncompressed body

- Only way to inspect compressed body is to use "Response Size Limit" on the "HTTPS Route" assertion provided no assertion is used to inspect/modify response as it is stated in doc that:

Special note when working with compressed responses

Under normal conditions, the Response Size Limit applies to the compressed message size. But if there are assertions that must act on the uncompressed response (for example, Evaluate Regular Expression Assertion, Evaluate Response XPath Assertion, etc.), then the uncompressed response size applies. For example, the response size is set at 50KB and a 40KB compressed response arrives--that message passes normally. However if there are assertions that must act on the uncompressed response and the message expands to 90KB uncompressed, then it exceeds the 50KB size limit and the policy fails.

But then doc also says:

Note: The Response Size Limit setting takes effect only if the Gateway further processes the response message. This setting (as well as the io.xmlPartMaxBytes cluster property) does not apply if a response is streamed back to the client with no processing required by the Gateway. (Response streaming is controlled by the io.HttpResponseStreaming cluster property.) To limit the size of the message sent back to the client, use the Limit Message Size Assertion.

So questions are:

- What are really those "normal conditions" ?

- How to be 100% sure "Response Size Limit" is actually "enabled" and will be take into account a compressed body size ?

   - Is this setting dependent on "content-length" http header presence ?

   - on a dual Gateway scenario, how to stop streaming only between LAN and DMZ ?