Add support to set proxy buffer size

CHANGELOG.md

@@ -27,6 +27,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 - Token Introspection Policy - Support `private_key_jwt` and `client_secret_jwt` authentication mode [PR #1464](https://github.com/3scale/APIcast/pull/1464) [THREESCALE-11015](https://issues.redhat.com/browse/THREESCALE-11015)
 
+- Added `APICAST_PROXY_BUFFER_SIZE` variable to allow configure the size of the buffer used for handling the response received from the proxied server. [PR #1473](https://github.com/3scale/APIcast/pull/1473), [THREESCALE-8410](https://issues.redhat.com/browse/THREESCALE-8410)
+
 ## [3.15.0] 2024-04-04
 
 ### Fixed

doc/parameters.md

@@ -524,6 +524,13 @@ directive](https://nginx.org/en/docs/http/ngx_http_core_module.html#large_client
 
 Sets the maximum size of shared memory used by batcher policy. The accepted [size units](https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#lua_shared_dict) are k and m.
 
+### `APICAST_PROXY_BUFFER_SIZE`
+
+**Default:** 4k|8k;
+**Value:** string
+
+Sets the size of the buffer used for handling the response received from the proxied server. This variable will set both [`proxy_buffer` NGINX directive](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) and [`proxy_buffer_size` NGINX directive](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size). By default, the buffer size is equal to one memory page. This is either 4K or 8K, depending on a platform.
+
 ### `OPENTELEMETRY`
 
 This environment variable enables NGINX instrumentation using OpenTelemetry tracing library.

gateway/apicast.d/buffers.conf

@@ -0,0 +1,5 @@
+{%- assign proxy_buffer_size = env.APICAST_PROXY_BUFFER_SIZE %}
+{% if proxy_buffer_size -%}
+  proxy_buffers 8 {{ proxy_buffer_size }};
+  proxy_buffer_size {{ proxy_buffer_size }};
+{%- endif %}

t/proxy-buffers.t

@@ -0,0 +1,86 @@
+use lib 't';
+use Test::APIcast::Blackbox 'no_plan';
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: reject with 502 when upstream return large header (the header exceed the size
+of proxy_buffer_size)
+--- configuration env
+{
+  "services": [
+    {
+      "id": 42,
+      "backend_version":  1,
+      "backend_authentication_type": "service_token",
+      "backend_authentication_value": "token-value",
+      "proxy": {
+        "api_backend": "http://test:$TEST_NGINX_SERVER_PORT/",
+        "proxy_rules": [
+          { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 2 }
+        ]
+      }
+    }
+  ]
+}
+--- backend
+  location /transactions/authrep.xml {
+    content_by_lua_block {
+      ngx.exit(ngx.OK)
+    }
+  }
+--- upstream
+  location / {
+    content_by_lua_block {
+        ngx.header["X-Large-Header"] = string.rep("a", 2^12)
+    }
+  }
+--- request
+GET /?user_key=value
+--- error_code: 502
+--- error_log eval
+qr/upstream sent too big header while reading response header from upstream/
+
+
+=== TEST 2: large utream header with APICAST_PROXY_BUFFER_SIZE set to 8k
+--- env eval
+(
+  'APICAST_PROXY_BUFFER_SIZE' => '8k',
+)
+--- configuration env
+{
+  "services": [
+    {
+      "id": 42,
+      "backend_version":  1,
+      "backend_authentication_type": "service_token",
+      "backend_authentication_value": "token-value",
+      "proxy": {
+        "api_backend": "http://test:$TEST_NGINX_SERVER_PORT/",
+        "proxy_rules": [
+          { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 2 }
+        ]
+      }
+    }
+  ]
+}
+--- backend
+  location /transactions/authrep.xml {
+    content_by_lua_block {
+      ngx.exit(ngx.OK)
+    }
+  }
+--- upstream
+  location / {
+    content_by_lua_block {
+        ngx.header["X-Large-Header"] = string.rep("a", 2^12)
+    }
+  }
+--- request
+GET /?user_key=value
+--- response_headers eval
+"X-Large-Header: " . ("a" x 4096) . "\r\n\r\n"
+--- error_code: 200
+--- no_error_log
+[error]