# Envoy config for the NON-VULNERABLE baseline (CVE-2024-53271).
#
# Runs on envoyproxy/envoy:v1.32.3 (fixed). As belt-and-suspenders, the
# layered_runtime below also pins the mitigating flags explicitly, so this
# baseline is both "fixed version" AND "mitigating flags set":
#   http1_balsa_delay_reset = false                  (mitigation)
#   wait_for_first_byte_before_balsa_msg_done = true (idempotency guard ON)
# The same probe that is run against the vulnerable proxy must complete
# cleanly here (~100% success rate).
#
# Same topology as the vulnerable proxy: downstream HTTP/1.1 :10000 with
#   /trigger -> upstream_102   (102 Processing then 200)
#   /plain   -> upstream_plain (200 only; liveness path)
static_resources:
  listeners:
  # Downstream entry point for the probe. Binds every interface on purpose:
  # this is a lab harness, not a hardened edge listener.
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          # Force the downstream codec to HTTP/1. The runtime flags this
          # baseline pins are HTTP/1 (Balsa) codec guards, so the probe has
          # to arrive over HTTP/1.1 for the comparison with the vulnerable
          # proxy to be meaningful.
          codec_type: HTTP1
          # Codec defaults; the key is spelled out so its absence is not
          # mistaken for an override elsewhere.
          http_protocol_options: {}
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains:
              - "*"
              routes:
              # Both matches are *prefix* matches, so "/triggerX" and
              # "/plainX" route the same way as the bare paths; the probe is
              # expected to use the bare paths. The matched prefix is
              # rewritten to "/" before the request is forwarded upstream.
              - match:
                  prefix: "/trigger"
                route:
                  cluster: upstream_102    # replies 102 Processing, then 200
                  prefix_rewrite: "/"
              - match:
                  prefix: "/plain"
                route:
                  cluster: upstream_plain  # replies 200 only; liveness path
                  prefix_rewrite: "/"
          http_filters:
          # Router is the only (and therefore terminal) HTTP filter; there is
          # no auth, rate limiting or header sanitisation in front of it.
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  # Both upstreams are resolved by hostname (STRICT_DNS) on port 8080 and are
  # spoken to over HTTP/1 (explicit_http_config with HTTP/1 options). No
  # connect_timeout is set, so Envoy's built-in default applies.
  - name: upstream_102
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: upstream_102
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: upstream-102
                port_value: 8080
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http_protocol_options: {}
  - name: upstream_plain
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: upstream_plain
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: upstream-plain
                port_value: 8080
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http_protocol_options: {}

layered_runtime:
  layers:
  # A single static layer, fixed at startup. No admin_layer is configured, so
  # nothing in this file allows these values to be changed at runtime.
  - name: static_layer
    static_layer:
      # Both keys are envoy.reloadable_features.* guards, i.e. version-specific
      # toggles that upstream removes some releases after the fix lands. On an
      # image newer than v1.32.3 they may no longer exist, and an unknown key
      # is typically only logged rather than rejected at startup — so the image
      # tag pin, not this layer, is the actual control. Re-check the Envoy log
      # for unknown-runtime-feature warnings whenever the tag is bumped.
      # NOTE(review): the file header labels http1_balsa_delay_reset=false as
      # the mitigation; confirm against the advisory for CVE-2024-53271 which
      # of these two keys it actually names as the workaround.
      envoy.reloadable_features.wait_for_first_byte_before_balsa_msg_done: true
      envoy.reloadable_features.http1_balsa_delay_reset: false

admin:
  # NOTE(review): the admin API is unauthenticated and exposes config dumps,
  # stats and control endpoints. Listening on all interfaces is acceptable
  # only because this is an isolated lab harness; if port 9901 is published
  # outside that network, bind 127.0.0.1 here (and reach it via exec/sidecar)
  # or firewall it.
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901
