# Envoy bootstrap for the VULNERABLE configuration (CVE-2024-53271).
#
# Runs on envoyproxy/envoy:v1.32.2 (affected). The layered_runtime static
# layer sets the two flags that put the BALSA HTTP/1.1 parser into the
# state where MessageDone() runs twice for a 1xx-then-final exchange:
#   http1_balsa_delay_reset = true                  (affected default)
#   wait_for_first_byte_before_balsa_msg_done = false  (idempotency guard OFF)
#
# Downstream HTTP/1.1 listener on :10000. Two routes select the upstream:
#   /trigger -> upstream_102   (102 Processing then 200; fires the bug)
#   /plain   -> upstream_plain (200 only; liveness path)
static_resources:
  listeners:
  # Downstream HTTP/1.1 entry point, bound on every interface, port 10000.
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          # Pin the downstream codec to HTTP/1; default HTTP/1 options.
          codec_type: HTTP1
          http_protocol_options: {}
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              # Catch-all host: every Host header lands here.
              domains:
              - "*"
              routes:
              # /trigger -> upstream_102: the path that exercises the bug.
              # The prefix is rewritten to "/" before the request is proxied.
              - match:
                  prefix: "/trigger"
                route:
                  cluster: upstream_102
                  prefix_rewrite: "/"
              # /plain -> upstream_plain: liveness path, same rewrite.
              - match:
                  prefix: "/plain"
                route:
                  cluster: upstream_plain
                  prefix_rewrite: "/"
          http_filters:
          # Router is the terminal filter; no other HTTP filters are installed.
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  # Upstream that answers 102 Processing followed by a final 200
  # (per the header comment); resolved by DNS name "upstream-102".
  - name: upstream_102
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        # Explicit HTTP/1 upstream with default options.
        explicit_http_config:
          http_protocol_options: {}
    load_assignment:
      cluster_name: upstream_102
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: upstream-102
                port_value: 8080
  # Upstream that answers with a plain 200 only; resolved by DNS name
  # "upstream-plain". Same protocol settings as upstream_102.
  - name: upstream_plain
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http_protocol_options: {}
    load_assignment:
      cluster_name: upstream_plain
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: upstream-plain
                port_value: 8080

layered_runtime:
  layers:
  # One static layer pinning the two BALSA-related runtime flags described
  # in the header comment. delay_reset = true is the affected default;
  # wait_for_first_byte_before_balsa_msg_done = false leaves the
  # idempotency guard off. Setting that second flag to true is what
  # re-enables the guard on this Envoy build.
  - name: static_layer
    static_layer:
      envoy.reloadable_features.http1_balsa_delay_reset: true
      envoy.reloadable_features.wait_for_first_byte_before_balsa_msg_done: false

# Admin interface on every interface, port 9901. Presumably bound to
# 0.0.0.0 so the lab harness can reach it from outside the container;
# the admin API exposes operational endpoints, so outside this lab it
# should listen on loopback or a firewalled management address only.
admin:
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901
