@Copilot Copilot AI commented Sep 13, 2025

This PR implements comprehensive HTTP header configuration for Apollo Router, addressing the need for configurable header limits similar to Node.js's --max-http-header-size option.

Changes

New Configuration Options

Added new HTTP header configuration fields to the server.http section:

server:
  http:
    # Maximum size of individual header field (name + value)
    # Similar to Node.js --max-http-header-size
    max_header_size: "32kb"
    
    # Maximum number of headers per request (HTTP/1.1)
    max_headers: 250
    
    # Maximum total size of all headers combined (HTTP/2)
    max_header_list_size: "64kb"
    
    # Header read timeout (all HTTP versions)
    header_read_timeout: "15s"

Protocol-Aware Implementation

The implementation provides proper protocol-specific handling:

  • HTTP/1.1: Uses max_headers for header count limits and integrates with existing buffer-based limits
  • HTTP/2: Uses max_header_size for individual header limits and max_header_list_size for total header payload limits
  • TLS/ALPN: Enhanced HTTP/2 detection and configuration based on negotiated protocol

Backward Compatibility

Maintains full backward compatibility with existing limits configuration:

# Legacy configuration continues to work
limits:
  http1_max_request_headers: 200
  http1_max_request_buf_size: "800kb"

# New configuration takes precedence when specified
server:
  http:
    max_headers: 250  # Overrides limits.http1_max_request_headers
    max_header_size: "32kb"  # New capability

Implementation Details

  • Configuration parsing: Added new fields to ServerHttpConfig with proper serde attributes and JSON schema support
  • HTTP server integration: Updated serve_router_on_listen_addr to apply configuration to both HTTP/1.1 and HTTP/2 connections
  • Precedence logic: Implemented get_effective_http_config helper for backward compatibility
  • Enhanced TLS handling: Improved HTTP/2 configuration when ALPN negotiates HTTP/2

Testing and Documentation

  • Added comprehensive unit tests covering all configuration scenarios
  • Updated request limits documentation with usage examples
  • Included migration examples for existing deployments
  • Added validation for invalid configurations

Benefits

  1. Node.js compatibility: max_header_size works similarly to Node.js --max-http-header-size
  2. Protocol awareness: Different configurations for HTTP/1.1 vs HTTP/2
  3. Granular control: Separate limits for individual header size, header count, and total payload
  4. Zero breaking changes: Full backward compatibility with existing configurations
  5. Centralized configuration: All HTTP server settings in one logical location

This allows users to configure header limits beyond the default 16kb Hyper limit mentioned in the issue, providing both YAML configuration and fine-grained control over HTTP header processing.

Fixes #5277.
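
How the limits in the description above fit together, as an added example (not code from this PR or from Apollo Router): precedence between `server.http` and the legacy `limits` section, then per-protocol enforcement. The type and function names are hypothetical, sizes are plain byte counts rather than strings such as "32kb", and counting 32 octets of overhead per field follows the RFC 9113 definition of SETTINGS_MAX_HEADER_LIST_SIZE; that the router counts it this way is an assumption.

```rust
// Added illustration: all names are hypothetical, not Apollo Router's own types.
#[derive(Default)]
struct LegacyLimits { http1_max_request_headers: Option<usize> }

#[derive(Default)]
struct ServerHttp {
    max_header_size: Option<usize>,      // bytes, one field (name + value)
    max_headers: Option<usize>,          // HTTP/1.1 field count
    max_header_list_size: Option<usize>, // bytes, HTTP/2 total
}
#[derive(Debug, PartialEq)]
enum Reject { TooManyHeaders, HeaderTooLarge(String), HeaderListTooLarge }
enum Proto { Http1, Http2 }

// server.http wins when set; otherwise fall back to the legacy limits value.
fn effective_max_headers(server: &ServerHttp, legacy: &LegacyLimits) -> Option<usize> {
    server.max_headers.or(legacy.http1_max_request_headers)
}

fn check(proto: Proto, headers: &[(&str, &str)], server: &ServerHttp, legacy: &LegacyLimits) -> Result<(), Reject> {
    match proto {
        Proto::Http1 => {
            if effective_max_headers(server, legacy).map_or(false, |max| headers.len() > max) {
                return Err(Reject::TooManyHeaders);
            }
        }
        Proto::Http2 => {
            let mut total = 0usize;
            for (name, value) in headers {
                let size = name.len() + value.len();
                if server.max_header_size.map_or(false, |max| size > max) {
                    return Err(Reject::HeaderTooLarge(name.to_string()));
                }
                total += size + 32; // RFC 9113 section 6.5.2: 32 octets of overhead per field
            }
            if server.max_header_list_size.map_or(false, |max| total > max) {
                return Err(Reject::HeaderListTooLarge);
            }
        }
    }
    Ok(())
}

fn main() {
    let server = ServerHttp { max_headers: Some(2), ..Default::default() };
    let hdrs = [("host", "example.test"), ("accept", "*/*"), ("x-a", "1")]; // constructed sample
    println!("{:?}", check(Proto::Http1, &hdrs, &server, &LegacyLimits::default()));
}
```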



Copilot AI commented Sep 13, 2025

@smyrick 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

@apollo-cla

@Copilot: Thank you for submitting a pull request! Before we can merge it, you'll need to sign the Apollo Contributor License Agreement here: https://contribute.apollographql.com/

@apollo-librarian

apollo-librarian bot commented Sep 13, 2025

✅ Docs preview ready

The preview is ready to be viewed. View the preview

File Changes

0 new, 1 changed, 0 removed
* graphos/routing/(latest)/security/request-limits.mdx

Build ID: da4aa5aa1da3a67c1c6f4f71
Build Logs: View logs

URL: https://www.apollographql.com/docs/deploy-preview/da4aa5aa1da3a67c1c6f4f71

@Copilot Copilot AI changed the title from "[WIP] Configure http header size and limit" to "Add HTTP header size and limit configuration to server.http section" Sep 13, 2025
Copilot finished work on behalf of smyrick September 13, 2025 21:27
@Copilot Copilot AI requested a review from smyrick September 13, 2025 21:27
Contributor

@Copilot, please consider creating a changeset entry in /.changesets/. These instructions describe the process and tooling.


Successfully merging this pull request may close these issues.

Configure http header size and limit