Cloud-native gateways handle connections, compression, protocols, and security through a set of engine-level parameters. When default settings do not match your workload -- for example, HTTP/2 traffic needs larger flow-control windows, or a CDN sits in front of the gateway and obscures client IPs -- you can tune these parameters to improve throughput, reduce latency, and harden security.
Changing gateway parameters can disrupt active connections and affect running applications. Review the valid ranges and descriptions in this topic before you make changes.
Prerequisites
Before you begin, ensure that you have:
- A cloud-native gateway. For more information, see Create a cloud-native gateway.
Modify a parameter
Only parameters listed on the Parameter Settings page in the Microservices Engine (MSE) console can be modified. Set values within the ranges shown in the Ranges column.
1. Log on to the MSE console. In the top navigation bar, select a region.
2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways.
3. On the Gateways page, click the ID of the gateway.
4. In the left-side navigation pane, click Parameter Settings.
5. In the Gateway Engine Parameters section, find the target parameter and click Edit in the Actions column.
6. In the Modify Parameters dialog box, set the value and click OK.
Gateway engine parameters
Parameters are organized into the following groups:
- HTTP protocol settings -- HTTP/2, HTTP/3, and request ID generation
- Compression settings -- Response compression algorithms
- Connection management -- Idle timeouts and buffer sizes
- Path normalization -- Slash merging and escaped character handling
- Header and proxy settings -- Header case, trusted proxies, and CIDR blocks
- Security and authentication -- TLS hardware acceleration, Proxy protocol, and auth config push
HTTP protocol settings
| Parameter | Type | Range | Default | Description |
|---|---|---|---|---|
| EnableHttp2 | bool | true, false | false | Enables HTTP/2 between client and gateway. Set to true if your clients support HTTP/2 and you want multiplexing and header compression. |
| EnableHttp3 | bool | true, false | false | Enables HTTP/3 (QUIC) for downstream connections. HTTP/3 reduces connection setup latency and improves performance on lossy networks. |
| EnableGenerateRequestId | bool | true, false | true | Generates an X-Request-Id header for each request. Keep enabled for request tracing and debugging. Disable only if your application generates its own request IDs. |
| DownstreamHttp2MaxConcurrentStream | integer | 0 - 2147483647 | 100 | Maximum concurrent streams per HTTP/2 connection. Higher values allow more parallel requests per connection but consume more memory. |
| InitialStreamWindowSize | integer | 0 - 2147483647 | 65535 | Initial HTTP/2 flow-control window size per stream, in bytes. The default (64 KB) follows the HTTP/2 specification. Increase for high-throughput streams to reduce flow-control overhead, but larger windows increase memory consumption per stream. |
| InitialConnectionWindowSize | integer | 0 - 2147483647 | 1048576 | Initial HTTP/2 flow-control window size per connection, in bytes. The default (1 MB) allows moderate throughput. Increase for connections that carry many parallel streams. |
Compression settings
| Parameter | Type | Range | Default | Description |
|---|---|---|---|---|
| EnableGzip | bool | true, false | false | Compresses responses before sending them to clients. Reduces bandwidth usage but increases gateway CPU load. Enable for text-heavy responses (JSON, HTML); leave disabled if the gateway is CPU-constrained. |
| ZipAlgorithm | List<string> | brotli, gzip | gzip | Compression algorithm. Brotli typically achieves better compression ratios than gzip at the cost of higher CPU usage. When both are selected and the Accept-Encoding header assigns equal priority (q values) to each, the algorithm listed first takes effect. Requires EnableGzip to be true. |
Example: Enable brotli with gzip fallback
Set EnableGzip to true and ZipAlgorithm to brotli, gzip. Clients that support brotli receive brotli-compressed responses; others receive gzip.
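The selection rule the ZipAlgorithm row describes (only when EnableGzip is true, highest Accept-Encoding q value wins, ties go to the algorithm listed first) as a small model in Python. This is an added example, not gateway code; the brotli-to-`br` token mapping follows the HTTP registry, and treating `*` as a wildcard for unlisted codings is an assumption of the model.

```python
# Map the ZipAlgorithm values of the parameter to Accept-Encoding tokens.
CODING_TOKEN = {"brotli": "br", "gzip": "gzip"}


def parse_accept_encoding(header):
    """Parse an Accept-Encoding header into {coding: q}; a missing q means 1.0."""
    prefs = {}
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        coding, q = parts[0].lower(), 1.0
        for p in parts[1:]:
            if p.lower().startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0  # unparsable q: treat as not acceptable
        prefs[coding] = q
    return prefs


def choose_encoding(accept_encoding, enable_gzip, zip_algorithm):
    """Return the response encoding to apply, or None for an uncompressed response.

    zip_algorithm is the configured list in its configured order, e.g.
    ["brotli", "gzip"]; the first entry wins when q values tie.
    """
    if not enable_gzip:
        return None  # ZipAlgorithm has no effect unless EnableGzip is true
    prefs = parse_accept_encoding(accept_encoding or "")
    best, best_q = None, 0.0
    for algo in zip_algorithm:
        token = CODING_TOKEN.get(algo, algo)
        # Assumption: a '*' entry covers codings the client did not list explicitly.
        q = prefs.get(token, prefs.get("*", 0.0))
        if q > best_q:  # strict '>' keeps the earlier entry on a tie
            best, best_q = algo, q
    return best
```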
Connection management
| Parameter | Type | Range | Default | Description |
|---|---|---|---|---|
| DownstreamIdleTime | integer | 0 - 600 | 15 | Idle timeout for client-to-gateway connections, in seconds. If no requests arrive within this period, the gateway closes the connection. Lower values free resources faster; higher values reduce reconnection overhead for keep-alive clients. |
| UpstreamIdleTimeout | integer | 0 - 600 | 30 | Idle timeout for gateway-to-upstream connections, in seconds. If the gateway sends no requests to the backend within this period, it closes the connection. Set this higher than your backend's keep-alive timeout to avoid premature disconnections. |
| DownstreamConnectionBufferLimits | integer | 0 - 2147483647 | 32768 | Maximum buffer size per gateway connection, in bytes. Increasing this value allows the gateway to handle larger request or response bodies in memory but increases memory consumption. The default (32 KB) is suitable for most workloads. |
Path normalization
| Parameter | Type | Range | Default | Description |
|---|---|---|---|---|
| EnableSlashMerge | bool | true, false | false | Merges consecutive forward slashes (/) into a single slash. For example, www.example.com//b becomes www.example.com/b. Enable if your backend applications do not handle duplicate slashes correctly. |
| PathWithEscapedSlashes | string | KEEP_UNCHANGED, REJECT_REQUEST, UNESCAPE_AND_REDIRECT, UNESCAPE_AND_FORWARD | KEEP_UNCHANGED | Controls how the gateway handles requests whose URI contains escaped slash characters (%2F, %2f, %5C, %5c). |
PathWithEscapedSlashes values
| Value | Behavior |
|---|---|
| KEEP_UNCHANGED | Forwards the request as-is. |
| REJECT_REQUEST | Returns HTTP 400 and rejects the request. Use this to block path traversal attempts. |
| UNESCAPE_AND_REDIRECT | Unescapes the characters and sends a redirect to the normalized URI. |
| UNESCAPE_AND_FORWARD | Unescapes the characters and forwards the request to the backend. |
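The four PathWithEscapedSlashes behaviours and EnableSlashMerge, modelled in Python so the outcomes can be compared on one request path. This is an added example rather than gateway code; the sample path is constructed (an identifier that legitimately contains an encoded slash), and applying slash merging before escaped-slash handling is an assumption of the model.

```python
import re

# The escaped forms the parameter table lists: %2F / %2f and %5C / %5c.
ESCAPED_SLASH = re.compile(r"%2[fF]|%5[cC]")
POLICIES = ("KEEP_UNCHANGED", "REJECT_REQUEST",
            "UNESCAPE_AND_REDIRECT", "UNESCAPE_AND_FORWARD")

# Constructed sample: a route parameter whose value contains an encoded slash.
SAMPLE_PATH = "/api/v1/items/a%2Fb"


def merge_slashes(path):
    """EnableSlashMerge: collapse every run of '/' into a single slash."""
    return re.sub(r"/{2,}", "/", path)


def unescape_slashes(path):
    """Decode only the escaped slash forms; other percent-escapes are left alone."""
    return ESCAPED_SLASH.sub(
        lambda m: "/" if m.group(0).lower() == "%2f" else "\\", path)


def normalize_path(path, enable_slash_merge=False, escaped_slashes="KEEP_UNCHANGED"):
    """Return (action, path): 'forward' with the path the backend receives,
    'reject' (the gateway answers HTTP 400) or 'redirect' with the Location target."""
    if escaped_slashes not in POLICIES:
        raise ValueError(f"unknown PathWithEscapedSlashes value: {escaped_slashes}")
    if enable_slash_merge:  # assumption: merging runs before escaped-slash handling
        path = merge_slashes(path)
    if not ESCAPED_SLASH.search(path):
        return ("forward", path)  # nothing escaped, the policy does not apply
    if escaped_slashes == "REJECT_REQUEST":
        return ("reject", None)
    if escaped_slashes == "KEEP_UNCHANGED":
        return ("forward", path)  # backend sees %2F and decides what it means
    decoded = unescape_slashes(path)
    if escaped_slashes == "UNESCAPE_AND_REDIRECT":
        return ("redirect", decoded)
    return ("forward", decoded)
```

With KEEP_UNCHANGED the route matcher and the backend may interpret `a%2Fb` differently (one segment or two), which is the ambiguity the other three values remove in different ways.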
Header and proxy settings
| Parameter | Type | Range | Default | Description |
|---|---|---|---|---|
| PreserveHeaderFormat | bool | true, false | false | Preserves the original letter casing of HTTP/1.1 headers instead of converting them to lowercase. The default (false) converts all headers to lowercase for HTTP/1.1 and HTTP/2 compatibility. Set to true only if your backend requires case-sensitive headers. |
| XffTrustedNum | integer | 0 - 10 | 0 | Number of trusted proxy hops. The gateway uses this value to extract the real client IP address from the x-forwarded-for header. When set to 0, the gateway uses the peer socket IP as the client IP and writes it to the x-envoy-external-address header. When set to a non-zero value *n*, the gateway skips the rightmost *n* entries in x-forwarded-for (after appending the socket IP) to determine the real client IP. The x-request-id and x-forwarded-proto headers from the client are preserved unchanged. Related: EnableXffTrustedCidrs. |
| EnableXffTrustedCidrs | bool | true, false | false | Enables trusted CIDR blocks for frontend proxy services such as Web Application Firewall (WAF) and CDN. When enabled, the gateway extracts the real client IP from the x-forwarded-for header and skips IP addresses that fall within the trusted CIDR blocks. Related: XffTrustedNum. |
When to configure trusted proxies
If your traffic passes through a reverse proxy, CDN, or WAF before reaching the gateway, configure XffTrustedNum or EnableXffTrustedCidrs so that the gateway correctly identifies the real client IP. Without this configuration, the gateway treats the proxy IP as the client IP, which affects IP-based rate limiting and access control.
- Use XffTrustedNum when you know the exact number of proxy hops between the client and the gateway.
- Use EnableXffTrustedCidrs when the number of hops varies but you can define trusted CIDR ranges for your proxy infrastructure.
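Client IP extraction as the XffTrustedNum and EnableXffTrustedCidrs rows describe it (append the peer socket IP to x-forwarded-for, then skip the rightmost n hops, or skip every address inside a trusted block), written as an added Python model rather than gateway code. The sample header, socket address and CIDR blocks are constructed; the fallbacks for "more trusted hops than entries" and "every entry trusted" are assumptions of the model.

```python
import ipaddress

# Constructed sample: client 203.0.113.5 -> WAF 10.0.0.9 -> CDN edge 198.51.100.7
# (the CDN edge is the peer socket, so it is not yet in the header).
SAMPLE_XFF = "203.0.113.5, 10.0.0.9"
SAMPLE_SOCKET_IP = "198.51.100.7"
TRUSTED_CIDRS = ["198.51.100.0/24", "10.0.0.0/8"]  # assumed CDN and WAF ranges


def _hop_chain(xff, socket_ip):
    """Split x-forwarded-for and append the peer socket IP as the last hop."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    return hops + [socket_ip]


def client_ip_by_hops(xff, socket_ip, trusted_num):
    """XffTrustedNum model: 0 means the peer socket IP is the client;
    n > 0 skips the rightmost n entries of the chain."""
    if trusted_num <= 0:
        return socket_ip
    chain = _hop_chain(xff, socket_ip)
    # Assumption: if more hops are trusted than exist, take the leftmost entry.
    return chain[max(len(chain) - 1 - trusted_num, 0)]


def client_ip_by_cidrs(xff, socket_ip, trusted_cidrs):
    """EnableXffTrustedCidrs model: walk the chain right to left, skip every
    address inside a trusted block, and return the first address outside them."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    for hop in reversed(_hop_chain(xff, socket_ip)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return socket_ip  # assumption: a malformed entry ends the walk
        if not any(addr in net for net in nets):
            return str(addr)
    return socket_ip  # assumption: every hop trusted, fall back to the peer
```

With neither setting configured (trusted_num 0) the CDN edge address is what rate limiting and access control would see, which is the misattribution the section warns about.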
Security and authentication
| Parameter | Type | Range | Default | Description |
|---|---|---|---|---|
| EnableHardwareAccelerate | bool | true, false | true | Enables hardware-accelerated Transport Layer Security (TLS) encryption and decryption. Hardware acceleration offloads TLS processing from the CPU, improving throughput for HTTPS traffic. Takes effect only if hardware acceleration is available in the region and was selected when you purchased the gateway. |
| EnableProxyProtocol | bool | true, false | false | Enables the Proxy protocol. When a Network Load Balancer (NLB) is the ingress for traffic, enable this to obtain the real client IP address. Non-Proxy-protocol requests continue to work normally after you enable this setting. |
| EnableCustomAuthConfigPush | bool | true, false | false | Prevents connection drops when custom authentication rules change. Enable for WebSocket connections or other long-lived connections that should not be interrupted by authentication rule updates. |
Due to underlying hardware limitations, hardware acceleration (EnableHardwareAccelerate) is available only in the following regions: China (Beijing), China (Hangzhou), China (Shanghai), China (Shenzhen), and Singapore.