Enforce security to prevent churn and connection exhausting #16
Comments
This is a good one! 2 questions:
Yeah, great. Go for k8s.
Perfect, Digital Ocean Kubernetes Engine it is. I feel that this Twitter thread with @evoxmusic is also related. Do those problems resonate with you @stefano-vardanega?
Good 👍
Feel free to share your thoughts on the above @Gsantomaggio 😉
Oh! That's an interesting topic. There is also Istio Traffic Management, here is an example with RabbitMQ. The same with HAProxy, we can also play with the TCP backlog queues and TIME_WAIT.
Istio will be a good one to start with, but I expect performance to become an issue soon. Let's measure and see if HAProxy is as good as it claims.
Just a thought ... It would drop / avoid DDoS attacks or not valid connections
That sounds like a great R&D project, I'm thinking longer-term. I bet @essen would be interested in eBPF too. Short-term, we should definitely lean on Envoy/Istio & maybe HAProxy as a first step, then iterate towards eBPF.
I'd like to add that the standard k8s ingress supports only HTTP(S), so it is OK for the management UI and not for AMQP. It should be possible to use the SNI TLS extension to manage the traffic. HAProxy, Traefik etc. support TLS with SNI and also the strict SNI policy. Here is an example of amqps with SNI: This is still work in progress btw!
Looking great Gabriele, this will be a great TGIR 👍🏻 Would you find it useful to fork and start preparing the setup? I would recommend starting from the S01E07 branch (soon to be merged & deleted) so that we can hit the ground running 😉
Ok, I did some tests with Traefik using SNI and strict SNI configuration, using a configuration like this:
We can use the same IP address and handle different RabbitMQ clusters. We have to finish it and test it, for the moment the configuration seems to work correctly
HAProxy, load balancer, socket tuning?