Enforce security to prevent churn and connection exhausting

[stefano-vardanega]

HAProxy, load balancer, socket tuning ?

[gerhard]

This is a good one! 2 questions:

1. Can we agree on K8S as the baseline?
   Ingress makes this much easier to capture, follow along & keep it relevant for longer-term.

2. Any specific K8S that you would consider using for RabbitMQ?
   Apparently there are 168+ to choose from 🤯
   We have covered GKE & DKE already, but LKE & SKE are equally easy.

[stefano-vardanega]

Yeah, great. Go for k8s.
I personally use Digital Ocean k8s to publish an MQTTS on 8883, but without ingress. So I'm greatly interested in DO ;).

[gerhard]

Perfect, Digital Ocean Kubernetes Engine it is.

I feel that this Twitter thread with @evoxmusic is also related. Do those problems resonate with you @stefano-vardanega?

[stefano-vardanega]

Good 👍
That's exactly my current concerns!

[gerhard]

Feel free to share your thoughts on the above @Gsantomaggio 😉

[Gsantomaggio]

Oh ! that's an interesting topic.

There is also Istio Traffic Management, here an example with RabbitMQ.

The same with HA-Proxy, we can also play with the TCP Backlog queues and TIME_WAIT.

[gerhard]

Istio will be a good one to start with, but I expect performance to become an issue soon. Let's measure and see if HAproxy is as good as it claims.

[Gsantomaggio]

Just a thought ...
Would be interesting to try to implement an XDP_DROP

It would drop / avoid ddos attach or not valid connections

interesting post to read

[gerhard]

That sounds like a great R&D project, I'm thinking longer-term. I bet @essen would be interested in eBPF too.

Short-term, we should definitely lean on Envoy/Istio & maybe HAproxy as a first step, then iterate towards eBPF.

[Gsantomaggio]

Can we agree on K8S as the baseline?
Ingress makes this much easier to capture, follow along & keep it relevant for longer-term.

I'd like to add that the standard k8s ingress supports only HTTP(s) so it is ok for management UI and not for the amqp.

It should be possible to use the SNI TLS extension to manage the traffic.

HAProxy, Traefik etc support TLS with SNI and also the strict sni policy

Here an example of amqps with SNI:

This is still work in progress btw!

[gerhard]

Looking great Gabriele, this will be a great TGIR 👍🏻

Would you find it useful to fork and start preparing the setup? I would recommend starting from the S01E07 branch (soon to be merged & deleted) so that we can hit the ground running 😉

[Gsantomaggio]

Ok, I did some test with Traefik using SNI and strict sni configuration, using a configuration like this:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: rabbitmq-big-ingress
spec:
  routes:
  - match: HostSNI(`rabbit.bigcluster`)
    services:
    - name: big-cluster
      port: 5671
  tls:
     passthrough: true
     secretName: tls-big-secret
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: rabbitmq-ingress
spec:
  routes:
  - match: HostSNI(`rabbit.cluster`)
    services:
    - name: cluster
      port: 5671
  tls:
     passthrough: true
     secretName: tls-secret

we can use the same IP address and handle different rabbitmq clusters.

We have to finish it and test it, for the moment the configuration it seems to work correctly

[gerhard]