A minimal HAProxy configuration to act as a frontend for a Radix DLT Node, specifically for the TCP gossip port. Pull requests are welcome.
The official Radix Node installation uses Nginx in front of the core Radix process to add features such as password protection for the admin endpoints. The default Nginx configuration does add some basic rate limiting for the HTTP endpoints, but very little for the TCP gossip port. HAProxy has numerous options for controlling TCP connections and sessions, so it can add flexibility and an additional layer of protection in front of the gossip port. The configuration here is not intended as a fully fledged DDoS solution; it can, however, help with some service abuse scenarios such as a single source opening too many connections or connecting too frequently.
The main configuration is here. The default figures will continue to be tweaked over time driven by feedback from other node runners.
The config directory also contains allow and deny IP lists, the former of which contains the official Radix seed nodes. Add to or remove from these lists depending on which nodes / systems you wish to trust; the deny list is checked first, and sources on the allow list bypass the rate limits entirely.
The configuration loads some environment variables which you will need to specify in your setup. The docker-compose.yml file is a good reference for the full list of variables used.
If you want to run this in production, please be advised that you should restrict access to the stats port in your firewall setup. Although the configuration here does not enable admin mode on the stats dashboard (so nothing can be changed through it) and also password protects it, the password is only a second layer; defense in depth should be your priority.
If you wish to add or update some of the rules in the configuration, check out the tcp-request sections of the HAProxy documentation, such as tcp-request connection, plus the README section below on local development.
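The following is an added example of the pattern described above, written for this README and not the repository's own configuration: a TCP frontend that rejects sources on the deny list, lets allow-listed seed nodes through untouched, tracks everyone else in a stick table and rejects them when they exceed a connection rate or concurrency threshold, plus a password-protected stats page with no `stats admin` line. The bind port (30000), the list file paths, the thresholds, and the `STATS_USER`, `STATS_PASSWORD`, `RADIX_NODE_HOST` and `RADIX_NODE_GOSSIP_PORT` variable names are all assumptions; substitute the values and variables from your docker-compose.yml.

```haproxy
global
    log stdout format raw local0
    maxconn 4096

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Stats dashboard: password protected and deliberately without "stats admin",
# so the page is read-only. Still firewall this port; auth is only a second layer.
# STATS_USER / STATS_PASSWORD are assumed environment variable names.
listen stats
    bind *:8404
    mode http
    stats enable
    stats uri /
    stats refresh 10s
    stats auth "${STATS_USER}:${STATS_PASSWORD}"

# Gossip frontend. Rules run in order: deny list first, then the allow list
# (accept stops evaluation, so trusted seeds are never rate limited), then
# per-source tracking and rejection for everyone else.
frontend gossip_in
    bind *:30000                                   # assumed gossip port
    mode tcp
    # One entry per source IP: connection rate over a 10s window and
    # concurrent connections. Entries expire after 30s of inactivity.
    stick-table type ip size 100k expire 30s store conn_rate(10s),conn_cur
    acl denied_src  src -f /usr/local/etc/haproxy/deny.lst    # assumed path
    acl trusted_src src -f /usr/local/etc/haproxy/allow.lst   # assumed path
    tcp-request connection reject if denied_src
    tcp-request connection accept if trusted_src
    tcp-request connection track-sc0 src
    # Thresholds are illustrative; tune them from your node's observed peers.
    tcp-request connection reject if { sc_conn_rate(0) gt 20 }
    tcp-request connection reject if { sc_conn_cur(0) gt 5 }
    default_backend gossip_node

backend gossip_node
    mode tcp
    # RADIX_NODE_HOST / RADIX_NODE_GOSSIP_PORT are assumed variable names.
    server radix_node "${RADIX_NODE_HOST}:${RADIX_NODE_GOSSIP_PORT}" check
```

Validate a change with `haproxy -c -f haproxy.cfg` before restarting, and watch the stats page: rejected connections show up as "Denied" in the frontend row, which is the quickest way to see whether a threshold is catching abuse or legitimate peers.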
At the moment there is no public published Docker image, let us know if that might be helpful.
You will need docker and docker-compose installed for local development. You may also wish to install parallel and nping for testing purposes.
Check out the Makefile for common commands including basic testing.