Enforce security to prevent churn and connection exhausting

Question

Enforce security to prevent churn and connection exhausting

Opened this issue 4 years ago · 13 comments

stefano-vardanega commented 4 years ago

HAProxy, load balancer, socket tuning ?

Answer 1 · 2020-10-26T16:23:57.000Z

This is a good one! 2 questions:

Can we agree on K8S as the baseline?
Ingress makes this much easier to capture, follow along & keep it relevant for longer-term.
Any specific K8S that you would consider using for RabbitMQ?
Apparently there are 168+ to choose from 🤯
We have covered GKE & DKE already, but LKE & SKE are equally easy.

Answer 2 · 2020-10-26T17:57:25.000Z

Yeah, great. Go for k8s.
I personally use Digital Ocean k8s to publish an MQTTS on 8883, but without ingress. So I'm greatly interested in DO ;).

Answer 3 · 2020-10-26T18:35:31.000Z

Perfect, Digital Ocean Kubernetes Engine it is.

I feel that this Twitter thread with @evoxmusic is also related. Do those problems resonate with you @stefano-vardanega?

Answer 4 · 2020-10-26T19:19:39.000Z

Good 👍
That's exactly my current concerns!

Answer 5 · 2020-10-26T19:54:32.000Z

Feel free to share your thoughts on the above @Gsantomaggio 😉

Answer 6 · 2020-10-26T21:23:27.000Z

Oh ! that's an interesting topic.

There is also Istio Traffic Management, here an example with RabbitMQ.

The same with HA-Proxy, we can also play with the TCP Backlog queues and TIME_WAIT.

Answer 7 · 2020-10-26T22:00:26.000Z

Istio will be a good one to start with, but I expect performance to become an issue soon. Let's measure and see if HAproxy is as good as it claims.

Answer 8 · 2020-10-27T16:42:12.000Z

Just a thought ...
Would be interesting to try to implement an XDP_DROP

It would drop / avoid ddos attach or not valid connections

interesting post to read

Answer 9 · 2020-10-27T17:18:53.000Z

That sounds like a great R&D project, I'm thinking longer-term. I bet @essen would be interested in eBPF too.

Short-term, we should definitely lean on Envoy/Istio & maybe HAproxy as a first step, then iterate towards eBPF.

Answer 10 · 2020-11-09T21:27:33.000Z

Can we agree on K8S as the baseline?
Ingress makes this much easier to capture, follow along & keep it relevant for longer-term.

I'd like to add that the standard k8s ingress supports only HTTP(s) so it is ok for management UI and not for the amqp.

It should be possible to use the SNI TLS extension to manage the traffic.

HAProxy, Traefik etc support TLS with SNI and also the strict sni policy

Here an example of amqps with SNI:

This is still work in progress btw!

Answer 11 · 2020-11-09T22:44:32.000Z

Looking great Gabriele, this will be a great TGIR 👍🏻

Would you find it useful to fork and start preparing the setup? I would recommend starting from the S01E07 branch (soon to be merged & deleted) so that we can hit the ground running 😉

Answer 12 · 2020-11-11T11:42:34.000Z

Ok, I did some test with Traefik using SNI and strict sni configuration, using a configuration like this:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: rabbitmq-big-ingress
spec:
  routes:
  - match: HostSNI(`rabbit.bigcluster`)
    services:
    - name: big-cluster
      port: 5671
  tls:
     passthrough: true
     secretName: tls-big-secret
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: rabbitmq-ingress
spec:
  routes:
  - match: HostSNI(`rabbit.cluster`)
    services:
    - name: cluster
      port: 5671
  tls:
     passthrough: true
     secretName: tls-secret

we can use the same IP address and handle different rabbitmq clusters.

We have to finish it and test it, for the moment the configuration it seems to work correctly

Answer 13 · 2020-12-31T16:06:31.000Z

gerhard commented 4 years ago

😄1