In Istio, if the iptables rules only redirect outbound traffic, what will happen?

I am studying Istio recently.
In Istio, the inbound and outbound traffic from and to a pod is redirected
to Envoy by iptables. Thus, one request (or invocation) is proxied twice.
I found that the inbound traffic always consumes the service in the current pod.
In other words, the inbound traffic may not be redirected to another pod again, so is it necessary to proxy the inbound traffic?
If I remove the rule that redirects the inbound traffic, does it work?
Or which function will be lost?

Mixer is called by the inbound proxy, so if you bypass the Istio sidecar on inbound traffic you will lose the functions that Mixer implements: logging and checking such as rate limits, auth, etc. Only routing is done on the outbound proxy.
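The question and answer above turn on which iptables rules the sidecar relies on. As an added example (not from the question or the answer, and not Istio's own code), here is a Python script that audits an iptables-save dump taken from a pod's network namespace and reports whether inbound TCP traffic (nat PREROUTING) and outbound TCP traffic (nat OUTPUT) both reach a REDIRECT to the sidecar. The chain names (ISTIO_INBOUND, ISTIO_IN_REDIRECT, ISTIO_OUTPUT, ISTIO_REDIRECT) and ports (15006 inbound, 15001 outbound) follow the layout Istio's init container installs; the dump itself is constructed, not captured from a real pod. The answer refers to Mixer, which later Istio releases removed; the policy and telemetry work moved into the sidecar proxy itself, so the consequence of bypassing the sidecar on inbound traffic is the same.

```python
"""Audit an iptables-save dump for Istio sidecar interception in both directions.

Added example, not part of the original thread. Chain names and ports are the ones
Istio's init container installs (assumption); the dump below is constructed.
"""
import re
from collections import defaultdict, deque

# Constructed iptables-save excerpt: the normal state, both directions intercepted.
FULL_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ISTIO_INBOUND - [0:0]
:ISTIO_IN_REDIRECT - [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 22 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
"""

# The situation the question asks about: the PREROUTING hook (inbound) removed.
OUTBOUND_ONLY_DUMP = "\n".join(
    line for line in FULL_DUMP.splitlines() if not line.startswith("-A PREROUTING")
)

JUMP_RE = re.compile(r"^-A (\S+) (.*?)-j (\S+)(.*)$")
PORT_RE = re.compile(r"--to-ports? (\d+)")


def parse_nat_jumps(dump):
    """Return {chain: [(jump_target, trailing_args)]} for the nat table only."""
    jumps = defaultdict(list)
    in_nat = False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *nat / *mangle
            in_nat = line == "*nat"
            continue
        if not in_nat or line == "COMMIT":
            continue
        m = JUMP_RE.match(line)
        if m:
            chain, _match_args, target, rest = m.groups()
            jumps[chain].append((target, rest.strip()))
    return jumps


def redirect_port(jumps, entry_chain):
    """Follow -j targets from entry_chain and return the first REDIRECT port reached.

    This is a reachability check over the jump graph, not a full simulation of
    rule ordering and RETURNs; it answers "is there any path to the sidecar?".
    """
    seen, queue = set(), deque([entry_chain])
    while queue:
        chain = queue.popleft()
        if chain in seen:
            continue
        seen.add(chain)
        for target, rest in jumps.get(chain, []):
            if target == "REDIRECT":
                m = PORT_RE.search(rest)
                return int(m.group(1)) if m else None
            if target in jumps and target not in seen:
                queue.append(target)
    return None


def audit_sidecar_interception(dump):
    """Map each direction to the sidecar port it is redirected to, or None."""
    jumps = parse_nat_jumps(dump)
    return {
        "inbound": redirect_port(jumps, "PREROUTING"),   # traffic arriving at the pod
        "outbound": redirect_port(jumps, "OUTPUT"),      # traffic the app sends out
    }


def lost_functions(audit):
    """Describe what the mesh can no longer do, following the answer above."""
    lost = []
    if audit["inbound"] is None:
        lost.append("inbound checks and logging (auth, rate limits, access logs)")
    if audit["outbound"] is None:
        lost.append("outbound routing")
    return lost


if __name__ == "__main__":
    for name, dump in (("full", FULL_DUMP), ("outbound-only", OUTBOUND_ONLY_DUMP)):
        result = audit_sidecar_interception(dump)
        print(name, result, "lost:", lost_functions(result) or "nothing")
```

On a live pod the dump would come from `iptables-save -t nat` run inside the pod's network namespace; the check is useful as a quick way to confirm that an inbound bypass (whether configured deliberately or introduced by a broken init container) has not silently disabled the policy enforcement the answer describes.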

Related

For an SSH EC2 connection, should there be an outbound rule specified?

According to the official docs - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
only an inbound TCP rule has to be added to the security group.
But how does the response come out? What protocol and port does the response come back on when I type my commands in the CLI terminal?
Or do I need only 1 inbound rule to simply ESTABLISH the connection and it works both ways - it sends and receives request and response through SSH through this 1 inbound rule?
Security Groups are stateful. They track the originating request and automatically allow responses. Per the official documentation:
Security groups are stateful—if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. For VPC security groups, this also means that responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. For more information, see Security group connection tracking.

How to log egress NAT Gateway HTTP traffic on AWS

I am kind of new to Operations. We are currently able to log outgoing TCP connections initiated by Lambda functions passing through a NAT Gateway. However, we need to be able to log outbound HTTP traffic as well. Since, according to my understanding, both the NAT gateway and Network Firewall are layer 4 devices, I believe there's no way they can help us log layer 7 traffic.
What is the recommended way to log outgoing HTTP traffic passing through a NAT gateway?

Monitoring websocket logs in Azure Gateway

I am aware that Azure Application Gateway supports WebSockets. However, I can't figure out from the samples and documentation how WebSocket access is reflected in the access logs.
I have been going over the Azure gateway documentation for access logs over here:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics#for-application-gateway-and-waf-v2-sku
There is no protocol field - which usually carries ws or wss to indicate WebSocket access.
Thanks for your help in advance.
There is no user-configurable setting to selectively enable or disable WebSocket support in Application gateway. WebSocket protocols are designed to work over traditional HTTP ports of 80 and 443. You can continue using a standard HTTP listener on port 80 or 443 to receive WebSocket traffic. WebSocket traffic is then directed to the WebSocket enabled backend server using the appropriate backend pool as specified in application gateway rules.
Here is clear documentation explaining the WebSocket workflow in Application Gateway.

Transport Proxy

I need to put a web proxy in place to log user activity at work after a recent incident. My first thought was Squid proxy, but after some research it seems that HTTPS requests are a total nightmare. These days more sites are HTTPS than HTTP, so I need to log both. Can anyone recommend a proxy server, or something else, to pass all HTTP and HTTPS requests through to log them?
Thanks
Squid can very well handle HTTP as well as HTTPS traffic. How you should configure Squid depends on how you want to configure the clients (I mean browsers).
In general, the Squid proxy server can be configured to listen for both HTTP and HTTPS traffic on a specific port (by default 3128 for Squid), and clients can be configured manually or using DHCP Option 252 + WPAD (Web Proxy Auto-Discovery Protocol).
Alternatively, Squid can be configured in transparent mode, intercepting the traffic on your network; in this case Squid will listen on different ports for HTTP and HTTPS traffic.
Shahnawaz
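The answer above covers how to get HTTP and HTTPS through Squid; what the asker will actually see in the logs differs between the two. As an added example (not part of the original thread, and not Squid's own code), here is a Python script that parses Squid's native access.log format and summarizes, per client, which requests had a visible URL path and which were only HTTPS tunnels where the proxy sees the destination host and byte counts but nothing inside. The log lines are constructed, and the field layout assumed is Squid's default native format (timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, content type).

```python
"""Summarize what a Squid access.log reveals for HTTP versus HTTPS requests.

Added example, not part of the original thread. Assumes Squid's native access.log
field layout; the sample lines below are constructed, not real captures.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: one plain HTTP fetch, one HTTPS tunnel, one denied CONNECT.
SAMPLE_LOG = """\
1700000000.101     45 10.0.0.5 TCP_MISS/200 5123 GET http://example.org/news/index.html - HIER_DIRECT/198.51.100.10 text/html
1700000001.202    913 10.0.0.5 TCP_TUNNEL/200 38210 CONNECT example.com:443 - HIER_DIRECT/198.51.100.10 -
1700000002.303      8 10.0.0.7 TCP_DENIED/403 3742 CONNECT blocked.example:443 - HIER_NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_line(line):
    """Parse one native-format line; return a dict or None if it does not match."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["status"] = int(rec["status"])
    if rec["method"] == "CONNECT":
        # An explicit-proxy HTTPS request: Squid logs only host:port of the tunnel.
        host, _, _port = rec["url"].rpartition(":")
        rec.update(scheme="https", host=host, path=None)   # path is inside TLS, unseen
    else:
        u = urlsplit(rec["url"])
        rec.update(scheme=u.scheme, host=u.hostname, path=u.path or "/")
    return rec


def summarize(log_text):
    """Per client: hosts contacted, and counts of visible-path, tunnel-only and denied requests."""
    per_client = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                       # skip lines in an unexpected format
        c = per_client.setdefault(
            rec["client"], {"hosts": set(), "visible_path": 0, "tunnel_only": 0, "denied": 0}
        )
        c["hosts"].add(rec["host"])
        if rec["result"].startswith("TCP_DENIED"):
            c["denied"] += 1
        elif rec["path"] is None:
            c["tunnel_only"] += 1
        else:
            c["visible_path"] += 1
    return per_client


if __name__ == "__main__":
    for client, stats in summarize(SAMPLE_LOG).items():
        print(client, sorted(stats["hosts"]),
              "visible_path=%d tunnel_only=%d denied=%d"
              % (stats["visible_path"], stats["tunnel_only"], stats["denied"]))
```

The practical consequence for the asker: with an explicitly configured proxy, HTTPS activity appears as CONNECT entries carrying the destination host and port, and in transparent mode Squid only learns the host name from the TLS SNI. In both modes the URL path stays hidden unless the proxy is set up to decrypt the traffic (Squid's SSL bump), which requires installing a CA that the clients trust and should be weighed against the privacy and breakage implications before being used for activity logging.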

GCE: Both TCP and HTTP load balancers on one IP

I'm running a Kubernetes application on GKE, which serves HTTP requests on port 80 and WebSocket on port 8080.
Now, the HTTP part needs to know the client's IP address, so I have to use the HTTP load balancer as the ingress service. The WebSocket part then has to use the TCP load balancer, as it's clearly stated in the docs that the HTTP LB doesn't support it.
I got them both working, but on different IPs, and I need to have them on one.
I would expect that there is something like iptables on GCE, so I could forward traffic from port 80 to the HTTP LB, and from 8080 to the TCP LB, but I can't find anything like that. Anything including forwarding allows only one of them.
I guess I could have one instance with nginx/HAProxy doing only this, but that seems like overkill.
Appreciate any help!
There's not a great answer to this right now. Ingress objects are really HTTP only right now, and we don't really support multiple grades of ingress in a single cluster (though we want to).
GCE's HTTP LB doesn't do websockets yet.
Services have a flaw in that they lose the client IP (we are working on that). Even once we solve this, you won't be able to use GCE's L7 balancer because of the extra port you need.
The best workaround I can think of, and the one that has been used by a number of users until we preserve source IP, is this:
Run your own haproxy or nginx or even your own app as a Daemonset on some or all nodes (label controlled) with HostPorts.
Run a GCE Network LB (outside of Kubernetes) pointing at the nodes with HostPorts.
Once we can properly preserve external IPs, you can turn this back into a plain Service.
