9 posts in category networking

Istio vs. Linkerd: Service Mesh on Kubernetes
Comparing Istio 1.29 (sidecar mode) and Linkerd 2.19: data plane, mTLS, egress, resource overhead, observability, and when to use each.

Istio vs. Envoy Gateway: Gateway API on Kubernetes
Comparing Istio and Envoy Gateway as Gateway API implementations: mTLS, egress, Cilium, managed cloud specifics (AKS, GKE, OVH MKS), and real client IP.

Envoy Gateway v1.7: Global Rate Limiting with a Custom ratelimit Service
How to wire envoyproxy/ratelimit as a self-hosted service into Envoy Gateway v1.7 using EnvoyPatchPolicy — three xDS patches, namespace-admin self-service, and the pitfalls to avoid.

haproxy-spoe-rs: Deployment
Deploying the haproxy-spoe-rs SPOA agent in production — container image, podman-compose, Kubernetes, HAProxy configuration, health checking, logging, and systemd.

haproxy-spoe-rs: A Rust SPOA Agent Library for HAProxy
Building a HAProxy Stream Processing Offload Agent (SPOA) library in Rust — zero-dependency async design, mpsc write batching, 95.9% test coverage, and 2.8–4.9× higher throughput than the Go reference implementation.

Running pdns_recursor as a root-independent validating resolver
How to configure PowerDNS Recursor 5.4 to resolve directly against TLD name servers without depending on the root name servers at runtime, using a local root.zone file loaded via zonetocaches — including DNSSEC validation, trust anchor setup, and the race condition that prevents it from working without a hint file.

Running a validating DNS recursor from the root zone with Hickory DNS
How to run Hickory DNS as a full recursive resolver starting from the root zone, with DNSSEC validation, TLS-encrypted upstream connections, Happy Eyeballs, and Prometheus metrics — including all configuration options added in the recurser-from-root-zone branch.

tls-proxy-tunnel: Transparent TLS Tunnelling Through Corporate HTTP Proxies
How tls-proxy-tunnel (tpt) uses SNI peeking to tunnel TLS connections through corporate HTTP CONNECT proxies without ever terminating TLS — layer 4, zero config on the client side.

How does SNI Routing work in HAProxy
Learn how HAProxy container uses TLS Server Name Indication (SNI) to route encrypted TCP connections without decrypting them — enabling multiple services like Nextcloud and XMPP to share port 443.