<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
    <title>Alek&#x27;s Blog - networking</title>
    <subtitle>My Blog to share my knowledge</subtitle>
    <link rel="self" type="application/atom+xml" href="https://blog.none.at/categories/networking/atom.xml"/>
    <link rel="alternate" type="text/html" href="https://blog.none.at"/>
    <generator uri="https://www.getzola.org/">Zola</generator>
    <updated>2026-06-25T00:00:00+00:00</updated>
    <id>https://blog.none.at/categories/networking/atom.xml</id>
    <entry xml:lang="en">
        <title>Istio vs. Linkerd: Service Mesh on Kubernetes</title>
        <published>2026-05-12T00:00:00+00:00</published>
        <updated>2026-05-12T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-05-12-istio-vs-linkerd/"/>
        <id>https://blog.none.at/blog/2026/2026-05-12-istio-vs-linkerd/</id>
        
        <summary type="html">&lt;p&gt;Both &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;istio.io&quot;&gt;Istio&lt;&#x2F;a&gt; and &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;linkerd.io&quot;&gt;Linkerd&lt;&#x2F;a&gt; are CNCF Graduated service
meshes that provide automatic mTLS, traffic policy, and observability for Kubernetes
workloads. Both run in sidecar mode for this comparison — a proxy container injected into
every pod. The fundamental difference is the data plane: Istio uses
&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;www.envoyproxy.io&quot;&gt;Envoy&lt;&#x2F;a&gt;, Linkerd uses its own Rust-based proxy
(&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;linkerd&#x2F;linkerd2-proxy&quot;&gt;&lt;code&gt;linkerd2-proxy&lt;&#x2F;code&gt;&lt;&#x2F;a&gt;). That choice drives the differences in overhead, extensibility, and egress
control.&lt;&#x2F;p&gt;
&lt;p&gt;This post compares them on the dimensions that matter for a production deployment. For the
broader question of Istio vs. Envoy Gateway (ingress-only), ambient mode, and managed cloud
specifics (AKS, GKE, OVH MKS), see the companion post
&lt;a href=&quot;&#x2F;blog&#x2F;2026&#x2F;2026-04-30-istio-vs-envoy-gateway&#x2F;&quot;&gt;Istio vs. Envoy Gateway: Gateway API on Kubernetes&lt;&#x2F;a&gt;.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>Istio vs. Envoy Gateway: Gateway API on Kubernetes</title>
        <published>2026-04-30T00:00:00+00:00</published>
        <updated>2026-06-25T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-04-30-istio-vs-envoy-gateway/"/>
        <id>https://blog.none.at/blog/2026/2026-04-30-istio-vs-envoy-gateway/</id>
        
        <summary type="html">&lt;p&gt;Both &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;istio.io&quot;&gt;Istio&lt;&#x2F;a&gt; and &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;gateway.envoyproxy.io&quot;&gt;Envoy Gateway&lt;&#x2F;a&gt; implement the
&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;gateway-api.sigs.k8s.io&quot;&gt;Kubernetes Gateway API&lt;&#x2F;a&gt; and use Envoy as their data plane.
That is roughly where the similarity ends. Istio is a full service mesh that happens to
implement Gateway API; Envoy Gateway is a dedicated Gateway API controller with no mesh
ambitions. Choosing between them is mostly a question of scope.&lt;&#x2F;p&gt;
&lt;p&gt;This post starts with that comparison — architecture, mTLS, egress control, and resource
overhead — then broadens to cover &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;cilium.io&quot;&gt;Cilium&lt;&#x2F;a&gt; as a lighter alternative for
East-West security, how the choice plays out on managed Kubernetes offerings (AKS, GKE, and
OVH MKS including their cloud-native ingress and egress options), and finally how to get
the real client IP through a cloud load balancer to your application.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>Envoy Gateway v1.7: Global Rate Limiting with a Custom ratelimit Service</title>
        <published>2026-04-19T00:00:00+00:00</published>
        <updated>2026-04-19T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-04-19-envoy-gateway-global-ratelimit/"/>
        <id>https://blog.none.at/blog/2026/2026-04-19-envoy-gateway-global-ratelimit/</id>
        
        <summary type="html">&lt;p&gt;Global rate limiting in &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;gateway.envoyproxy.io&#x2F;&quot;&gt;Envoy Gateway (EG)&lt;&#x2F;a&gt; can be set up in two ways:
the easy path (EG manages its own &lt;code&gt;envoy-ratelimit&lt;&#x2F;code&gt; container) and the flexible path
(you bring your own &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;envoyproxy&#x2F;ratelimit&quot;&gt;envoyproxy&#x2F;ratelimit&lt;&#x2F;a&gt; service).
This post covers the flexible path — &lt;strong&gt;Option B&lt;&#x2F;strong&gt; — and documents the three xDS patches
required to wire it up, the EG v1.7 breaking changes that affect the approach,
and a namespace-admin self-service deployment model.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>haproxy-spoe-rs: Deployment</title>
        <published>2026-04-12T00:00:00+00:00</published>
        <updated>2026-04-12T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-04-12-haproxy-spoa-rs-deployment/"/>
        <id>https://blog.none.at/blog/2026/2026-04-12-haproxy-spoa-rs-deployment/</id>
        
        <summary type="html">&lt;p&gt;This post covers deploying the &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;git001&#x2F;haproxy-spoe-rs&quot;&gt;haproxy-spoe-rs&lt;&#x2F;a&gt;
SPOA agent in production. It is a companion to the
&lt;a href=&quot;&#x2F;blog&#x2F;2026&#x2F;2026-04-12-haproxy-spoa-rs&#x2F;&quot;&gt;architecture post&lt;&#x2F;a&gt; which explains the library design.&lt;&#x2F;p&gt;
&lt;p&gt;The agent and HAProxy run as &lt;strong&gt;separate services&lt;&#x2F;strong&gt; — HAProxy connects to the agent over TCP.
This keeps their lifecycles independent and allows scaling each side separately.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>haproxy-spoe-rs: A Rust SPOA Agent Library for HAProxy</title>
        <published>2026-04-12T00:00:00+00:00</published>
        <updated>2026-04-12T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-04-12-haproxy-spoa-rs/"/>
        <id>https://blog.none.at/blog/2026/2026-04-12-haproxy-spoa-rs/</id>
        
        <summary type="html">&lt;p&gt;&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;git001&#x2F;haproxy-spoe-rs&quot;&gt;haproxy-spoe-rs&lt;&#x2F;a&gt; is a Rust library for writing
&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;haproxy&#x2F;haproxy&#x2F;blob&#x2F;master&#x2F;doc&#x2F;SPOE.txt&quot;&gt;HAProxy SPOE&lt;&#x2F;a&gt; agents. This post
covers what SPOE is, the design decisions behind the library, and how its throughput compares
to the Go reference implementation.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>Running pdns_recursor as a root-independent validating resolver</title>
        <published>2026-04-06T00:00:00+00:00</published>
        <updated>2026-04-06T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-04-05-pdns-recursor-root-resolver/"/>
        <id>https://blog.none.at/blog/2026/2026-04-05-pdns-recursor-root-resolver/</id>
        
        <summary type="html">&lt;p&gt;&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;doc.powerdns.com&#x2F;recursor&#x2F;&quot;&gt;PowerDNS Recursor&lt;&#x2F;a&gt; is a mature, production-grade recursive DNS resolver. This post documents how to configure it to bootstrap directly from a local &lt;code&gt;root.zone&lt;&#x2F;code&gt; file — so it never needs to reach the root name servers at runtime — with full DNSSEC validation producing the &lt;code&gt;ad&lt;&#x2F;code&gt; flag in responses.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>Running a validating DNS recursor from the root zone with Hickory DNS</title>
        <published>2026-04-04T00:00:00+00:00</published>
        <updated>2026-04-05T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-04-04-hickory-dns-root-resolver/"/>
        <id>https://blog.none.at/blog/2026/2026-04-04-hickory-dns-root-resolver/</id>
        
        <summary type="html">&lt;p&gt;&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;hickory-dns&#x2F;hickory-dns&quot;&gt;Hickory DNS&lt;&#x2F;a&gt; is a Rust-based DNS implementation that covers the full stack: resolver, recursor, authoritative server, and DNSSEC. This post documents how to run it as a &lt;strong&gt;full recursive resolver&lt;&#x2F;strong&gt; — starting directly from the root zone, with DNSSEC validation and encrypted upstream transport — based on the changes developed in the &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;git001&#x2F;hickory-dns&#x2F;tree&#x2F;recurser-from-root-zone&quot;&gt;&lt;code&gt;recurser-from-root-zone&lt;&#x2F;code&gt;&lt;&#x2F;a&gt; branch.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>tls-proxy-tunnel: Transparent TLS Tunnelling Through Corporate HTTP Proxies</title>
        <published>2024-07-02T00:00:00+00:00</published>
        <updated>2026-01-22T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2024/2024-07-02-tls-proxy-tunnel/"/>
        <id>https://blog.none.at/blog/2024/2024-07-02-tls-proxy-tunnel/</id>
        
        <summary type="html">&lt;p&gt;Many enterprise networks sit behind a corporate HTTP CONNECT proxy. Applications
that speak TLS natively — think &lt;code&gt;git&lt;&#x2F;code&gt;, &lt;code&gt;curl&lt;&#x2F;code&gt;, SSH-over-HTTPS, or any custom
binary — often have no built-in proxy support. Configuring every single tool is
tedious, fragile, and sometimes impossible when you don’t control the binary.&lt;&#x2F;p&gt;
&lt;p&gt;&lt;code&gt;tls-proxy-tunnel&lt;&#x2F;code&gt; (&lt;code&gt;tpt&lt;&#x2F;code&gt;) solves this at layer 4: it sits between your
application and the outside world, intercepts the TLS connection, extracts the
Server Name Indication (SNI) from the ClientHello, and tunnels the raw bytes
through your corporate HTTP CONNECT proxy — without ever terminating TLS.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>How does SNI Routing work in HAProxy</title>
        <published>2019-05-17T00:00:00+00:00</published>
        <updated>2026-03-16T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2019/2019-05-17-haproxy-sni-routing/"/>
        <id>https://blog.none.at/blog/2019/2019-05-17-haproxy-sni-routing/</id>
        
        <summary type="html">&lt;p&gt;As I travel a lot I faced the problem that in some Wi-Fi networks certain ports are blocked for outgoing communication 😱. The solution is to use software that can handle TCP and HTTP via port &lt;strong&gt;443&lt;&#x2F;strong&gt; so that I can use my Nextcloud and my XMPP client on the same port.&lt;&#x2F;p&gt;</summary>
        
    </entry>
</feed>
