<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
    <channel>
      <title>Alek&#x27;s Blog - networking</title>
      <link>https://blog.none.at</link>
      <description>My Blog to share my knowledge</description>
      <generator>Zola</generator>
      <language>en</language>
      <atom:link href="https://blog.none.at/categories/networking/rss.xml" rel="self" type="application/rss+xml"/>
      <lastBuildDate>Thu, 25 Jun 2026 00:00:00 +0000</lastBuildDate>
      <item>
          <title>Istio vs. Linkerd: Service Mesh on Kubernetes</title>
          <pubDate>Tue, 12 May 2026 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2026/2026-05-12-istio-vs-linkerd/</link>
          <guid>https://blog.none.at/blog/2026/2026-05-12-istio-vs-linkerd/</guid>
          <description xml:base="https://blog.none.at/blog/2026/2026-05-12-istio-vs-linkerd/">&lt;p&gt;Both &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;istio.io&quot;&gt;Istio&lt;&#x2F;a&gt; and &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;linkerd.io&quot;&gt;Linkerd&lt;&#x2F;a&gt; are CNCF Graduated service
meshes that provide automatic mTLS, traffic policy, and observability for Kubernetes
workloads. Both run in sidecar mode for this comparison — a proxy container injected into
every pod. The fundamental difference is the data plane: Istio uses
&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;www.envoyproxy.io&quot;&gt;Envoy&lt;&#x2F;a&gt;, Linkerd uses its own Rust-based proxy
(&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;linkerd&#x2F;linkerd2-proxy&quot;&gt;&lt;code&gt;linkerd2-proxy&lt;&#x2F;code&gt;&lt;&#x2F;a&gt;). That choice drives the differences in overhead, extensibility, and egress
control.&lt;&#x2F;p&gt;
&lt;p&gt;This post compares them on the dimensions that matter for a production deployment. For the
broader question of Istio vs. Envoy Gateway (ingress-only), ambient mode, and managed cloud
specifics (AKS, GKE, OVH MKS), see the companion post
&lt;a href=&quot;&#x2F;blog&#x2F;2026&#x2F;2026-04-30-istio-vs-envoy-gateway&#x2F;&quot;&gt;Istio vs. Envoy Gateway: Gateway API on Kubernetes&lt;&#x2F;a&gt;.&lt;&#x2F;p&gt;</description>
      </item>
      <item>
          <title>Istio vs. Envoy Gateway: Gateway API on Kubernetes</title>
          <pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2026/2026-04-30-istio-vs-envoy-gateway/</link>
          <guid>https://blog.none.at/blog/2026/2026-04-30-istio-vs-envoy-gateway/</guid>
          <description xml:base="https://blog.none.at/blog/2026/2026-04-30-istio-vs-envoy-gateway/">&lt;p&gt;Both &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;istio.io&quot;&gt;Istio&lt;&#x2F;a&gt; and &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;gateway.envoyproxy.io&quot;&gt;Envoy Gateway&lt;&#x2F;a&gt; implement the
&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;gateway-api.sigs.k8s.io&quot;&gt;Kubernetes Gateway API&lt;&#x2F;a&gt; and use Envoy as their data plane.
That is roughly where the similarity ends. Istio is a full service mesh that happens to
implement Gateway API; Envoy Gateway is a dedicated Gateway API controller with no mesh
ambitions. Choosing between them is mostly a question of scope.&lt;&#x2F;p&gt;
&lt;p&gt;This post starts with that comparison — architecture, mTLS, egress control, and resource
overhead — then broadens to cover &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;cilium.io&quot;&gt;Cilium&lt;&#x2F;a&gt; as a lighter alternative for
East-West security, how the choice plays out on managed Kubernetes offerings (AKS, GKE, and
OVH MKS including their cloud-native ingress and egress options), and finally how to get
the real client IP through a cloud load balancer to your application.&lt;&#x2F;p&gt;</description>
      </item>
      <item>
          <title>Envoy Gateway v1.7: Global Rate Limiting with a Custom ratelimit Service</title>
          <pubDate>Sun, 19 Apr 2026 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2026/2026-04-19-envoy-gateway-global-ratelimit/</link>
          <guid>https://blog.none.at/blog/2026/2026-04-19-envoy-gateway-global-ratelimit/</guid>
          <description xml:base="https://blog.none.at/blog/2026/2026-04-19-envoy-gateway-global-ratelimit/">&lt;p&gt;Global rate limiting in &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;gateway.envoyproxy.io&#x2F;&quot;&gt;Envoy Gateway (EG)&lt;&#x2F;a&gt; can be set up in two ways:
the easy path (EG manages its own &lt;code&gt;envoy-ratelimit&lt;&#x2F;code&gt; container) and the flexible path
(you bring your own &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;envoyproxy&#x2F;ratelimit&quot;&gt;envoyproxy&#x2F;ratelimit&lt;&#x2F;a&gt; service).
This post covers the flexible path — &lt;strong&gt;Option B&lt;&#x2F;strong&gt; — and documents the three xDS patches
required to wire it up, the EG v1.7 breaking changes that affect the approach,
and a namespace-admin self-service deployment model.&lt;&#x2F;p&gt;</description>
      </item>
      <item>
          <title>haproxy-spoe-rs: Deployment</title>
          <pubDate>Sun, 12 Apr 2026 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2026/2026-04-12-haproxy-spoa-rs-deployment/</link>
          <guid>https://blog.none.at/blog/2026/2026-04-12-haproxy-spoa-rs-deployment/</guid>
          <description xml:base="https://blog.none.at/blog/2026/2026-04-12-haproxy-spoa-rs-deployment/">&lt;p&gt;This post covers deploying the &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;git001&#x2F;haproxy-spoe-rs&quot;&gt;haproxy-spoe-rs&lt;&#x2F;a&gt;
SPOA agent in production. It is a companion to the
&lt;a href=&quot;&#x2F;blog&#x2F;2026&#x2F;2026-04-12-haproxy-spoa-rs&#x2F;&quot;&gt;architecture post&lt;&#x2F;a&gt; which explains the library design.&lt;&#x2F;p&gt;
&lt;p&gt;The agent and HAProxy run as &lt;strong&gt;separate services&lt;&#x2F;strong&gt; — HAProxy connects to the agent over TCP.
This keeps their lifecycles independent and allows scaling each side separately.&lt;&#x2F;p&gt;</description>
      </item>
      <item>
          <title>haproxy-spoe-rs: A Rust SPOA Agent Library for HAProxy</title>
          <pubDate>Sun, 12 Apr 2026 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2026/2026-04-12-haproxy-spoa-rs/</link>
          <guid>https://blog.none.at/blog/2026/2026-04-12-haproxy-spoa-rs/</guid>
          <description xml:base="https://blog.none.at/blog/2026/2026-04-12-haproxy-spoa-rs/">&lt;p&gt;&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;git001&#x2F;haproxy-spoe-rs&quot;&gt;haproxy-spoe-rs&lt;&#x2F;a&gt; is a Rust library for writing
&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;haproxy&#x2F;haproxy&#x2F;blob&#x2F;master&#x2F;doc&#x2F;SPOE.txt&quot;&gt;HAProxy SPOE&lt;&#x2F;a&gt; agents. This post
covers what SPOE is, the design decisions behind the library, and how its throughput compares
to the Go reference implementation.&lt;&#x2F;p&gt;</description>
      </item>
      <item>
          <title>Running pdns_recursor as a root-independent validating resolver</title>
          <pubDate>Mon, 06 Apr 2026 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2026/2026-04-05-pdns-recursor-root-resolver/</link>
          <guid>https://blog.none.at/blog/2026/2026-04-05-pdns-recursor-root-resolver/</guid>
          <description xml:base="https://blog.none.at/blog/2026/2026-04-05-pdns-recursor-root-resolver/">&lt;p&gt;&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;doc.powerdns.com&#x2F;recursor&#x2F;&quot;&gt;PowerDNS Recursor&lt;&#x2F;a&gt; is a mature, production-grade recursive DNS resolver. This post documents how to configure it to bootstrap directly from a local &lt;code&gt;root.zone&lt;&#x2F;code&gt; file — so it never needs to reach the root name servers at runtime — with full DNSSEC validation producing the &lt;code&gt;ad&lt;&#x2F;code&gt; flag in responses.&lt;&#x2F;p&gt;</description>
      </item>
      <item>
          <title>Running a validating DNS recursor from the root zone with Hickory DNS</title>
          <pubDate>Sat, 04 Apr 2026 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2026/2026-04-04-hickory-dns-root-resolver/</link>
          <guid>https://blog.none.at/blog/2026/2026-04-04-hickory-dns-root-resolver/</guid>
          <description xml:base="https://blog.none.at/blog/2026/2026-04-04-hickory-dns-root-resolver/">&lt;p&gt;&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;hickory-dns&#x2F;hickory-dns&quot;&gt;Hickory DNS&lt;&#x2F;a&gt; is a Rust-based DNS implementation that covers the full stack: resolver, recursor, authoritative server, and DNSSEC. This post documents how to run it as a &lt;strong&gt;full recursive resolver&lt;&#x2F;strong&gt; — starting directly from the root zone, with DNSSEC validation and encrypted upstream transport — based on the changes developed in the &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;git001&#x2F;hickory-dns&#x2F;tree&#x2F;recurser-from-root-zone&quot;&gt;&lt;code&gt;recurser-from-root-zone&lt;&#x2F;code&gt;&lt;&#x2F;a&gt; branch.&lt;&#x2F;p&gt;</description>
      </item>
      <item>
          <title>tls-proxy-tunnel: Transparent TLS Tunnelling Through Corporate HTTP Proxies</title>
          <pubDate>Tue, 02 Jul 2024 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2024/2024-07-02-tls-proxy-tunnel/</link>
          <guid>https://blog.none.at/blog/2024/2024-07-02-tls-proxy-tunnel/</guid>
          <description xml:base="https://blog.none.at/blog/2024/2024-07-02-tls-proxy-tunnel/">&lt;p&gt;Many enterprise networks sit behind a corporate HTTP CONNECT proxy. Applications
that speak TLS natively — think &lt;code&gt;git&lt;&#x2F;code&gt;, &lt;code&gt;curl&lt;&#x2F;code&gt;, SSH-over-HTTPS, or any custom
binary — often have no built-in proxy support. Configuring every single tool is
tedious, fragile, and sometimes impossible when you don’t control the binary.&lt;&#x2F;p&gt;
&lt;p&gt;&lt;code&gt;tls-proxy-tunnel&lt;&#x2F;code&gt; (&lt;code&gt;tpt&lt;&#x2F;code&gt;) solves this at layer 4: it sits between your
application and the outside world, intercepts the TLS connection, extracts the
Server Name Indication (SNI) from the ClientHello, and tunnels the raw bytes
through your corporate HTTP CONNECT proxy — without ever terminating TLS.&lt;&#x2F;p&gt;</description>
      </item>
      <item>
          <title>How does SNI Routing work in HAProxy</title>
          <pubDate>Fri, 17 May 2019 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2019/2019-05-17-haproxy-sni-routing/</link>
          <guid>https://blog.none.at/blog/2019/2019-05-17-haproxy-sni-routing/</guid>
          <description xml:base="https://blog.none.at/blog/2019/2019-05-17-haproxy-sni-routing/">&lt;p&gt;As I travel a lot I faced the problem that in some Wi-Fi networks certain ports are blocked for outgoing communication 😱. The solution is to use software that can handle TCP and HTTP via port &lt;strong&gt;443&lt;&#x2F;strong&gt; so that I can use my Nextcloud and my XMPP client on the same port.&lt;&#x2F;p&gt;</description>
      </item>
    </channel>
</rss>
