How haproxy ddos protection works - haproxy

From the documentation of haproxy, it says that it has DDoS protection.
Can anybody explain how it works? Is it enabled out of the box, or do you need to configure it? I did not find much in the documentation.

Haproxy docs don't explain how to enable DDoS protection, because there is no 'ON/OFF' switch for this. Instead, Haproxy provides a tool-set to configure a list of filtering rules. Here is a blog entry that explains common DDoS mitigation patterns: http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
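As an added example (not from the answer above or from the linked blog post), this is what such a set of filtering rules looks like in a haproxy.cfg: a stick-table keyed on the client source address, connection-level rejects that fire before any TLS or HTTP parsing, and request-level denies that catch floods carried over keep-alive connections. The frontend and backend names, the thresholds and the trusted 10.0.0.0/8 range are assumptions chosen for illustration; the directives and sample fetches (stick-table, tcp-request connection, http-request deny, conn_cur, conn_rate, http_req_rate, http_err_rate) are standard HAProxy configuration keywords.

```haproxy
# Added example: per-client rate limiting in an HAProxy frontend.
# Names, thresholds and the trusted range are assumptions, not values from the page.
frontend ft_web
    bind *:80
    mode http

    # Trusted clients (assumed range) are never rate limited.
    acl trusted_src src 10.0.0.0/8

    # One entry per client IP; counters are kept for 30s after the last hit.
    stick-table type ip size 200k expire 30s store conn_cur,conn_rate(3s),http_req_rate(10s),http_err_rate(10s)

    # Accept-time rules: evaluated before TLS or HTTP parsing, so they are cheap.
    tcp-request connection accept if trusted_src
    tcp-request connection track-sc0 src
    # More than 20 concurrent connections from one address
    tcp-request connection reject if { src_conn_cur ge 20 }
    # More than 30 new connections within 3 seconds from one address
    tcp-request connection reject if { src_conn_rate ge 30 }

    # Request-level rules: needed because keep-alive lets one connection carry many requests.
    # More than 100 requests within 10 seconds -> 429 Too Many Requests
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    # More than 20 HTTP errors (malformed requests or 4xx responses) within 10 seconds
    # usually indicates a scanner or a credential-guessing client
    http-request deny deny_status 403 if { sc_http_err_rate(0) gt 20 }

    default_backend bk_web

backend bk_web
    mode http
    server web1 127.0.0.1:8080 check
```

Two things to check before relying on rules like these. First, `src` is the address of the TCP peer: if HAProxy sits behind another load balancer or a CDN, every client shares that peer address and the whole table collapses to one entry, so the source must come from the PROXY protocol (`accept-proxy` on the bind line) or the rules must key on a trusted forwarding header instead. Second, the thresholds have to be measured against legitimate peak traffic (a single office NAT address can legitimately open many connections), and the stick-table size bounds memory use: once it fills, the oldest entries are evicted and those clients are counted from zero again.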

Related

Keycloak with mod-security

I plan to use Keycloak as our primary login app, but before I move forward with deployment, I need to address one concern. The issue arose when I enabled mod-security on the Apache server. This resulted in several Keycloak screens and operations becoming blocked, including the ability to update the theme. If I disable mod-security, everything works fine.
Am I doing anything wrong, or am I missing some kind of setting for mod-security in Keycloak?
Kindly suggest a solution.
I tried to disable a few rules, but there are too many, and also for disabling a rule I need to provide a proper reason to do so.
OWASP ModSecurity Core Rule Set Dev on Duty here. Are you using the Core Rule Set (CRS)? Are those the rules you are having trouble with, or are you using some other rule set? Please confirm.
Assuming you are using CRS, have you tuned your WAF installation for your web application (Keycloak)? Tuning is a required step before CRS can be properly and correctly used in front of a web application. This is especially true if using a higher paranoia level, i.e. paranoia level 2 and above.
There are some great guides and documentation available online which cover the tuning process. The CRS false positives and tuning documentation is very good. There is also a popular series of tutorials on netnea.com which cover every step from the very beginning: compiling the ModSecurity WAF engine, installing CRS, tuning by writing rule exclusions, and more.

Is it possible to capture HTTP/3 (QUIC) traffic with Fiddler Proxy? (Fiddler Classic)

I have a long-time setup which is capturing and decrypting HTTPS using Fiddler Proxy. I use my jailbroken phone so I can get around certificate pinning as well, and run it through this proxy to capture traffic and analyze requests/responses for different apps. I love Fiddler because it allows me to modify content on the fly at will to find issues. Today I ran into an app that is not behaving nicely, and after some hours of research it seems my issue is because the app is using HTTP/3, and I haven't been able to make it work. Am I just barking up the wrong tree here? Is it even possible to capture such traffic with Fiddler Proxy? Any alternatives with similar features that I could use? I'm not an expert on protocols and certificates, etc., so please bear with me on the question :-). Thanks to any gurus out there that can help!
No, it's not possible.
As of right now, AFAIK there are no HTTP debugging proxies that support HTTP/3. For Fiddler specifically, they only shipped HTTP/2 support a few months ago (Jan 2022, 7 years after HTTP/2 was standardized) and only in Fiddler Everywhere. There's no mention of any timeline for shipping it in Fiddler Classic I can see, maybe never.
I can't speak for the Fiddler team's reasons, but I also maintain a debugging proxy and the general problem is that most languages don't yet have stable libraries available to easily handle HTTP/3, which makes it very difficult to support. There's some background on the causes of this here: https://daniel.haxx.se/blog/2021/10/25/the-quic-api-openssl-will-not-provide/. There are some experimental implementations available now, but in most cases nothing that's easy to integrate and reliable, unlike HTTP and HTTP/2 (normally provided as part of programming languages' core libraries, often with many battle-tested userspace implementations available too).
From the HTTP/2 approach, I would guess that HTTP/3 support in Fiddler is a couple of years away at least and will only be coming to Fiddler Everywhere, not to Fiddler Classic (but I don't know for sure - you'd have to ask them).
In the meantime, the best workaround available is to block HTTP/3 traffic entirely. Well-behaved clients should fall back to HTTP/1 or 2 automatically. Blocking all UDP packets on port 443 using a firewall will generally be sufficient (it can be used on other ports, but I've never seen it in practice).

Istio: How can I configure NetworkFailPolicy?

I’m looking for ways to maintain high availability in the case that one of the policy pods is unavailable and found the following information on the official website:
https://istio.io/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/#NetworkFailPolicy
But I did not find any additional information on how to apply these rules in my deployment. Can someone help me with this and tell me how to change these values?
What you're looking for can be found here, in the Istio documentation: Destination Rules
Specifically check this link
This Istio blog post about Using Network Policy with Istio redirects us to the Calico documentation.
Network Policy is universal, highly efficient, and isolated from the pods, making it ideal for applying policy in support of network security goals. Furthermore, having policy that operates at different layers of the network stack is a really good thing as it gives each layer specific context without commingling of state and allows separation of responsibility.
This post is based on the three part blog series by Spike Curtis, one of the Istio team members at Tigera. The full series can be found here: https://www.projectcalico.org/using-network-policy-in-concert-with-istio/
Additional links which could be useful:
Calico Network Policy
Kubernetes Network Policy

How to setup Keycloak in High Availability

I'm wondering if it's possible to set up Keycloak in high availability. If yes, could you give some advice?
Yes, it's possible.
Have you considered checking the Keycloak documentation regarding this topic?
https://www.keycloak.org/docs/latest/server_installation/index.html#_clustering
https://www.keycloak.org/docs/latest/server_installation/#_operating-mode (e.g. Standalone Clustered Mode)
If you need additional help, please add more information to your question. But it would be nice if you read the documentation first :-)

Question regarding VSCode's "Network Connections" documentation

So I work behind a corporate network and, at the moment, VSCode's extension search feature doesn't work because it's blocked by our proxy. I'm in the middle of working with our network guys to get it whitelisted and had a question regarding the hostnames listed in their documentation page.
Namely, what each of the hostnames they tell you to whitelist does/which features need said hostname. Some of them are fairly self explanatory based on the name, but others are less clear. For convenience, here's the list of URLs along with a guess for their purpose:
VSCode Proxy URLs
I tried asking on the /r/vscode subreddit, but got no bites there. Since the GitHub issue tracker isn't for questions, I'm asking here.