Verified Commit 692d89dc authored by Sheogorath

docs: Add link to split-dns wikipedia entry

parent 93e0d703
...@@ -4,7 +4,7 @@ The Shivering-Isles Infrastructure, given it's a local-first infrastructure has ...@@ -4,7 +4,7 @@ The Shivering-Isles Infrastructure, given it's a local-first infrastructure has
## TCP Forwarding ## TCP Forwarding
A intentional design decision was to avoid split DNS. Given that all DNS is hosted on Cloudflare with full DNSSEC integration, as well as running devices with active DoT always connecting external DNS Server, made split-DNS a bad implementation. A intentional design decision was to avoid [split DNS](https://en.wikipedia.org/w/index.php?title=Split-horizon_DNS&oldid=1154237143). Given that all DNS is hosted on Cloudflare with full DNSSEC integration, as well as running devices with active DoT always connecting external DNS Server, made split-DNS a bad implementation.
At the same time, a simple rerouting of all traffic to the external IP would also be problematic, as it would require either a dedicated IP address or complex source-based routing to only route traffic for client networks while allowing VPN traffic to continue to flow to the VPS. At the same time, a simple rerouting of all traffic to the external IP would also be problematic, as it would require either a dedicated IP address or complex source-based routing to only route traffic for client networks while allowing VPN traffic to continue to flow to the VPS.
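Review bot: the added link in this hunk is good (pinning the Wikipedia revision via `oldid` keeps the reference stable), but since the sentence is being touched anyway, the grammar in the new version should be fixed as well: "A intentional design decision" should read "An intentional design decision", and the second sentence ("Given that all DNS is hosted on Cloudflare ..., made split-DNS a bad implementation.") has no subject. Suggested wording: "Because all DNS is hosted on Cloudflare with full DNSSEC integration, and devices with DoT enabled always connect to the external DNS server anyway, split DNS would have been a poor fit." That also states the security point more clearly: a split-horizon zone would be bypassed by DoT clients and would have to be kept consistent with the DNSSEC-signed public zone.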
...@@ -24,4 +24,4 @@ On the VPS, the TCP connection is handled by an HAProxy instance that speaks [pr ...@@ -24,4 +24,4 @@ On the VPS, the TCP connection is handled by an HAProxy instance that speaks [pr
On the Unifi Dream Machine it's a simple iptables rule, which redirects the traffic. In order to also use proxy-protocol with the ingress service, it's actually redirected to an HAProxy running in the Kubernetes cluster besides the ingress-nginx. This is mainly due to the limitation in ingress-nginx that doesn't allow mixed proxy-protocol and non-proxy-protocol ports without using custom configuration templates. On the Unifi Dream Machine it's a simple iptables rule, which redirects the traffic. In order to also use proxy-protocol with the ingress service, it's actually redirected to an HAProxy running in the Kubernetes cluster besides the ingress-nginx. This is mainly due to the limitation in ingress-nginx that doesn't allow mixed proxy-protocol and non-proxy-protocol ports without using custom configuration templates.
![Image of the flow of traffic for internal and external users within the cluster. For internal users, the traffic without proxy-protocol hits the haproxy-proxy-protocol Service in the Kubernetes cluster, which forwards it to the haproxy Pod. That Pod then sends the traffic, now with proxy-protocol, to the ingress-nginx-controller Service, which forwards it to the ingress-nginx-controller Pod. For external users, the traffic is directly routed to the ingress-nginx-conroller Service, since it's already with proxy-protocol. It's then also forwarded to the ingress-nginx-controller Pod.](images/ingress-termination-proxy-protocol.excalidraw.png) ![Image of the flow of traffic for internal and external users within the cluster. For internal users, the traffic without proxy-protocol hits the haproxy-proxy-protocol Service in the Kubernetes cluster, which forwards it to the haproxy Pod. That Pod then sends the traffic, now with proxy-protocol, to the ingress-nginx-controller Service, which forwards it to the ingress-nginx-controller Pod. For external users, the traffic is directly routed to the ingress-nginx-conroller Service, since it's already with proxy-protocol. It's then also forwarded to the ingress-nginx-controller Pod.](images/ingress-termination-proxy-protocol.excalidraw.png)
\ No newline at end of file
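Review bot: this hunk changes nothing but the trailing newline (`\ No newline at end of file`), which is fine to fix in a docs commit, but the image alt text on the last line carries a typo in both the old and new version: "ingress-nginx-conroller Service" should be "ingress-nginx-controller Service", matching the other three occurrences in the same alt text. Worth correcting while this line is already being rewritten.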