Customize Caddy’s plugins with Nix

Caddy is an open-source web server written in Go. It handles TLS certificates automatically and comes with a simple configuration syntax. Users can extend its functionality through plugins¹ to add features like rate limiting, caching, and Docker integration.

While Caddy is available in Nixpkgs, adding extra plugins is not simple.² The compilation process needs Internet access, which Nix denies during build to ensure reproducibility. When trying to build the following derivation using xcaddy, a tool for building Caddy with plugins, it fails with this error: dial tcp: lookup proxy.golang.org on [::1]:53: connection refused.

{ pkgs }:
pkgs.stdenv.mkDerivation {
  name = "caddy-with-xcaddy";
  nativeBuildInputs = with pkgs; [ go xcaddy cacert ];
  unpackPhase = "true";
  buildPhase =
    ''
      xcaddy build --with github.com/caddy-dns/[email protected]
    '';
  installPhase = ''
    mkdir -p $out/bin
    cp caddy $out/bin
  '';
}

Fixed-output derivations are an exception to this rule and get network access during build. They need to specify their output hash. For example, the fetchurl function produces a fixed-output derivation:

{ stdenv, fetchurl }:
stdenv.mkDerivation rec {
  pname = "hello";
  version = "2.12.1";
  src  Continue reading

How We Measure: ISP User Counts

From Python To Go 002. Basic Data Types (Numeric, Boolean, String) and Variables.

Hello my friend,

We continue our blog series about learning Go (Golang) as second programming language, which you can use for network and IT infrastructure automation. Today we’ll talk about the basic data types and variables both in Python and Go

How To Start Automating?

Any programming language, whether it is Python or Go (Golang), is a tool to implement your business logic. Whilst it is very important to be experienced with the tool, it is important also to understand the wide context of network automation, and this is where our trainings will kick start you:

We offer the following training programs in network automation for you:

• Zero-to-Hero Network Automation Training
• High-scale automation with Nornir
• Ansible Automation Orchestration with Ansble Tower / AWX
• Expert-level training: Closed-loop Automation and Next-generation Monitoring

During these trainings you will learn the following topics:

• Success and failure strategies to build the automation tools.
• Principles of software developments and the most useful and convenient tools.
• Data encoding (free-text, XML, JSON, YAML, Protobuf).
• Model-driven network automation with YANG, NETCONF, RESTCONF, GNMI.
• Full configuration templating with Jinja2 based on the source of truth (NetBox).
• Best programming languages (Python, Bash) for developing automation
• The most rock-solid and Continue reading

Weekend Reads 110924

Toward the end of August 2024, a customized malware dubbed “Voldemort” based on strings found in its code was used in a cyber espionage campaign targeting various countries.

Until 2019, it was a Google partner running full Android. Then it forked its own version of Android, called it HarmonyOS, stopped including Google proprietary apps, and set up its own Android app store.

As previously discussed in this post, Xiong’an New Area (Xiong’an), a pilot city established in 2017 about 100 kilometres west of Beijing, aims to be a model for future digital cities, built with IPv6-only infrastructure from the start.

A little over three dozen security vulnerabilities have been disclosed in various open-source artificial intelligence (AI) and machine learning (ML) models, some of which could lead to remote code execution and information theft.

Today, we’re excited to announce the launch of Kentik’s Cloud Latency Map, a public service that uses Kentik Synthetics to continuously measure latency between the regions of the biggest cloud providers.

Data can undergo a similar transformation—two pieces of data, linked, such that changing one has an impact on the other. Think of this as “spooky data at a distance.”

In this work, we aim to Continue reading

The Back End AI Network Puts Pressure On The Front End

For most of the history of high performance computing, a supercomputer was a freestanding, isolated machine that was designed to run some simulation or model and the only link it needed to the outside world was a relatively small one to show some visualization. …

The Back End AI Network Puts Pressure On The Front End was written by Timothy Prickett Morgan at The Next Platform.

HN757: Building a DIY SD-WAN to Serve (Very) Remote Customers

How we prevent conflicts in authoritative DNS configuration using formal verification

Over the last year, Cloudflare has begun formally verifying the correctness of our internal DNS addressing behavior — the logic that determines which IP address a DNS query receives when it hits our authoritative nameserver. This means that for every possible DNS query for a proxied domain we could receive, we try to mathematically prove properties about our DNS addressing behavior, even when different systems (owned by different teams) at Cloudflare have contradictory views on which IP addresses should be returned.

To achieve this, we formally verify the programs — written in a custom Lisp-like programming language — that our nameserver executes when it receives a DNS query. These programs determine which IP addresses to return. Whenever an engineer changes one of these programs, we run all the programs through our custom model checker (written in Racket + Rosette) to check for certain bugs (e.g., one program overshadowing another) before the programs are deployed.

Our formal verifier runs in production today, and is part of a larger addressing system called Topaz. In fact, it’s likely you’ve made a DNS query today that triggered a formally verified Topaz program.

This post is a technical description of how Continue reading

Latency Numbers Every Programmer Should Know

One of the key arguments against stretched clusters (and similar stupidities) I used in my Disaster Recovery Myths presentation was the SSD read latency versus cross-site round-trip time.

Thanks to Networking Notes, I found a great infographic I can use in my next presentation (bonus points: it also works great in a terminal when fetched with curl) and a site that checks the latency of your web site from various vantage points.

TL007: Hot Takes on Technical Leadership

Juniper EX Switch Port Mirroring

In this blog post, we will look at how to set up port mirroring on Juniper EX switches. The goal is to mirror all the traffic coming in and going out of one switch port to another port. By doing this, we can connect a laptop to the mirrored port and capture all the traffic. This is particularly useful when you can't directly capture traffic from a device, such as a CCTV camera, TV, or other similar devices. Let's get started.

In this example, we have a database server connected to port ge-1/0/1, and we want to mirror all traffic going in and out of this port to port ge-1/0/4, where our laptop is connected. With this setup, we can use Wireshark on the laptop to capture the mirrored traffic.

configure
edit forwarding-options
edit analyzer my_capture

set input ingress interface ge-1/0/1
set input egress interface ge-1/0/1
set output interface ge-1/0/4

commit

The ingress and egress parts of the configuration refer to the traffic coming into the port (ingress) and leaving the port (egress). Ideally, we want to capture traffic in both directions, but you have the option to mirror traffic in only one direction if needed.

If you Continue reading

Cisco Puts Big AI Infrastructure Into Small Packages

Generative AI is still very much an emerging technology and it’s morphing and evolving rapidly, as is illustrated with the trend toward agentic AI, which we’ve written about previously. …

Cisco Puts Big AI Infrastructure Into Small Packages was written by Jeffrey Burt at The Next Platform.

N4N002: Bandwidth and Latency Explained

Stop Bottlenecking Your AI: Storage Hacks for Hungry GPUs

COMMISSIONED  In the fast-paced world of AI, GPUs are often hailed as the quiet powerhouse driving innovation. …

Stop Bottlenecking Your AI: Storage Hacks for Hungry GPUs was written by Timothy Prickett Morgan at The Next Platform.

A look at the latest post-quantum signature standardization candidates

On October 24, 2024, the National Institute of Standards and Technology (NIST) announced that they’re advancing fourteen post-quantum signature schemes to the second round of the “signatures on ramp” competition. “Post-quantum” means that these algorithms are designed to resist the attack of quantum computers. NIST already standardized four post-quantum signature schemes (ML-DSA, SLH-DSA, XMSS, and LHS) and they are drafting a standard for a fifth (Falcon). Why do we need even more, you might ask? We’ll get to that.

A regular reader of the blog will know that this is not the first time we’ve taken measure of post-quantum signatures. In 2021 we took a first hard look, and reported on the performance impact we expect from large-scale measurements.  Since then, dozens of new post-quantum algorithms have been proposed. Many of them have been submitted to this new NIST competition. We discussed some of the more promising ones in our early 2024 blog post.

In this blog post, we will go over the fourteen schemes advanced to the second round of the on ramp and discuss their feasibility for use in TLS — the protocol that secures browsing the Internet. The defining Continue reading

Leveraging GPO to Distribute User- and Computer Certificate

The use of Group Policy Objects (GPO) can be really powerful in a Windows environment. In this post we’re going to leverage GPO to distribute certificates to the user and computer as well as enabling the 802.1X supplicant.

First, let’s see if there are any certificates on the Windows 10 VM in my lab:

Currently, there are no certificates present on the VM. It has also not been joined to the domain.

First, open the GPO app:

There’s a default domain policy that can be used, but I’m going to create new policies, one for users, and one for computers. First, let’s create a policy for computers. I’m going to right click my computer OU, named iselab computers, and then select Create a GPO in this domain, and Link it here…:

Give the GPO a name:

The GPO has been created:

Right click the GPO and select Edit…:

The GPO Editor window opens:

Then we’re going to navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies and select Certificate Services Client – Auto Enrollment and then Properties:

A new window opens up:

Change the Configuration Model to Enabled and Continue reading

Understanding BGP – Establishing peering

After some reflection I’ve realized that while I’ve spent a lot of time talking about BGP in it’s many forms I haven’t really ever done a deep dive on it. To be clear – Im not aiming to talk about how to configure BGP , or how path selection works, or even how to troubleshoot BGP. What I want to examine is what BGP is doing on the wire. How it communicates with peers, when it sends updates, and what kind of things are in the updates. Im hoping to write several blogs starting with the basics and then diving deeper as we go. That said, let’s get started!

To start things out with – I think it makes sense to start with a simple lab consisting of two BGP nodes that are peering together. Something like this…

I don’t want to spend a lot of time focusing on the configuration syntax and basic configuration parameters so let’s just run BIRD on both of the nodes so we can get off the ground with minimal effort. Let’s assume that both BGP Peers shown above are just normal Ubuntu VMs and both have a single interface on common 169.254.10. Continue reading

NAN078: The Evolution of Ostinato: From Open Source to a Sustainable Business

We Can’t Get Enough HBM, Or Stack It Up High Enough

There are lots of ways that we might build out the memory capacity and memory bandwidth of compute engines to drive AI and HPC workloads better than we have been able to do thus far. …

We Can’t Get Enough HBM, Or Stack It Up High Enough was written by Timothy Prickett Morgan at The Next Platform.

D2DO256: Alkira’s Universal Transit: Simplifying Hybrid & Multi-Cloud Networks (Sponsored)

Exploring Internet traffic shifts and cyber attacks during the 2024 US election

Elections are not just a matter of casting ballots. They depend on citizens being able to register to vote and accessing information about candidates and the election process, which in turn depend on the strength and security of the Internet. Despite the risks posed by potential cyberattacks aimed to disrupt democracy, Cloudflare did not observe any significant disruptions to campaigns or local government websites from cyberattack.

Tuesday, November 5, 2024 was Election Day in the United States. It not only decided the next president and vice president but also included elections for the US Senate, House of Representatives, state governorships, and state legislatures. Results confirm that Republican Donald Trump won the presidential election.

In this blog post, we examine online attacks against election-related sites — some of which were notable but none were disruptive — and how initial election results impacted Internet traffic across the US at both national and state levels, with increases in traffic as much as 15% nationwide. We’ll also explore email phishing trends and general DNS data around news interest, the candidates, and election-related activity.

We’ve been tracking 2024 elections globally through our blog and election report on Cloudflare Radar, covering some of the more Continue reading