npm - blockmine - Versions diffs - 1.21.0 → 1.23.0 - Mend

blockmine 1.21.0 → 1.23.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (492) hide show

package/.claude/skills/network-engineering/resources/load-balancing.md ADDED Viewed

@@ -0,0 +1,820 @@
+# Load Balancing
+Comprehensive guide to load balancing covering algorithms, protocols, health checks, and implementation across different platforms including HAProxy, nginx, and cloud-native load balancers.
+## Table of Contents
+- [Overview](#overview)
+- [Load Balancer Types](#load-balancer-types)
+- [Load Balancing Algorithms](#load-balancing-algorithms)
+- [Health Checks](#health-checks)
+- [SSL/TLS Termination](#ssltls-termination)
+- [Session Persistence](#session-persistence)
+- [Cloud Load Balancers](#cloud-load-balancers)
+- [HAProxy Configuration](#haproxy-configuration)
+- [Nginx Load Balancing](#nginx-load-balancing)
+- [Kubernetes Ingress](#kubernetes-ingress)
+- [Best Practices](#best-practices)
+- [Anti-Patterns](#anti-patterns)
+## Overview
+Load balancing distributes network traffic across multiple servers to ensure high availability, optimal resource utilization, and improved application performance.
+**Key Benefits:**
+- High availability through redundancy
+- Horizontal scalability
+- Zero-downtime deployments
+- Traffic distribution optimization
+- SSL/TLS offloading
+- Protection against DDoS attacks
+## Load Balancer Types
+### Layer 4 (Transport Layer)
+**Characteristics:**
+- Operates at TCP/UDP level
+- Routes based on IP address and port
+- Fast, low latency
+- Protocol-agnostic
+- Cannot inspect application data
+**Use Cases:**
+- High-throughput applications
+- Non-HTTP protocols
+- UDP load balancing
+- Simple TCP pass-through
+**Example: AWS Network Load Balancer (NLB)**
+```yaml
+# NLB via Terraform
+resource "aws_lb" "network" {
+  name               = "app-nlb"
+  internal           = false
+  load_balancer_type = "network"
+  subnets            = var.public_subnet_ids
+  enable_cross_zone_load_balancing = true
+  enable_deletion_protection       = true
+  tags = {
+    Name        = "app-nlb"
+    Environment = "production"
+  }
+}
+resource "aws_lb_target_group" "tcp" {
+  name     = "app-tcp-targets"
+  port     = 8080
+  protocol = "TCP"
+  vpc_id   = var.vpc_id
+  health_check {
+    enabled             = true
+    interval            = 30
+    port                = "traffic-port"
+    protocol            = "TCP"
+    healthy_threshold   = 3
+    unhealthy_threshold = 3
+  }
+  deregistration_delay = 30
+}
+resource "aws_lb_listener" "tcp" {
+  load_balancer_arn = aws_lb.network.arn
+  port              = 443
+  protocol          = "TCP"
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tcp.arn
+  }
+}
+```
+### Layer 7 (Application Layer)
+**Characteristics:**
+- Operates at HTTP/HTTPS level
+- Content-based routing
+- SSL termination
+- Request inspection
+- URL/header-based routing
+- WebSocket support
+**Use Cases:**
+- HTTP/HTTPS applications
+- Microservices routing
+- A/B testing
+- Canary deployments
+- API gateways
+**Example: AWS Application Load Balancer (ALB)**
+```yaml
+# ALB with path-based routing
+resource "aws_lb" "application" {
+  name               = "app-alb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alb.id]
+  subnets            = var.public_subnet_ids
+  enable_deletion_protection = true
+  enable_http2              = true
+  enable_waf                = true
+  access_logs {
+    bucket  = aws_s3_bucket.alb_logs.id
+    enabled = true
+  }
+}
+resource "aws_lb_target_group" "api" {
+  name     = "api-targets"
+  port     = 8080
+  protocol = "HTTP"
+  vpc_id   = var.vpc_id
+  health_check {
+    enabled             = true
+    path                = "/health"
+    port                = "traffic-port"
+    protocol            = "HTTP"
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+    timeout             = 5
+    interval            = 30
+    matcher             = "200"
+  }
+  stickiness {
+    type            = "lb_cookie"
+    cookie_duration = 86400
+    enabled         = true
+  }
+  deregistration_delay = 30
+}
+resource "aws_lb_listener" "https" {
+  load_balancer_arn = aws_lb.application.arn
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  certificate_arn   = var.certificate_arn
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.api.arn
+  }
+}
+# Path-based routing
+resource "aws_lb_listener_rule" "api_v2" {
+  listener_arn = aws_lb_listener.https.arn
+  priority     = 100
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.api_v2.arn
+  }
+  condition {
+    path_pattern {
+      values = ["/api/v2/*"]
+    }
+  }
+}
+# Header-based routing
+resource "aws_lb_listener_rule" "canary" {
+  listener_arn = aws_lb_listener.https.arn
+  priority     = 50
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.canary.arn
+  }
+  condition {
+    http_header {
+      http_header_name = "X-Canary-Version"
+      values           = ["v2"]
+    }
+  }
+}
+```
+### Global Load Balancers
+**Characteristics:**
+- Geographic distribution
+- DNS-based routing
+- Multi-region failover
+- Latency-based routing
+**Example: AWS Global Accelerator**
+```hcl
+resource "aws_globalaccelerator_accelerator" "main" {
+  name            = "app-accelerator"
+  ip_address_type = "IPV4"
+  enabled         = true
+  attributes {
+    flow_logs_enabled   = true
+    flow_logs_s3_bucket = aws_s3_bucket.flow_logs.id
+  }
+}
+resource "aws_globalaccelerator_listener" "main" {
+  accelerator_arn = aws_globalaccelerator_accelerator.main.id
+  protocol        = "TCP"
+  port_range {
+    from_port = 443
+    to_port   = 443
+  }
+}
+resource "aws_globalaccelerator_endpoint_group" "us_east" {
+  listener_arn = aws_globalaccelerator_listener.main.id
+  endpoint_group_region = "us-east-1"
+  health_check_interval_seconds = 30
+  health_check_path            = "/health"
+  health_check_port            = 443
+  health_check_protocol        = "HTTPS"
+  threshold_count              = 3
+  traffic_dial_percentage      = 100
+  endpoint_configuration {
+    endpoint_id = aws_lb.us_east.arn
+    weight      = 100
+  }
+}
+resource "aws_globalaccelerator_endpoint_group" "eu_west" {
+  listener_arn = aws_globalaccelerator_listener.main.id
+  endpoint_group_region = "eu-west-1"
+  traffic_dial_percentage = 100
+  endpoint_configuration {
+    endpoint_id = aws_lb.eu_west.arn
+    weight      = 100
+  }
+}
+```
+## Load Balancing Algorithms
+### Round Robin
+**How it works:** Distributes requests sequentially across all servers.
+**Pros:**
+- Simple and fair distribution
+- No state required
+- Works well with identical servers
+**Cons:**
+- Doesn't account for server load
+- Not suitable for varying server capacities
+**Configuration:**
+```nginx
+upstream backend {
+    server backend1.example.com;
+    server backend2.example.com;
+    server backend3.example.com;
+}
+```
+### Weighted Round Robin
+**How it works:** Distributes based on assigned weights.
+```nginx
+upstream backend {
+    server backend1.example.com weight=3;  # Gets 3x traffic
+    server backend2.example.com weight=2;  # Gets 2x traffic
+    server backend3.example.com weight=1;  # Gets 1x traffic
+}
+```
+### Least Connections
+**How it works:** Routes to server with fewest active connections.
+**Best for:** Long-lived connections, varying request durations
+```nginx
+upstream backend {
+    least_conn;
+    server backend1.example.com;
+    server backend2.example.com;
+    server backend3.example.com;
+}
+```
+### IP Hash
+**How it works:** Hash client IP to determine server.
+**Best for:** Session persistence, sticky sessions
+```nginx
+upstream backend {
+    ip_hash;
+    server backend1.example.com;
+    server backend2.example.com;
+    server backend3.example.com;
+}
+```
+### Consistent Hashing
+**How it works:** Hash-based distribution with minimal disruption on server changes.
+```haproxy
+backend app_servers
+    balance hdr(X-User-ID)
+    hash-type consistent
+    server app1 10.0.1.10:8080 check
+    server app2 10.0.1.11:8080 check
+    server app3 10.0.1.12:8080 check
+```
+## Health Checks
+### Active Health Checks
+**HTTP/HTTPS Health Checks:**
+```yaml
+# Kubernetes Liveness Probe
+livenessProbe:
+  httpGet:
+    path: /health
+    port: 8080
+    httpHeaders:
+    - name: X-Health-Check
+      value: "true"
+  initialDelaySeconds: 30
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 3
+  successThreshold: 1
+# Kubernetes Readiness Probe
+readinessProbe:
+  httpGet:
+    path: /ready
+    port: 8080
+  initialDelaySeconds: 5
+  periodSeconds: 5
+  timeoutSeconds: 3
+  failureThreshold: 3
+  successThreshold: 1
+```
+**TCP Health Checks:**
+```haproxy
+backend mysql_servers
+    mode tcp
+    balance leastconn
+    option tcp-check
+    tcp-check connect port 3306
+    server mysql1 10.0.1.20:3306 check inter 2s rise 2 fall 3
+    server mysql2 10.0.1.21:3306 check inter 2s rise 2 fall 3
+```
+### Passive Health Checks
+**Circuit Breaker Pattern:**
+```nginx
+upstream backend {
+    server backend1.example.com max_fails=3 fail_timeout=30s;
+    server backend2.example.com max_fails=3 fail_timeout=30s;
+    server backend3.example.com max_fails=3 fail_timeout=30s;
+}
+```
+## SSL/TLS Termination
+### HAProxy SSL Termination
+```haproxy
+global
+    maxconn 4096
+    tune.ssl.default-dh-param 2048
+frontend https_frontend
+    bind *:443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
+    # Security headers
+    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
+    http-response set-header X-Frame-Options "SAMEORIGIN"
+    http-response set-header X-Content-Type-Options "nosniff"
+    # Redirect HTTP to HTTPS
+    redirect scheme https code 301 if !{ ssl_fc }
+    default_backend app_servers
+backend app_servers
+    balance roundrobin
+    option httpchk GET /health
+    http-check expect status 200
+    server app1 10.0.1.10:8080 check
+    server app2 10.0.1.11:8080 check
+```
+### Nginx SSL Termination
+```nginx
+server {
+    listen 443 ssl http2;
+    server_name app.example.com;
+    ssl_certificate /etc/nginx/ssl/cert.pem;
+    ssl_certificate_key /etc/nginx/ssl/key.pem;
+    # Modern SSL configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    add_header Strict-Transport-Security "max-age=31536000" always;
+    location / {
+        proxy_pass http://backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+```
+## Session Persistence
+### Cookie-Based Persistence
+```haproxy
+backend app_servers
+    balance roundrobin
+    # Insert cookie for session stickiness
+    cookie SERVERID insert indirect nocache
+    server app1 10.0.1.10:8080 check cookie app1
+    server app2 10.0.1.11:8080 check cookie app2
+    server app3 10.0.1.12:8080 check cookie app3
+```
+### Application-Controlled Sessions
+```nginx
+upstream backend {
+    hash $cookie_session_id consistent;
+    server backend1.example.com;
+    server backend2.example.com;
+    server backend3.example.com;
+}
+```
+## Cloud Load Balancers
+### AWS Load Balancer Comparison
+```
+Feature              ALB          NLB           GLB
+Layer                7            4             4
+Protocol             HTTP/HTTPS   TCP/UDP/TLS   Any IP
+Routing              Content      Connection    Network
+Static IP            No           Yes           No
+PrivateLink          Yes          Yes           No
+WebSocket            Yes          Yes           No
+gRPC                 Yes          Yes           No
+Lambda Target        Yes          No            No
+```
+### GCP Load Balancer
+```yaml
+# GCP HTTP(S) Load Balancer via Terraform
+resource "google_compute_global_forwarding_rule" "https" {
+  name       = "app-https-forwarding-rule"
+  target     = google_compute_target_https_proxy.default.id
+  port_range = "443"
+  ip_address = google_compute_global_address.default.address
+}
+resource "google_compute_target_https_proxy" "default" {
+  name             = "app-https-proxy"
+  url_map          = google_compute_url_map.default.id
+  ssl_certificates = [google_compute_ssl_certificate.default.id]
+}
+resource "google_compute_url_map" "default" {
+  name            = "app-url-map"
+  default_service = google_compute_backend_service.default.id
+  host_rule {
+    hosts        = ["app.example.com"]
+    path_matcher = "allpaths"
+  }
+  path_matcher {
+    name            = "allpaths"
+    default_service = google_compute_backend_service.default.id
+    path_rule {
+      paths   = ["/api/v2/*"]
+      service = google_compute_backend_service.api_v2.id
+    }
+  }
+}
+resource "google_compute_backend_service" "default" {
+  name          = "app-backend-service"
+  protocol      = "HTTP"
+  timeout_sec   = 30
+  health_checks = [google_compute_health_check.default.id]
+  backend {
+    group           = google_compute_instance_group.us_central1.id
+    balancing_mode  = "UTILIZATION"
+    capacity_scaler = 1.0
+  }
+  backend {
+    group           = google_compute_instance_group.us_east1.id
+    balancing_mode  = "UTILIZATION"
+    capacity_scaler = 1.0
+  }
+  log_config {
+    enable      = true
+    sample_rate = 1.0
+  }
+}
+resource "google_compute_health_check" "default" {
+  name                = "app-health-check"
+  check_interval_sec  = 10
+  timeout_sec         = 5
+  healthy_threshold   = 2
+  unhealthy_threshold = 3
+  http_health_check {
+    port         = 8080
+    request_path = "/health"
+  }
+}
+```
+## HAProxy Configuration
+```haproxy
+global
+    log /dev/log local0
+    maxconn 4096
+    user haproxy
+    group haproxy
+    daemon
+    # SSL settings
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
+    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+    stats socket /run/haproxy/admin.sock mode 660 level admin
+    stats timeout 30s
+defaults
+    log     global
+    mode    http
+    option  httplog
+    option  dontlognull
+    option  http-server-close
+    option  forwardfor except 127.0.0.0/8
+    option  redispatch
+    retries 3
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+    errorfile 400 /etc/haproxy/errors/400.http
+    errorfile 403 /etc/haproxy/errors/403.http
+    errorfile 408 /etc/haproxy/errors/408.http
+    errorfile 500 /etc/haproxy/errors/500.http
+    errorfile 502 /etc/haproxy/errors/502.http
+    errorfile 503 /etc/haproxy/errors/503.http
+    errorfile 504 /etc/haproxy/errors/504.http
+frontend stats
+    bind *:8404
+    stats enable
+    stats uri /stats
+    stats refresh 10s
+    stats auth admin:password
+frontend http_frontend
+    bind *:80
+    redirect scheme https code 301
+frontend https_frontend
+    bind *:443 ssl crt /etc/haproxy/certs/
+    # Rate limiting
+    stick-table type ip size 100k expire 30s store http_req_rate(10s)
+    http-request track-sc0 src
+    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
+    # ACLs for routing
+    acl is_api path_beg /api
+    acl is_admin path_beg /admin
+    acl is_static path_end .jpg .png .css .js
+    use_backend api_servers if is_api
+    use_backend admin_servers if is_admin
+    use_backend static_servers if is_static
+    default_backend app_servers
+backend app_servers
+    balance roundrobin
+    option httpchk GET /health HTTP/1.1\r\nHost:\ localhost
+    http-check expect status 200
+    server app1 10.0.1.10:8080 check inter 2s rise 2 fall 3 maxconn 1000
+    server app2 10.0.1.11:8080 check inter 2s rise 2 fall 3 maxconn 1000
+    server app3 10.0.1.12:8080 check inter 2s rise 2 fall 3 maxconn 1000
+backend api_servers
+    balance leastconn
+    option httpchk GET /api/health
+    server api1 10.0.2.10:8080 check
+    server api2 10.0.2.11:8080 check
+```
+## Nginx Load Balancing
+```nginx
+http {
+    upstream backend {
+        least_conn;
+        server backend1.example.com:8080 max_fails=3 fail_timeout=30s;
+        server backend2.example.com:8080 max_fails=3 fail_timeout=30s;
+        server backend3.example.com:8080 max_fails=3 fail_timeout=30s;
+        # Backup server
+        server backup.example.com:8080 backup;
+        keepalive 32;
+    }
+    upstream api_backend {
+        hash $request_uri consistent;
+        server api1.example.com:8080;
+        server api2.example.com:8080;
+        keepalive 32;
+    }
+    server {
+        listen 80;
+        server_name app.example.com;
+        return 301 https://$server_name$request_uri;
+    }
+    server {
+        listen 443 ssl http2;
+        server_name app.example.com;
+        ssl_certificate /etc/nginx/ssl/cert.pem;
+        ssl_certificate_key /etc/nginx/ssl/key.pem;
+        location / {
+            proxy_pass http://backend;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            # Timeouts
+            proxy_connect_timeout 60s;
+            proxy_send_timeout 60s;
+            proxy_read_timeout 60s;
+            # Buffering
+            proxy_buffering on;
+            proxy_buffer_size 4k;
+            proxy_buffers 8 4k;
+        }
+        location /api/ {
+            proxy_pass http://api_backend;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+        }
+        location /health {
+            access_log off;
+            return 200 "healthy\n";
+            add_header Content-Type text/plain;
+        }
+    }
+}
+```
+## Kubernetes Ingress
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: app-ingress
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/rate-limit: "100"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/affinity: "cookie"
+    nginx.ingress.kubernetes.io/session-cookie-name: "route"
+    nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
+spec:
+  tls:
+  - hosts:
+    - app.example.com
+    secretName: app-tls
+  rules:
+  - host: app.example.com
+    http:
+      paths:
+      - path: /api/v1
+        pathType: Prefix
+        backend:
+          service:
+            name: api-v1
+            port:
+              number: 8080
+      - path: /api/v2
+        pathType: Prefix
+        backend:
+          service:
+            name: api-v2
+            port:
+              number: 8080
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: frontend
+            port:
+              number: 80
+```
+## Best Practices
+1. **Always use health checks** - Detect and remove unhealthy instances
+2. **Enable connection draining** - Allow in-flight requests to complete
+3. **Use SSL/TLS termination** - Offload encryption from backends
+4. **Implement rate limiting** - Protect against abuse and DDoS
+5. **Enable access logs** - Debug issues and analyze traffic patterns
+6. **Use appropriate timeouts** - Prevent resource exhaustion
+7. **Configure proper session persistence** - When stateful sessions required
+8. **Enable monitoring and metrics** - Track performance and errors
+9. **Use multiple availability zones** - Ensure high availability
+10. **Test failover regularly** - Verify redundancy works
+## Anti-Patterns
+- **Single load balancer** - Creates single point of failure
+- **No health checks** - Sends traffic to failed instances
+- **Overly aggressive health checks** - Can overload backends
+- **No SSL/TLS** - Exposes traffic to interception
+- **Hard-coded server IPs** - Makes scaling difficult
+- **Insufficient connection limits** - Can exhaust resources
+- **No monitoring** - Can't detect issues
+- **Same health check and application port** - Can give false positives
+- **No timeout configuration** - Leads to resource leaks
+- **Ignoring connection draining** - Causes dropped requests during deployments