23.7 Legacy Series / Re: Rspamd - Central Redis
« on: May 26, 2024, 04:11:48 pm »
You can do a port forward on localhost to redisport via the external redisdb
And can this be a "Central" OPNsense we have? Currently we do this for MalTrail sensors and for central management of IPS, Dashboard, Tunables... so can the Redis DB on OPNsense be the target for about 30 other OPNsense instances, even if reachable only over WAN with latency?
Not the best idea to do, as:
1. rspamd does not speak to redis itself over SSL, as this is unstable; only stunnel is supported, so you will need to take extra care.
2. Delay is not so critical for writes, but for reads it's better to be quick, so instead of trying to connect rspamd to a redis which is located far away, better:
a) Connect a redis replica to the remote redis master and point rspamd to the local replica for reads and the remote master for writes. Rspamd uses non-blocking operations, so writes to redis by modules (like bayes, neural, reputation, learning etc.) are usually done after scanning the email. And I would repeat: TLS is not supported directly, but stunnel is; if you are not using a VPN to reach the master, you must use this one so as not to speak to redis over the web without encryption.
b) You can consider using rspamd over HTTP or HTTPS instead of using rspamd per server at all. This is possible by using the /checkv2 endpoint. If you need to connect something via milter, you set up rspamd-proxy and configure it to scan over a remote rspamd-normal worker, which can be somewhere in a far-away location. This also allows you to spin up many rspamd normals balanced by something like haproxy; here is how it looks: https://rspamd.com/doc/workers/rspamd_proxy.html#proxy-mode
Need to mention that rspamd has an option to compress data from rspamd-proxy (milter) to rspamd-normal with zstd and encrypt it with its own encryption, similar to mTLS but a bit different; this will secure your connection even over the web without HTTPS. For cases when you don't need milter but need the rspamd-normal /checkv2 endpoint directly (zonemta as an example), you can point it to haproxy, which will add SSL over the plain rspamd-normal endpoint.
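The read/write split from option a) and the encrypted, zstd-compressed proxy-to-normal link from option b), written out as an added configuration example. This is not configuration from the post or from the rspamd project; the hostnames, ports, password and key values are placeholders, and the local stunnel listener on 127.0.0.1:6380 is an assumed layout (stunnel client on the edge host, TLS across the WAN, stunnel server in front of the Redis master).

```ucl
# /etc/rspamd/local.d/redis.conf  (on each edge OPNsense host)
# Assumed layout: a local Redis replica on 127.0.0.1:6379 follows the central
# master over the VPN or stunnel; writes go to the master through a local
# stunnel listener on 127.0.0.1:6380, because rspamd has no native TLS to Redis.
read_servers  = "127.0.0.1:6379";   # local replica: low-latency reads
write_servers = "127.0.0.1:6380";   # stunnel endpoint forwarding to the remote master
password = "REDIS_PASSWORD_PLACEHOLDER";
timeout = 2s;                       # fail fast if the WAN path stalls

# /etc/rspamd/local.d/worker-normal.inc  (on the central scanning host)
# Keypair generated with `rspamadm keypair`; only the pubkey is copied to the proxies.
keypair {
  pubkey  = "PUBKEY_PLACEHOLDER";
  privkey = "PRIVKEY_PLACEHOLDER";
}

# /etc/rspamd/local.d/worker-proxy.inc  (on each edge host, milter side)
milter = yes;
bind_socket = "127.0.0.1:11332";    # the MTA's milter target, loopback only
timeout = 120s;
upstream "central" {
  default = yes;
  self_scan = no;                           # never scan locally, always forward
  hosts = "scanner.example.internal:11333"; # remote rspamd-normal (placeholder host)
  key = "PUBKEY_PLACEHOLDER";               # enables rspamd's own transport encryption
  compression = true;                       # zstd-compress the forwarded message
}
```

With this split, a slow or unreachable master only delays the post-scan writes, while classification reads stay on the local replica. Keep the replica's own replication link inside the VPN or behind stunnel as well, since Redis replication is plaintext by default, and bind both the replica and the stunnel listener to loopback so nothing on the edge host is exposed to the WAN.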