https://docs.mitigator.ru/v26.04/en/tags/configuration/ Recent content in Configuration on BIFIT Mitigator Hugo -- gohugo.io en https://docs.mitigator.ru/v26.04/en/maintenance/reconfig/ Mon, 01 Jan 0001 00:00:00 +0000 https://docs.mitigator.ru/v26.04/en/maintenance/reconfig/ Apply changes to any configuration files in /srv/mitigator: systemctl reload mitigator This may restart the relevant MITIGATOR components. After changing network ports (editing file /etc/systemd/system/mitigator.service.d/nics.conf) run: systemctl daemon-reload && \ systemctl restart mitigator This will turn the MITIGATOR completely off and on again. Related Content Access to the Grafana Interface Administrator Tasks Backup Configuring Tiered Protection with MITIGATOR Core Isolation for Performance Optimization Graphite on a Separate Server Incident Chart Update Period Packet Processor Settings Pgfailover Documentation Previous Version Restore https://docs.mitigator.ru/v26.04/en/kb/graphite/grafana/ Mon, 01 Jan 0001 00:00:00 +0000 https://docs.mitigator.ru/v26.04/en/kb/graphite/grafana/ MITIGATOR comes with Grafana which can be used to create custom dashboards. See the Grafana documentation to understand exactly how to do this. To gain access to the Grafana web interface, you need to set up the service, which is disabled by default. You can temporarily do this with the following command: docker-compose up -d --scale grafana=1 grafana To enable grafana permanently, you need to change scale from 0 to 1 in docker-compose. https://docs.mitigator.ru/v26.04/en/kb/isolcpus/ Mon, 01 Jan 0001 00:00:00 +0000 https://docs.mitigator.ru/v26.04/en/kb/isolcpus/ By default, the CPU cores that work with network ports are also used by other subsystems. This can degrade performance and cause Input Errors pps/bps spikes on Port extX/intX graphs. You can take some of the load off these cores by preventing non-critical subsystems from running on them. To do so: Specify isolation of the packet processor cores in the core options through the isolcpus=... and rcu_nocbs=... parameters. It is also recommended to add mitigations=off to disable core security patches. https://docs.mitigator.ru/v26.04/en/kb/graphite/grafbase/ Mon, 01 Jan 0001 00:00:00 +0000 https://docs.mitigator.ru/v26.04/en/kb/graphite/grafbase/ Moving Graphite to a separate server allows you to split the load between two servers. Until the metrics archive is transferred, only new graphs can be viewed in the MITIGATOR interface. Further in the text Server1 is the server with MITIGATOR, Server2 is the server to which the transfer is being performed. It is assumed that Server2 already has Docker and docker-compose installed and has a way to deliver the filebase from Server1 to Server2 (the amount of data can be more than 100 GB depending on the number of policies). https://docs.mitigator.ru/v26.04/en/kb/graphite/clickhouse-conf/ Mon, 01 Jan 0001 00:00:00 +0000 https://docs.mitigator.ru/v26.04/en/kb/graphite/clickhouse-conf/ Конфигурационные параметры ClickHouse делятся на пользовательские и серверные. Узнать про структуру файлов и их расположение можно в официальной документации. При конфигурации модуля хранения метрик в MITIGATOR нужно учитывать следующее: корневой элемент конфигурационных файлов — <yandex> пользовательские файлы конфигураций следует размещать в /etc/clickhouse-server/users.d внутри контейнера clickhouse файлы конфигурации сервера следует размещать в /etc/clickhouse-server/config.dвнутри контейнера clickhouse Как сконфигурировать ClickHouse на примере ограничения используемой оперативной памяти сервером до 50Гб: Создать файл custom.xml с необходимыми параметрами https://docs.mitigator.ru/v26.04/en/kb/graphite/ext-grafana/ Mon, 01 Jan 0001 00:00:00 +0000 https://docs.mitigator.ru/v26.04/en/kb/graphite/ext-grafana/ Чтобы внешняя Grafana могла получать данные с Graphite нужно пробросить порт 3080 из контейнера, для чего: Cоздать, либо дополнить docker-compose.override.yml следующим: services: gateway: ports: - "13080:3080" Перезапустить MITIGATOR: docker-compose down && docker-compose up -d В Web-интерфейсе Grafana добавить источник данных: Выбрать тип Graphite и указать внешний адрес: Related Content Graphite on a Separate Server Access to the Grafana Interface Setting the Storage Time for Metrics in Graphite Using a Single Graphite for Multiple MITIGATOR Clusters Exporting Metrics to Prometheus Изменение конфигурационных параметров ClickHouse Challenge-response Authentication Module for HTTP/HTTPS Configuration Change Configuring Tiered Protection with MITIGATOR Core Isolation for Performance Optimization https://docs.mitigator.ru/v26.04/en/kb/echelon/ Mon, 01 Jan 0001 00:00:00 +0000 https://docs.mitigator.ru/v26.04/en/kb/echelon/ The most effective approach to DDoS protection is a tiered defense architecture, in which surgical filtering of traffic entering the protected network is performed by an on-premise device at the network border, while mitigation mechanisms at the upstream telecom operator level prevent the channel from being saturated. Always on protection at the upstream telecom operator side can cause problems and negatively affect legitimate traffic, so it should be activated only when necessary. https://docs.mitigator.ru/v26.04/en/kb/incidents/ Mon, 01 Jan 0001 00:00:00 +0000 https://docs.mitigator.ru/v26.04/en/kb/incidents/ The default update period for incident graphs is 60 seconds. For the convenience of working with incident charts, you may need to change the period for their update: Create a file incident.yml and put following in it: services: backend: environment: INCIDENT_UPDATE_PERIOD: "30" Where 30 is the update period value in seconds. In the .env file, set the incident.yml variable: COMPOSE_FILE=docker-compose.yml:docker-compose.override.yml:incident.yml Restart MITIGATOR: systemctl restart mitigator Related Content Access to the Grafana Interface Configuration Change Configuring Tiered Protection with MITIGATOR Core Isolation for Performance Optimization Graphite on a Separate Server Packet Processor Settings Pgfailover Documentation Setting the Storage Time for Metrics in Graphite System Setup for Mellanox (NVIDIA) Adapters Using a Single Graphite for Multiple MITIGATOR Clusters https://docs.mitigator.ru/v26.04/en/kb/dataplane.conf/ Mon, 01 Jan 0001 00:00:00 +0000 https://docs.mitigator.ru/v26.04/en/kb/dataplane.conf/ The packet processor is configured through the dataplane.conf file. Put the file into the MITIGATOR working directory and set the required parameters. Other parameters will have the default values. Comments are specified with #, // or /* */. Available parameters (with default values): # Control socket bind address. control_address: 0.0.0.0 # Control socket TCP port. # [1, 65535] control_port: 8888 # Debug control socket TCP port. # [1, 65535] debug_port: 8889 # gRPC control socket TCP port. https://docs.mitigator.ru/v26.04/en/kb/pgfailover/ Mon, 01 Jan 0001 00:00:00 +0000 https://docs.mitigator.ru/v26.04/en/kb/pgfailover/ pgfailover monitors the state of a PostgreSQL cluster and acts as a TCP proxy for clients, directing them to the current Primary. When the Primary changes, pgfailover terminates client connections, and they must reconnect. Connection parameters are specified via environment variables with the PGFAILOVER_ prefix: export PGFAILOVER_BIND_ADDRESS=":5432" export PGFAILOVER_SERVERS="postgres://repuser@pg0.example.com/database?sslmode=disable&connect_timeout=5 postgres://repuser@pg1.example.com/database?sslmode=disable&connect_timeout=5" ./pgfailover The server role (Primary/Standby) is checked using pg_is_in_recovery(), by default every 5 seconds (PGFAILOVER_INTERVAL), with the number of connection attempts controlled by the PGFAILOVER_ATTEMPTS environment variable (default: 1). https://docs.mitigator.ru/v26.04/en/kb/graphite/retention/ Mon, 01 Jan 0001 00:00:00 +0000 https://docs.mitigator.ru/v26.04/en/kb/graphite/retention/ MITIGATOR stores graph data in Graphite-ClickHouse. Fresh data is stored with a smaller sparsity, then thinned out: Term Sparcity Less than a day 5 seconds day to week 10 seconds week to month 1 minute month to 145 days 5 minutes Over 145 days 10 minutes The retention times are not cumulative, i.e. data for the last day of the last week is stored at a 5 second spacing, and the next 6 days (not 7) are stored at a 10 second spacing. https://docs.mitigator.ru/v26.04/en/kb/mellanox/ Mon, 01 Jan 0001 00:00:00 +0000 https://docs.mitigator.ru/v26.04/en/kb/mellanox/ System preparation Working with Mellanox (NVIDIA) cards requires the latest driver and device firmware NVIDIA MLNX_OFED. Using the provided link select the latest version of MLNX_OFED for the required distribution of the operating system in the table Current Versions of the Download section. Select the closest version of the OS if the required version is missing. Skip MLNX_OFED installation if the required OS is missing in the list. Tested to work on Debian 10+ and Ubuntu 20. https://docs.mitigator.ru/v26.04/en/kb/graphite/onegraphite/ Mon, 01 Jan 0001 00:00:00 +0000 https://docs.mitigator.ru/v26.04/en/kb/graphite/onegraphite/ Using a single Graphite for several MITIGATOR instances makes it possible to reduce the load on the computing resources of traffic processing complexes, simplify administration and set up complex monitoring. Set up The setup is similar to migration of Graphite to a separate server. If you have a host with Graphite configured, you must skip to the Configuring MITIGATOR to work with External Shared Graphite step. Create a directory for the services: