How to protect your public website with ESNI

Hello Habr, my name is Ilya, I work in the platform team at Exness. We develop and implement the core infrastructure components that our product development teams use.

In this article I would like to share my experience of implementing the Encrypted SNI (ESNI) technology in the infrastructure of public websites.


Using this technology raises the level of security when working with a public website and complies with the internal security standards adopted by the company.

First, I want to point out that the technology is not standardized and is still a draft, but CloudFlare and Mozilla already support it (draft 01). This motivated us to run this experiment.

A bit of theory

ESNI is an extension to the TLS 1.3 protocol that allows the SNI in the TLS handshake "Client Hello" message to be encrypted. Here is what a Client Hello with ESNI support looks like (instead of SNI we see ESNI):


To use ESNI, you need three things:

  • DNS;
  • client support;
  • server-side support.

DNS

You need to add two DNS records - A and TXT (the TXT record contains the public key with which the client can encrypt the SNI) - see below. In addition, there must be DoH (DNS over HTTPS) support, because there are clients (see below) that do not enable ESNI without DoH. This makes sense: ESNI is meant to hide the name of the resource we are accessing, so it makes no sense to ask for that name over plaintext DNS over UDP. Moreover, using DNSSEC lets you protect against cache poisoning attacks in this scenario.

There are currently quite a few DoH providers, among them:

CloudFlare claims (Check My Browser → Encrypted SNI → Learn more) that their servers already support ESNI, i.e. for CloudFlare servers we have at least two records in DNS - A and TXT. In the example below we query Google DNS (over HTTPS):

A record:

curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}

TXT record; it has to be requested using the pattern _esni.FQDN:

curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
    "name": "_esni.www.cloudflare.com.",
    "type": 16
    }
  ],
  "Answer": [
    {
    "name": "_esni.www.cloudflare.com.",
    "type": 16,
    "TTL": 1799,
    "data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}

So, from the DNS point of view, we should use DoH (preferably with DNSSEC) and add two records.
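To make the contents of that TXT record concrete, here is an added example (my own code, not from the article or from CloudFlare's implementation) that decodes the base64 payload returned above into the draft-02 ESNIKeys fields: version, checksum, key shares, cipher suites, padded length and the validity window. The checksum rule it applies (first four bytes of SHA-256 over the structure with the checksum field zeroed) is the one from draft-ietf-tls-esni-02; the not_before/not_after fields are also what makes the key rotation question mentioned at the end of the article concrete, since a client must reject a record outside that window.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// RawESNIRecord is the TXT value for _esni.www.cloudflare.com from the DoH answer above
// (draft-02 ESNIKeys, version 0xff01), without the surrounding quotes.
const RawESNIRecord = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="

// KeyShare is one (group, public key) pair the client may use for the ESNI key exchange.
type KeyShare struct {
	Group     uint16 // 0x001d = x25519
	PublicKey []byte
}

// ESNIKeys holds the decoded record; field order follows draft-ietf-tls-esni-02.
type ESNIKeys struct {
	Version      uint16
	Checksum     [4]byte
	ChecksumOK   bool // first 4 bytes of SHA-256 over the record with the checksum field zeroed
	KeyShares    []KeyShare
	CipherSuites []uint16 // 0x1301 = TLS_AES_128_GCM_SHA256
	PaddedLength uint16   // the encrypted SNI is padded to this length so the name length does not leak
	NotBefore    time.Time
	NotAfter     time.Time
}

// cursor is a small bounds-checked big-endian reader; the first error is sticky.
type cursor struct {
	buf []byte
	off int
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err == nil && c.off+n > len(c.buf) {
		c.err = errors.New("esni: truncated ESNIKeys record")
	}
	if c.err != nil {
		return make([]byte, n) // zeros; the caller checks c.err at the end
	}
	b := c.buf[c.off : c.off+n]
	c.off += n
	return b
}

func (c *cursor) u16() uint16 { return binary.BigEndian.Uint16(c.take(2)) }
func (c *cursor) u64() uint64 { return binary.BigEndian.Uint64(c.take(8)) }

// ParseESNIKeys decodes the base64 TXT payload and verifies its checksum.
func ParseESNIKeys(b64 string) (*ESNIKeys, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("esni: bad base64: %w", err)
	}
	c := &cursor{buf: raw}
	k := &ESNIKeys{Version: c.u16()}
	copy(k.Checksum[:], c.take(4))
	keysLen := int(c.u16()) // KeyShareEntry keys<4..2^16-1>
	keysEnd := c.off + keysLen
	for c.err == nil && c.off < keysEnd {
		ks := KeyShare{Group: c.u16()}
		ks.PublicKey = append([]byte(nil), c.take(int(c.u16()))...)
		k.KeyShares = append(k.KeyShares, ks)
	}
	if c.err == nil && c.off != keysEnd {
		return nil, errors.New("esni: key share list length mismatch")
	}
	nSuites := int(c.u16()) / 2 // CipherSuite cipher_suites<2..2^16-2>
	for i := 0; c.err == nil && i < nSuites; i++ {
		k.CipherSuites = append(k.CipherSuites, c.u16())
	}
	k.PaddedLength = c.u16()
	k.NotBefore = time.Unix(int64(c.u64()), 0).UTC()
	k.NotAfter = time.Unix(int64(c.u64()), 0).UTC()
	c.take(int(c.u16())) // Extension extensions<0..2^16-1>: none defined in draft-02, skipped
	if c.err != nil {
		return nil, c.err
	}
	if c.off != len(raw) {
		return nil, errors.New("esni: trailing bytes after ESNIKeys")
	}
	zeroed := append([]byte(nil), raw...)
	copy(zeroed[2:6], make([]byte, 4)) // checksum is computed with its own field zeroed
	sum := sha256.Sum256(zeroed)
	k.ChecksumOK = bytes.Equal(sum[:4], k.Checksum[:])
	return k, nil
}

// ValidAt reports whether the record may be used at t; keys outside the window must be rejected.
func (k *ESNIKeys) ValidAt(t time.Time) bool {
	return !t.Before(k.NotBefore) && !t.After(k.NotAfter)
}

func main() {
	k, err := ParseESNIKeys(RawESNIRecord)
	if err != nil {
		panic(err)
	}
	fmt.Printf("version=%#x checksum_ok=%v padded_length=%d suites=%#x\n", k.Version, k.ChecksumOK, k.PaddedLength, k.CipherSuites)
	for _, ks := range k.KeyShares {
		fmt.Printf("key share: group=%#x pubkey=%x\n", ks.Group, ks.PublicKey)
	}
	fmt.Printf("valid from %s to %s\n", k.NotBefore.Format(time.RFC3339), k.NotAfter.Format(time.RFC3339))
}
```

For the record captured above this yields version 0xff01, one x25519 key share with a 32-byte public key, the single suite TLS_AES_128_GCM_SHA256, a padded length of 260 bytes and a validity window of 2020-06-01T16:00:00Z to 2020-06-07T16:00:00Z, which shows how short-lived these keys are and why the DNS TTL (1799 s above) has to stay well inside that window.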

Client support

If we are talking about browsers, then support is currently implemented only in FireFox. Here are instructions on how to enable ESNI and DoH support in FireFox. After the browser is configured, we should see something like this:


Link to check the browser.

Of course, TLS 1.3 must be used to support ESNI, since ESNI is an extension of TLS 1.3.

To test the backend with ESNI support, we implemented a client in Go, but more on that later.

Server-side support

Currently ESNI is not supported by web servers such as nginx/apache, etc., since they handle TLS through OpenSSL/BoringSSL, which do not officially support ESNI.

Therefore, we decided to create our own front-end component (an ESNI reverse proxy) that supports TLS 1.3 termination with ESNI and proxies HTTP(S) traffic to an upstream that does not support ESNI. This allows the technology to be used in existing infrastructure without changing the main components - i.e. using the current web servers that do not support ESNI.

For clarity, here is a diagram:


Note that the proxy is designed with the ability to terminate TLS connections without ESNI as well, in order to support clients without ESNI. Also, the protocol towards the upstream can be either HTTP or HTTPS with a TLS version lower than 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility.
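The scaffolding around that design, as an added example that is not the article's proxy or CloudFlare's code: a TLS 1.3-only front end built on the standard library's net/http and httputil, forwarding decrypted requests to an upstream that speaks plain HTTP or ordinary HTTPS, with hypothetical handshake and response-class counters standing in for the Prometheus metrics. The standard crypto/tls cannot decrypt an encrypted_server_name extension, so the ESNI part itself is exactly what the patched GOROOT mentioned below adds; what this shows is the termination and proxying structure that surrounds it. The certificate paths and the upstream address in main are assumptions.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync/atomic"
	"time"
)

// FrontStats are hypothetical counters standing in for the proxy's Prometheus metrics
// (not the real metric names from the article).
type FrontStats struct {
	Hellos          uint64    // ClientHello messages seen by the front end
	HellosNoSNI     uint64    // hellos with an empty plaintext server_name (an ESNI client's name is only in the encrypted extension)
	UpstreamByClass [6]uint64 // upstream responses by status class: index 2 = 2xx, 5 = 5xx
}

// FrontTLSConfig terminates TLS 1.3 only (ESNI is a TLS 1.3 extension) and counts hellos.
func FrontTLSConfig(certs []tls.Certificate, st *FrontStats) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: certs,
		GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			atomic.AddUint64(&st.Hellos, 1)
			if h.ServerName == "" {
				atomic.AddUint64(&st.HellosNoSNI, 1)
			}
			return nil, nil // nil config: keep this one
		},
	}
}

// NewUpstreamProxy forwards decrypted requests to an upstream that does not speak ESNI:
// plain HTTP, or HTTPS with whatever TLS version the upstream supports (1.2 or newer here).
func NewUpstreamProxy(upstream *url.URL, st *FrontStats) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(upstream)
	p.Transport = &http.Transport{
		TLSClientConfig:       &tls.Config{MinVersion: tls.VersionTLS12},
		ResponseHeaderTimeout: 15 * time.Second,
	}
	base := p.Director
	p.Director = func(r *http.Request) {
		base(r)                // rewrites scheme, host and path to the upstream
		r.Host = upstream.Host // the upstream's own virtual host, not the client-facing (hidden) one
		r.Header.Set("X-Forwarded-Proto", "https")
	}
	p.ModifyResponse = func(resp *http.Response) error {
		if c := resp.StatusCode / 100; c >= 1 && c <= 5 {
			atomic.AddUint64(&st.UpstreamByClass[c], 1)
		}
		return nil
	}
	return p
}

func main() {
	// Assumed paths for the front-end certificate and key (not from the article).
	cert, err := tls.LoadX509KeyPair("front.crt", "front.key")
	if err != nil {
		log.Fatal(err)
	}
	upstream, _ := url.Parse("http://127.0.0.1:8080") // assumed upstream address
	st := &FrontStats{}
	srv := &http.Server{
		Addr:      ":443",
		Handler:   NewUpstreamProxy(upstream, st),
		TLSConfig: FrontTLSConfig([]tls.Certificate{cert}, st),
	}
	// Empty cert/key arguments: the certificates come from TLSConfig.
	log.Fatal(srv.ListenAndServeTLS("", ""))
}
```

The handshake counter lives in GetConfigForClient because that callback sees every ClientHello, including ones that later fail; the response counter sits in ModifyResponse so that upstream status codes are tallied independently of what the front end returns to the client.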

We borrowed the implementation of ESNI support in Go from CloudFlare. I want to note right away that the implementation itself is non-trivial, since it involves changes to the standard library crypto/tls and therefore requires "patching" GOROOT before building.

To generate the ESNI keys we used esnitool (also a CloudFlare development). These keys are used for SNI encryption/decryption.
We tested the build with go 1.13 on Linux (Debian, Alpine) and MacOS.

A few words about operational features

The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency & response codes, failed/successful TLS handshakes & TLS handshake duration. At first glance this seems sufficient to assess how the proxy handles traffic.

We also did load testing before putting it into use. The results are below:

wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.77s     1.21s    7.20s    65.43%
    Req/Sec    13.78      8.84   140.00     83.70%
  206357 requests in 6.00m, 6.08GB read
Requests/sec:    573.07
Transfer/sec:     17.28MB 

We ran the load test only for a qualitative comparison of the scheme with the ESNI proxy and without it. We "poured" the traffic locally to eliminate "interference" from intermediate components.

So, with ESNI support and proxying to an HTTP upstream, we got about ~550 rps from a single instance, with the following average CPU/RAM consumption of the ESNI reverse proxy:

  • 80% CPU usage (4 vCPU, 4 GB RAM host, Linux)
  • 130 MB RSS memory


For comparison, the RPS for the same nginx upstream without TLS termination (HTTP protocol) is ~1100:

wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.11s     2.30s   15.00s    90.94%
    Req/Sec    23.25     13.55   282.00     79.25%
  393093 requests in 6.00m, 11.35GB read
  Socket errors: connect 0, read 0, write 0, timeout 9555
  Non-2xx or 3xx responses: 8111
Requests/sec:   1091.62
Transfer/sec:     32.27MB 

The presence of timeouts indicates a lack of resources (we used a 4 vCPU, 4 GB RAM host, Linux), and in fact the potential RPS is higher (we got figures of up to 2700 RPS on more powerful resources).

In conclusion, I note that the ESNI technology looks very promising. There are still many open questions, for example the issues of storing the ESNI public key in DNS and ESNI key rotation - these issues are being actively discussed, and the latest version of the ESNI draft (at the time of writing) is already 7.

source: www.habr.com
