Hello Habr, my name is Ilya, and I work in the platform team at Exness. We build and run the infrastructure that our product teams' services run on.
In this article I want to share our experience of applying encrypted SNI (ESNI) in the infrastructure of public websites.

Using this technology raises the level of security of public websites and meets the internal security standards adopted by the company.
First of all, I want to point out that the technology is not a standard yet and is still a draft, but CloudFlare and Mozilla (in Firefox) already support it. That encouraged us to run this experiment.
A bit of theory
ESNI is an extension to the TLS 1.3 protocol that encrypts the SNI in the Client Hello message of the TLS handshake. This is what a Client Hello with ESNI support looks like (instead of the usual SNI we see ESNI):

To use ESNI you need three things:
- DNS;
- client support;
- server-side support.
DNS
You need to add two DNS records, an A record and a TXT record (the TXT record holds the public key with which the client encrypts the SNI); see below. DoH (DNS over HTTPS) support is also required, because some clients (see below) do not enable ESNI without DoH. This is logical: ESNI encrypts the name of the resource we are connecting to, so it makes no sense to send that same name in a plaintext DNS query over UDP. Beyond that, DoH protects the client's lookups from spoofed answers, i.e. cache-poisoning attacks on the path to the resolver, in this scenario.
There are already sites that support ESNI, among them:
CloudFlare (see the CloudFlare browser check page: Encrypted SNI → Learn More) states that its servers already support ESNI, which means that for CloudFlare servers we have at least two records in DNS, A and TXT. In the example below we query Google DNS (over HTTPS):
A record:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "www.cloudflare.com.",
"type": 1
}
],
"Answer": [
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.210.9"
},
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.209.9"
}
]
}
TXT record; the query name is built from the template _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16
}
],
"Answer": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16,
"TTL": 1799,
"data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
}
],
"Comment": "Response from 2400:cb00:2049:1::a29f:209."
}
So, on the DNS side we need to use DoH (preferably together with DNSSEC) and add the two records.
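To see what a client actually obtains from that TXT record, here is an added example (my own code, not from the article, Exness or CloudFlare) that decodes the base64 value returned above according to the ESNIKeys structure of draft-ietf-tls-esni-02, the draft whose version number (0xff01) the record carries. The assumptions are the draft-02 field layout and that the validity times are Unix seconds; the 4-byte checksum field is carried through but not recomputed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// The _esni.www.cloudflare.com TXT value from the DoH answer above (the JSON
// API wraps it in an extra pair of quotes, already removed here).
const esniTXT = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="

// ESNIKeys mirrors the draft-ietf-tls-esni-02 structure (version 0xff01), the
// draft this record was published under. The checksum is carried, not verified.
type ESNIKeys struct {
	Version      uint16
	Checksum     [4]byte
	Keys         []KeyShare // KeyShareEntry keys<4..2^16-1>
	CipherSuites []uint16   // CipherSuite cipher_suites<2..2^16-2>
	PaddedLength uint16     // padding target for the encrypted name
	NotBefore    time.Time  // uint64 seconds since the Unix epoch
	NotAfter     time.Time
	Extensions   []byte // Extension extensions<0..2^16-1>, left raw
}

type KeyShare struct {
	Group uint16 // 0x001d = x25519
	Key   []byte
}

// cursor is a bounds-checked reader: after the first error every read yields
// zero values and the error is inspected once at the end.
type cursor struct {
	b   []byte
	err error
}

func (c *cursor) take(n int) (v []byte) {
	if c.err == nil && len(c.b) < n {
		c.err = errors.New("esni: truncated structure")
	}
	if c.err == nil {
		v, c.b = c.b[:n], c.b[n:]
	}
	return v
}

// num reads an n-byte big-endian unsigned integer.
func (c *cursor) num(n int) (v uint64) {
	for _, x := range c.take(n) {
		v = v<<8 | uint64(x)
	}
	return v
}

func (c *cursor) vec16() []byte { return c.take(int(c.num(2))) } // 16-bit-length-prefixed vector

// ParseESNIKeys decodes one ESNIKeys structure and rejects trailing bytes.
func ParseESNIKeys(raw []byte) (*ESNIKeys, error) {
	c := &cursor{b: raw}
	k := &ESNIKeys{Version: uint16(c.num(2))}
	copy(k.Checksum[:], c.take(4))
	kc := &cursor{b: c.vec16()}
	for kc.err == nil && len(kc.b) > 0 {
		k.Keys = append(k.Keys, KeyShare{Group: uint16(kc.num(2)), Key: kc.vec16()})
	}
	suites := c.vec16()
	for i := 0; i+1 < len(suites); i += 2 {
		k.CipherSuites = append(k.CipherSuites, uint16(suites[i])<<8|uint16(suites[i+1]))
	}
	k.PaddedLength = uint16(c.num(2))
	k.NotBefore = time.Unix(int64(c.num(8)), 0).UTC()
	k.NotAfter = time.Unix(int64(c.num(8)), 0).UTC()
	k.Extensions = c.vec16()
	switch {
	case c.err != nil:
		return nil, c.err
	case kc.err != nil:
		return nil, kc.err
	case k.Version != 0xff01:
		return nil, fmt.Errorf("esni: unsupported version %#04x", k.Version)
	case len(k.Keys) == 0 || len(suites) == 0 || len(suites)%2 != 0 || len(c.b) != 0:
		return nil, errors.New("esni: malformed structure")
	}
	return k, nil
}

// ValidAt is the check a client must make before encrypting with these keys.
func (k *ESNIKeys) ValidAt(t time.Time) bool {
	return !t.Before(k.NotBefore) && !t.After(k.NotAfter)
}

func main() {
	raw, _ := base64.StdEncoding.DecodeString(esniTXT) // a decode error leaves raw nil, which the parser rejects
	k, err := ParseESNIKeys(raw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\nusable now: %v\n", k, k.ValidAt(time.Now()))
}
```

Decoding the record above yields one x25519 key share (group 0x001d, 32-byte key), a single cipher suite 0x1301 (TLS_AES_128_GCM_SHA256), a padded_length of 260 and a validity window from 2020-06-01 16:00 to 2020-06-07 16:00 UTC. The validity window is the practical check: the record's TTL of 1799 seconds is far shorter than the roughly six-day key lifetime, so a client must re-resolve rather than cache decoded keys past not_after, and a server that rotates keys has to keep accepting the previous key for at least the DNS TTL.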
Client support
As for browsers, at the time of writing Firefox is the one with ESNI support; both ESNI and DoH have to be enabled in its settings. After the browser is configured, we should see something like this on the browser check page:

Of course, TLS 1.3 must be in use for ESNI to work, because ESNI is an extension to TLS 1.3.
To test a backend with ESNI support we used a Go client, but more on that later.
Server-side support
At the moment ESNI is not supported by web servers such as nginx, Apache and the like, since they handle TLS through OpenSSL/BoringSSL, which do not support ESNI.
So we decided to build our own front end (an ESNI reverse proxy) that terminates TLS 1.3 with ESNI and proxies HTTP(S) traffic to upstreams that do not support ESNI. This lets the technology be applied to existing infrastructure without replacing core components, i.e. while keeping the current web servers that do not support ESNI.
For clarity, here is a diagram:

Note that the proxy was designed to also terminate TLS connections without ESNI, to support clients that do not have it. The connection to the upstream can be plain HTTP or HTTPS with a TLS version lower than 1.3 (if the upstream does not support 1.3). This gives maximum flexibility. Keep in mind, though, that the ESNI protection ends at the proxy: on a plain-HTTP upstream hop the Host header carries the very name ESNI hid from the client-side network, so that hop should stay on a trusted network.
We took the ESNI implementation for Go from CloudFlare. I should note right away that the implementation itself is non-trivial, because it involves changes to the standard crypto/tls library and therefore requires "patching" GOROOT before building.
To generate ESNI keys we used CloudFlare's key-generation tool (also their work). These keys are used for SNI encryption/decryption.
We tested the build with Go 1.13 on Linux (Debian, Alpine) and macOS.
A few words about operations
The ESNI reverse proxy exposes metrics in Prometheus format: rps, upstream latency and response codes, failed/successful TLS handshakes and TLS handshake duration. At first glance this looks sufficient to see how the proxy copes with traffic.
We also ran a load test before deployment. Results below:
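The dual-mode termination and the HTTP-or-HTTPS upstream hop described above can be sketched with the standard library. The following is an added example of my own, not the Exness proxy and not CloudFlare's code: the ESNI decryption itself lives in the patched crypto/tls the article mentions and is not shown here, so with stock Go the front end only ever sees a plaintext SNI. The host names, upstream addresses, ports and the self-signed certificates are all made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"log"
	"math/big"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"time"
)

// Hypothetical routing table: public host name -> upstream. Upstreams may be
// plain HTTP or HTTPS, as in the article; none of these addresses is real.
var upstreams = map[string]string{
	"site-a.example": "http://127.0.0.1:8081",
	"site-b.example": "https://127.0.0.1:8444",
}

// selectUpstream maps the Host of an incoming request to an upstream URL.
func selectUpstream(host string) (*url.URL, bool) {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	raw, ok := upstreams[host]
	if !ok {
		return nil, false
	}
	u, err := url.Parse(raw)
	return u, err == nil
}

// newProxyHandler is the HTTP(S) reverse proxy that sits behind TLS termination.
// Hosts that are not in the table get 421 rather than being forwarded anywhere.
func newProxyHandler() http.Handler {
	proxy := &httputil.ReverseProxy{
		Director: func(req *http.Request) {
			if target, ok := selectUpstream(req.Host); ok {
				req.URL.Scheme, req.URL.Host = target.Scheme, target.Host
			}
		},
		// The upstream hop is a separate TLS session, so TLS 1.2 is an assumed floor there.
		Transport: &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}},
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := selectUpstream(r.Host); !ok {
			http.Error(w, "unknown host", http.StatusMisdirectedRequest)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

// frontendTLSConfig terminates client connections. Clients that send no SNI
// at all, or a name we do not host, still get defaultCert, so non-ESNI
// clients keep working as the article describes.
func frontendTLSConfig(defaultCert tls.Certificate, perName map[string]tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS13, // ESNI is a TLS 1.3 extension
		GetCertificate: func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := perName[chi.ServerName]; ok {
				return &c, nil
			}
			return &defaultCert, nil
		},
	}
}

// selfSigned issues a throwaway certificate so the example runs without a CA.
func selfSigned(name string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		log.Fatal(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

func main() {
	perName := map[string]tls.Certificate{"site-a.example": selfSigned("site-a.example")}
	ln, err := tls.Listen("tcp", "127.0.0.1:8443", frontendTLSConfig(perName["site-a.example"], perName))
	if err != nil {
		log.Fatal(err)
	}
	log.Println("front end listening on", ln.Addr())
	log.Fatal(http.Serve(ln, newProxyHandler()))
}
```

Run it and point a TLS 1.3 client at 127.0.0.1:8443 with the Host header site-a.example; a host that is not in the table gets a 421 instead of being forwarded, which is the check worth keeping in front of any catch-all upstream.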
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.77s 1.21s 7.20s 65.43%
Req/Sec 13.78 8.84 140.00 83.70%
206357 requests in 6.00m, 6.08GB read
Requests/sec: 573.07
Transfer/sec: 17.28MB
We ran the load test to compare the setups with and without the ESNI reverse proxy. We kept the traffic local ("looped" it) to exclude the "interference" of intermediate components.
So, with ESNI support and proxying to the upstream over HTTP, we got around ~550 rps per instance, with the following average CPU/RAM consumption of the ESNI reverse proxy:
- 80% CPU usage (4 vCPU, 4 GB RAM hosts, Linux)
- 130 MB RSS memory

For comparison, the RPS for the same nginx upstream without TLS termination (plain HTTP) is ~1100:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.11s 2.30s 15.00s 90.94%
Req/Sec 23.25 13.55 282.00 79.25%
393093 requests in 6.00m, 11.35GB read
Socket errors: connect 0, read 0, write 0, timeout 9555
Non-2xx or 3xx responses: 8111
Requests/sec: 1091.62
Transfer/sec: 32.27MB
The presence of timeouts indicates a lack of resources (we used 4 vCPU, 4 GB RAM hosts, Linux), and the real RPS may be higher (we got numbers up to 2700 RPS on more powerful hardware).
In conclusion, I note that ESNI still looks rather risky. There are still many open questions, for example storing ESNI public keys in DNS and rotating ESNI keys; these issues are being discussed, and the ESNI draft was still evolving at the time of writing.
Source: www.hab.com
