Otu esi echekwa webụsaịtị ọha gị na ESNI

Hello Habr, my name is Ilya, and I work on the platform team at Exness. We develop and implement the infrastructure components that our product development teams use.

In this article I would like to share my experience of implementing Encrypted SNI (ESNI) in the infrastructure of a public website.


Using this technology raises the level of security when operating public web resources and complies with the company's internal security standards.

First, I want to point out that the technology is not yet standardized and is still at the draft stage, but it is supported by CloudFlare and Mozilla (draft 01). That motivated us to run this experiment.

A bit of theory

ESNI is an extension to the TLS 1.3 protocol that allows the SNI to be encrypted in the TLS "Client Hello" handshake message. This is what a Client Hello looks like with ESNI support (instead of the usual SNI we see ESNI):


To use ESNI you need three things:

  • DNS;
  • client support;
  • server-side support.

DNS

You need to add two DNS records, A and TXT (the TXT record contains the public key that the client uses to encrypt the SNI); see below. In addition, DoH (DNS over HTTPS) support is required, because the existing clients (see below) do not enable ESNI without DoH. This makes sense: ESNI implies encrypting the name of the resource we are accessing, so it would be pointless to resolve that name over plain DNS over UDP. Also, using DNSSEC protects against cache poisoning attacks in this scenario.

There are currently quite a few DoH providers, among them:

Cloudflare states (Check My Browser → Encrypted SNI → Learn more) that its servers support ESNI, that is, for a CloudFlare server we have at least two records in DNS, A and TXT. In the example below we query Google DNS (over HTTPS):

A record:

curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}

The TXT record; the query uses the template _esni.FQDN:

curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
    "name": "_esni.www.cloudflare.com.",
    "type": 16
    }
  ],
  "Answer": [
    {
    "name": "_esni.www.cloudflare.com.",
    "type": 16,
    "TTL": 1799,
    "data": "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}

So, from the DNS side we need DoH (preferably with DNSSEC) and the two records added.
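As an added example (not from the article and not Cloudflare's code), here is a small Go program that decodes the _esni TXT value shown above and extracts what a monitoring job would check on the published record: key type and size, cipher suite, and whether the validity window covers a given time. The layout follows the draft-02 ESNIKeys structure (version 0xff01, the version carried by the record above); the 4-byte checksum is skipped rather than verified, and a single key share entry is assumed.

```go
package main
import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)
// Sample input: the _esni.www.cloudflare.com TXT value quoted in the article.
const sampleTXT = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="
type ESNIKeys struct {
	Version, Group, PaddedLength uint16 // Group 0x001d is x25519
	PublicKey                    []byte
	CipherSuites                 []uint16 // 0x1301 is TLS_AES_128_GCM_SHA256
	NotBefore, NotAfter          time.Time
}
// ParseESNIKeys decodes a draft-02 (version 0xff01) record, a TLS-style big-endian,
// length-prefixed layout; the checksum is skipped and a single KeyShareEntry assumed.
func ParseESNIKeys(txt string) (*ESNIKeys, error) {
	raw, err := base64.StdEncoding.DecodeString(txt)
	off, bad := 0, err != nil
	take := func(n int) []byte { // next n bytes, or zeroed scratch after an overrun
		if bad = bad || off+n > len(raw); bad {
			return make([]byte, 8)
		}
		off += n
		return raw[off-n : off]
	}
	u16 := func() int { return int(binary.BigEndian.Uint16(take(2))) }
	k := &ESNIKeys{Version: uint16(u16())}
	take(6) // checksum (4 bytes) and key-share list length (2 bytes)
	k.Group, k.PublicKey = uint16(u16()), take(u16())
	for n := u16(); n > 0 && !bad; n -= 2 { // cipher_suites, 2 bytes each
		bad = n%2 != 0
		k.CipherSuites = append(k.CipherSuites, uint16(u16()))
	}
	k.PaddedLength = uint16(u16())
	k.NotBefore = time.Unix(int64(binary.BigEndian.Uint64(take(8))), 0).UTC()
	k.NotAfter = time.Unix(int64(binary.BigEndian.Uint64(take(8))), 0).UTC()
	take(u16()) // extensions, ignored
	if bad || off != len(raw) {
		return nil, errors.New("malformed ESNIKeys record")
	}
	return k, nil
}
// Usable is the monitor's check: an x25519 key of the right size whose window covers t.
func Usable(k *ESNIKeys, t time.Time) bool {
	return k.Group == 0x001d && len(k.PublicKey) == 32 && !t.Before(k.NotBefore) && !t.After(k.NotAfter)
}
func main() { fmt.Println(ParseESNIKeys(sampleTXT)) }
```

For the record above this yields a one-week window in June 2020, so a monitor running today would report the published key as expired; the same check pointed at a live record tells you whether the key in DNS is actually usable by clients.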

Client support

If we are talking about browsers, then at the moment support is implemented only in Firefox. Here is a guide to enabling ESNI and DoH support in Firefox. After configuring the browser we should see something like this:


A link for checking the browser.

Naturally, TLS 1.3 must be used for ESNI support, since ESNI is an extension to TLS 1.3.

To test ESNI support on the backend, we wrote a client in Go, but more on that later.

Server-side support

At present ESNI is not supported by web servers such as nginx, apache and so on, because they handle TLS through OpenSSL/BoringSSL, which do not officially support ESNI.

Therefore we decided to build our own edge component (an ESNI reverse proxy) that would handle TLS 1.3 termination with ESNI and proxy the HTTP(S) traffic to an upstream that does not support ESNI. This makes it possible to use the technology on existing infrastructure without changing the core components, that is, while keeping the current web servers that do not support ESNI.

For clarity, here is a diagram:


I should note that the proxy was implemented with the ability to also terminate TLS connections without ESNI, in order to support clients that lack ESNI. Also, the protocol for talking to the upstream can be HTTP, or HTTPS with a TLS version lower than 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility.

We borrowed the implementation of ESNI support in Go from Cloudflare. I should note right away that the implementation itself is not trivial, since it involves changes to the standard library package crypto/tls, so it requires "patching" GOROOT before compilation.

To generate ESNI keys we used esnitool (also a Cloudflare creation). These keys are used to encrypt and decrypt the SNI.
We tested the build with go 1.13 on Linux (Debian, Alpine) and MacOS.

A few words about performance

The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream response times and codes, failed/successful TLS handshakes and TLS handshake durations. At first glance this looks sufficient to monitor how the proxy handles traffic.

We also ran load tests before putting it into use. The results are below:

wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.77s     1.21s    7.20s    65.43%
    Req/Sec    13.78      8.84   140.00     83.70%
  206357 requests in 6.00m, 6.08GB read
Requests/sec:    573.07
Transfer/sec:     17.28MB 

We ran a rough load test to compare the scheme with and without the ESNI reverse proxy. We generated the traffic locally to rule out "noise" from intermediate components.

So, with ESNI support and proxying to the upstream over HTTP, we got roughly ~550 rps from a single instance, with the following average CPU/RAM consumption of the ESNI reverse proxy:

  • CPU usage 80% (4 vCPU, 4 GB RAM host, Linux)
  • 130 MB RSS memory


For comparison, the RPS for the same nginx upstream without TLS termination (plain HTTP) is ~1100:

wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.11s     2.30s   15.00s    90.94%
    Req/Sec    23.25     13.55   282.00     79.25%
  393093 requests in 6.00m, 11.35GB read
  Socket errors: connect 0, read 0, write 0, timeout 9555
  Non-2xx or 3xx responses: 8111
Requests/sec:   1091.62
Transfer/sec:     32.27MB 

The presence of timeouts indicates a lack of resources (we used 4 vCPU, 4 GB RAM hosts, Linux), and in fact the RPS could be higher (we reached figures of up to 2700 RPS on more powerful hardware).

In conclusion, I will note that ESNI looks promising. There are still many open questions, for example storing public ESNI keys in DNS and ESNI key rotation; these issues are being actively discussed, and the latest version of ESNI (at the time of writing) is already draft 7.

Source: www.habr.com
