Hi Habr, my name is Ilya and I work on the platform team at Exness. We develop and roll out the infrastructure components that our product development teams use.
In this article I would like to share my experience of deploying Encrypted SNI (ESNI) in the infrastructure of a public web site.

Using this technology raises the level of protection when serving public web resources and complies with the Company's internal security standards.
First of all, I should point out that the technology is not standardized yet and is still at the draft stage, but it is already supported by Cloudflare and Mozilla. That is what prompted us to try it out.
A bit of theory
ESNI is an extension to the TLS 1.3 protocol that encrypts the SNI in the TLS "Client Hello" handshake message. In TLS 1.3 the certificate is already sent encrypted, so the server name in the Client Hello is the one piece of plaintext that still tells an on-path observer which site a client is connecting to; ESNI closes that gap. This is what a Client Hello looks like with ESNI support (instead of the usual SNI we see ESNI):

To use ESNI, three things are needed:
- DNS;
- client support;
- server-side support.
DNS
Two DNS records have to be added, A and TXT (the TXT record carries the public key the client uses to encrypt the SNI), see below. In addition, DoH (DNS over HTTPS) support is required, because the existing clients (see below) will not do ESNI without DoH. This makes sense: ESNI exists to hide the name of the resource being accessed, so asking for that same name in a plaintext DNS query over UDP would defeat the purpose. DoH also protects the lookup, and with it the ESNI public key, against tampering and cache-poisoning attacks in this scenario.
There are currently several public DoH resolvers, among them:
Cloudflare (Check my browser → Encrypted SNI → Learn more), whose servers also support ESNI, so for Cloudflare's servers there are at least two records in DNS: A and TXT. In the example below we query Google DNS (over HTTPS):
A record:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "www.cloudflare.com.",
"type": 1
}
],
"Answer": [
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.210.9"
},
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.209.9"
}
]
}
The TXT record; the query uses the name pattern _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16
}
],
"Answer": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16,
"TTL": 1799,
"data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
}
],
"Comment": "Response from 2400:cb00:2049:1::a29f:209."
}
So, on the DNS side, we need to use DoH (ideally with DNSSEC as well) and add the two records.
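As an added example (it is not code from the original article, nor from the proxy described in it), here is a Go parser for the ESNIKeys blob that the _esni TXT record above carries. The record's version field is 0xff01, i.e. the draft-ietf-tls-esni-02 layout, which is the format assumed here; the value embedded as a constant is the "data" field of the DoH answer shown above with its quotes stripped. The parser decodes the key share, cipher suite, padding length and validity window, rejects truncated or over-long records, and checks the draft's checksum (first four bytes of SHA-256 over the record with the checksum field zeroed), which is what a DoH-capable client has to do before it can encrypt an SNI:

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// The "data" field of the _esni.www.cloudflare.com TXT answer shown above, quotes stripped.
const cloudflareESNIRecord = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="

// ESNIKeys is the draft-ietf-tls-esni-02 structure (version 0xff01) carried in the TXT record.
type ESNIKeys struct {
	Version      uint16
	Checksum     [4]byte
	ChecksumOK   bool       // first 4 bytes of SHA-256 over the record with the checksum zeroed
	KeyShares    []KeyShare // Group 0x001d = x25519
	CipherSuites []uint16   // 0x1301 = TLS_AES_128_GCM_SHA256
	PaddedLength uint16     // the encrypted SNI is padded to this length, hiding the name length
	NotBefore    time.Time
	NotAfter     time.Time
}

type KeyShare struct{ Group uint16; Key []byte }

// cursor is a bounds-checked big-endian reader: after the first overrun it hands out
// zeros and remembers the error, which ParseESNIKeys checks once at the end.
type cursor struct {
	b   []byte
	off int
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err == nil && c.off+n > len(c.b) {
		c.err = errors.New("ESNIKeys truncated")
	}
	if c.err != nil {
		return make([]byte, n)
	}
	v := c.b[c.off : c.off+n]
	c.off += n
	return v
}

func (c *cursor) u16() uint16 { return binary.BigEndian.Uint16(c.take(2)) }
func (c *cursor) u64() uint64 { return binary.BigEndian.Uint64(c.take(8)) }

// ParseESNIKeys decodes and validates a draft-02 ESNIKeys record.
func ParseESNIKeys(b64 string) (*ESNIKeys, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	c := &cursor{b: raw}
	k := &ESNIKeys{Version: c.u16()}
	if k.Version != 0xff01 {
		return nil, fmt.Errorf("unsupported ESNIKeys version %#x", k.Version)
	}
	copy(k.Checksum[:], c.take(4))
	keys := &cursor{b: c.take(int(c.u16()))} // keys<4..2^16-1>: KeyShareEntry{group, key<1..2^16-1>}
	for keys.err == nil && keys.off < len(keys.b) {
		g := keys.u16()
		key := append([]byte(nil), keys.take(int(keys.u16()))...)
		k.KeyShares = append(k.KeyShares, KeyShare{Group: g, Key: key})
	}
	suites := &cursor{b: c.take(int(c.u16()))} // cipher_suites<2..2^16-2>
	for suites.err == nil && suites.off < len(suites.b) {
		k.CipherSuites = append(k.CipherSuites, suites.u16())
	}
	k.PaddedLength = c.u16()
	k.NotBefore = time.Unix(int64(c.u64()), 0).UTC()
	k.NotAfter = time.Unix(int64(c.u64()), 0).UTC()
	c.take(int(c.u16())) // extensions<0..2^16-1>: none defined in draft-02
	if c.err != nil || keys.err != nil || suites.err != nil || c.off != len(raw) ||
		len(k.KeyShares) == 0 || len(k.CipherSuites) == 0 {
		return nil, errors.New("malformed ESNIKeys record")
	}
	zeroed := append([]byte(nil), raw...)
	copy(zeroed[2:6], make([]byte, 4))
	sum := sha256.Sum256(zeroed)
	k.ChecksumOK = bytes.Equal(sum[:4], k.Checksum[:])
	return k, nil
}

// Usable reports whether a client may encrypt with this key at time now.
func (k *ESNIKeys) Usable(now time.Time) bool {
	return !now.Before(k.NotBefore) && !now.After(k.NotAfter)
}

func main() {
	k, err := ParseESNIKeys(cloudflareESNIRecord)
	fmt.Printf("%+v\nerr: %v\n", k, err)
}
```

Keys outside the not_before/not_after window must not be used, so a client re-resolves rather than reusing a stale record (hence the short TTL of 1799 s on the TXT record above); the server, in turn, has to keep accepting the previous key for at least that long after publishing a new one. That is the key-rotation question the conclusion of this article raises.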
Client support
As far as browsers go, at the moment Firefox is the one with ESNI support. Enabling ESNI in Firefox also requires enabling DoH. Once the browser is configured, we should see something like this:

Cloudflare's browser check page mentioned above can be used to verify that the browser really sends ESNI.
Naturally, TLS 1.3 has to be used for ESNI to work, since ESNI is an extension of TLS 1.3.
To test ESNI support on the backend we wrote a client in Go, but more on that later.
Server-side support
At the moment ESNI is not supported by web servers such as nginx, apache and so on, because their TLS is built on OpenSSL/BoringSSL, which do not publicly support ESNI.
So we decided to build our own termination component, an ESNI reverse proxy, which terminates TLS 1.3 with ESNI and proxies HTTP(S) traffic to an upstream that does not support ESNI. This lets us use the technology on the existing infrastructure without changing its core, that is, keeping the current web servers that have no ESNI support.
For clarity, here is the diagram:

Note that the proxy is also built to terminate TLS connections without ESNI, to support clients that do not have it. In addition, the upstream protocol can be HTTP or HTTPS with a TLS version below 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility. The trade-off to keep in mind is that a client falling back to plain SNI still reveals the hostname on the wire, so the privacy gain applies only to ESNI-capable clients, and the proxy-to-upstream leg is only as protected as the network it runs over.
The Go implementation of ESNI support we borrowed from an existing open-source project. I want to note right away that the implementation itself is not trivial, because it includes changes to the standard crypto/tls library, so it requires "patching" GOROOT before building.
To generate the ESNI keys we used a separate tool, also a Cloudflare project. These keys are used to encrypt and decrypt the SNI.
We tested the build with Go 1.13 on Linux (Debian, Alpine) and macOS.
A few words about performance
The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream response time and response codes, failed/successful TLS handshakes and TLS handshake duration. At first glance this looks sufficient to analyse how the proxy handles traffic.
We also ran load tests before putting it into service. The results are below:
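As an added example (not the Exness proxy's code), here is a minimal Go front-end with the same shape as the reverse proxy described above: TLS termination restricted to TLS 1.3, as ESNI requires, in front of a plain-HTTP upstream, with the handshake success/failure counters and handshake timing that the metrics paragraph mentions. The stock crypto/tls has no ESNI, so this does not decrypt an encrypted SNI; it shows the termination, accounting and proxying scaffolding that would sit around the patched library. The hostname esni-rev-proxy.npw, the self-signed certificate and the upstream address in main are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync/atomic"
	"time"
)

// HandshakeMetrics stands in for the proxy's Prometheus handshake counters (updated atomically).
type HandshakeMetrics struct{ OK, Failed, NanosTotal int64 }

func (m *HandshakeMetrics) record(ok bool, d time.Duration) {
	counter := map[bool]*int64{true: &m.OK, false: &m.Failed}[ok]
	atomic.AddInt64(counter, 1)
	atomic.AddInt64(&m.NanosTotal, int64(d))
}

// handshakeListener completes the TLS handshake, under a deadline, before a connection reaches
// http.Server, so a failure (e.g. a TLS 1.2-only client) is counted and timed rather than dropped.
// Handshakes are serialized here for brevity; a production listener runs them in goroutines.
type handshakeListener struct {
	net.Listener
	cfg *tls.Config
	m   *HandshakeMetrics
}

func (l *handshakeListener) Accept() (net.Conn, error) {
	for {
		raw, err := l.Listener.Accept()
		if err != nil {
			return nil, err
		}
		_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
		tc, start := tls.Server(raw, l.cfg), time.Now()
		if err := tc.Handshake(); err != nil {
			l.m.record(false, time.Since(start))
			raw.Close()
			continue
		}
		l.m.record(true, time.Since(start))
		_ = raw.SetDeadline(time.Time{})
		return tc, nil
	}
}

// selfSignedCert issues a throwaway certificate for host (an assumed name; test use only).
func selfSignedCert(host string) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{host}, BasicConstraintsValid: true, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, err
}

// StartProxy terminates TLS (1.3 only, as ESNI requires) on 127.0.0.1 and forwards plain HTTP
// to target; it returns the listen address, the certificate clients must trust, and a stop func.
func StartProxy(target *url.URL, m *HandshakeMetrics) (string, tls.Certificate, func(), error) {
	cert, err := selfSignedCert("esni-rev-proxy.npw")
	if err != nil {
		return "", cert, nil, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", cert, nil, err
	}
	rp := httputil.NewSingleHostReverseProxy(target)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		r.Header.Set("X-Forwarded-Proto", "https") // the upstream only ever sees plain HTTP
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
	srv := &http.Server{Handler: rp, ReadHeaderTimeout: 10 * time.Second}
	go srv.Serve(&handshakeListener{Listener: ln, cfg: cfg, m: m})
	return ln.Addr().String(), cert, func() { srv.Close() }, nil
}

func main() {
	target, _ := url.Parse("http://127.0.0.1:8080") // assumed upstream
	addr, _, _, err := StartProxy(target, &HandshakeMetrics{})
	println("TLS 1.3 front on https://"+addr, err)
	select {}
}
```

Doing the handshake explicitly in Accept, rather than letting http.Server do it lazily, is what makes the failed/successful handshake counters and the handshake-duration metric possible; http.Server only reports the connections that survived.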
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.77s 1.21s 7.20s 65.43%
Req/Sec 13.78 8.84 140.00 83.70%
206357 requests in 6.00m, 6.08GB read
Requests/sec: 573.07
Transfer/sec: 17.28MB
We ran a rough load test to compare the setup with the ESNI reverse proxy against the one without it. Traffic was generated locally to exclude "interference" from intermediate network segments.
So, with ESNI support and proxying to the upstream over HTTP, we got roughly ~550 rps from a single instance, with the following average CPU/RAM consumption of the ESNI reverse proxy:
- CPU usage 80% (4 vCPU, 4 GB RAM host, Linux)
- 130 MB RSS

For comparison, the RPS for a single nginx upstream without TLS termination (plain HTTP) was ~1100:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.11s 2.30s 15.00s 90.94%
Req/Sec 23.25 13.55 282.00 79.25%
393093 requests in 6.00m, 11.35GB read
Socket errors: connect 0, read 0, write 0, timeout 9555
Non-2xx or 3xx responses: 8111
Requests/sec: 1091.62
Transfer/sec: 32.27MB
The timeouts indicate a shortage of resources (we used 4 vCPU / 4 GB RAM Linux hosts); in practice the RPS can be higher (we got figures of up to 2700 RPS on more powerful hardware). Note that the nginx run above also reports 8111 non-2xx/3xx responses alongside the 9555 timeouts, so the two numbers are a rough comparison, as intended, rather than a benchmark.
In conclusion, I would say that ESNI looks promising. There are still many open questions, for example storing the public ESNI key in DNS and rotating ESNI keys; these issues are being actively discussed, and a newer version of the ESNI draft (at the time of writing) already exists.
Source: www.habr.com
