Hi Habr, my name is Ilya and I work in the platform team at Exness. We develop and roll out the core infrastructure components used by our product development teams.
In this article I want to share my experience of implementing Encrypted SNI (ESNI) in the infrastructure behind public websites.

Using this technology raises the security level of interactions with a public website and satisfies the internal security standards adopted by the Company.
First, I should note that the technology is not standardized and is still at the draft stage, but it is already supported by Cloudflare and Mozilla (in Firefox). That is what motivated us to run this experiment.
A bit of theory
ESNI is an extension of the TLS 1.3 protocol that encrypts the SNI in the "Client Hello" handshake message. Here is what a Client Hello with ESNI support looks like (instead of the usual SNI extension we see ESNI):

Three components are needed to use ESNI:
- DNS;
- client support;
- server-side support.
DNS
Two DNS records have to be added, A and TXT (the TXT record carries the public key with which the client encrypts the SNI); see below. DoH (DNS over HTTPS) support is also required, because the clients available to us (see below) do not support ESNI without it. This is logical: the whole point of ESNI is to hide the name of the resource being accessed, so resolving that name over plain DNS (UDP) would leak it anyway. DNSSEC can additionally protect against cache-poisoning attacks here.
Public DoH resolvers are already available, among them:
Cloudflare (see My Browser → Encrypted SNI → Learn More) already supports ESNI on its own servers, i.e. for Cloudflare's servers DNS holds both records, A and TXT. In the example below we query Google DNS (over HTTPS):
A record:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' -s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "www.cloudflare.com.",
"type": 1
}
],
"Answer": [
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.210.9"
},
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.209.9"
}
]
}
TXT record; the query name follows the pattern _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' -s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16
}
],
"Answer": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16,
"TTL": 1799,
"data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
}
],
"Comment": "Response from 2400:cb00:2049:1::a29f:209."
}
So, from the DNS point of view, we need to use DoH (preferably with DNSSEC) and add the two records.
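To see what a client actually consumes from that TXT record, here is an added Go example written for this page (it is not the article's or the proxy's own code) that decodes the draft-ietf-tls-esni-02 ESNIKeys structure from the Cloudflare record above. The wire layout it parses (version, checksum, KeyShareEntry list, cipher suites, padded_length, not_before/not_after, extensions) is the draft's; the CloudflareTXT constant is the value returned by the query above, used as sample input, and the Usable check is what a client or the proxy should run before trusting a record.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// CloudflareTXT is the _esni.www.cloudflare.com TXT value exactly as the DoH query above
// returned it (surrounding quotes included); it serves as the sample input here.
const CloudflareTXT = `"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="`
// ESNIKeys is the draft-ietf-tls-esni-02 structure carried in the TXT record.
type ESNIKeys struct {
	Version      uint16    // 0xff01 for draft-02
	Checksum     [4]byte   // first 4 bytes of SHA-256 over the record with this field zeroed
	ChecksumOK   bool      // integrity only: catches DNS corruption, not tampering (that is DNSSEC's job)
	Group        uint16    // NamedGroup of the key share; 0x001d is x25519
	PublicKey    []byte    // the server's public ESNI key the client encrypts the SNI to
	CipherSuites []uint16  // 0x1301 is TLS_AES_128_GCM_SHA256
	PaddedLength uint16    // the SNI is zero-padded to this length before encryption
	NotBefore    time.Time // validity window: a record outside it must not be used
	NotAfter     time.Time
}
// cursor is a bounds-checked reader: an over-read sets err and yields zeros instead of panicking.
type cursor struct {
	buf []byte
	err error
}
func (c *cursor) take(n int) []byte {
	if c.err != nil || n > len(c.buf) {
		c.err = errors.New("esni: truncated ESNIKeys")
		return make([]byte, n)
	}
	b := c.buf[:n]
	c.buf = c.buf[n:]
	return b
}
func (c *cursor) u16() uint16 { return binary.BigEndian.Uint16(c.take(2)) }
func (c *cursor) u64() uint64 { return binary.BigEndian.Uint64(c.take(8)) }

// ParseESNIKeys decodes a TXT value (quoted base64, as DoH JSON returns it) into ESNIKeys.
func ParseESNIKeys(txt string) (*ESNIKeys, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.Trim(txt, `"`))
	if err != nil {
		return nil, err
	}
	r := &cursor{buf: raw}
	k := &ESNIKeys{Version: r.u16()}
	copy(k.Checksum[:], r.take(4))
	keys := &cursor{buf: r.take(int(r.u16()))} // KeyShareEntry keys<4..2^16-1>; the first entry is used
	k.Group = keys.u16()
	k.PublicKey = keys.take(int(keys.u16()))
	suites := &cursor{buf: r.take(int(r.u16()))} // CipherSuite cipher_suites<2..2^16-2>
	for len(suites.buf) > 0 && suites.err == nil {
		k.CipherSuites = append(k.CipherSuites, suites.u16())
	}
	k.PaddedLength = r.u16()
	k.NotBefore = time.Unix(int64(r.u64()), 0).UTC()
	k.NotAfter = time.Unix(int64(r.u64()), 0).UTC()
	r.take(int(r.u16())) // Extension extensions<0..2^16-1>, empty in the records seen in the wild
	if r.err == nil && len(r.buf) != 0 {
		r.err = errors.New("esni: trailing bytes after ESNIKeys")
	}
	if err := errors.Join(r.err, keys.err, suites.err); err != nil {
		return nil, err
	}
	zeroed := append([]byte(nil), raw...)
	copy(zeroed[2:6], make([]byte, 4))
	sum := sha256.Sum256(zeroed)
	k.ChecksumOK = bytes.Equal(sum[:4], k.Checksum[:])
	return k, nil
}

// Usable is the check a client or the proxy should run before using the record at time now.
func (k *ESNIKeys) Usable(now time.Time) error {
	switch {
	case k.Version != 0xff01:
		return fmt.Errorf("esni: unsupported ESNIKeys version %#x", k.Version)
	case k.Group != 0x001d || len(k.PublicKey) != 32:
		return errors.New("esni: expected a 32-byte x25519 key share")
	case now.Before(k.NotBefore) || now.After(k.NotAfter):
		return fmt.Errorf("esni: key valid %s to %s, not at %s", k.NotBefore.Format(time.RFC3339), k.NotAfter.Format(time.RFC3339), now.UTC().Format(time.RFC3339))
	}
	return nil
}

func main() {
	k, err := ParseESNIKeys(CloudflareTXT)
	if err != nil {
		panic(err)
	}
	fmt.Printf("version %#x group %#x key %x suites %#x padded_length %d checksum_ok %v\n", k.Version, k.Group, k.PublicKey, k.CipherSuites, k.PaddedLength, k.ChecksumOK)
	fmt.Printf("valid %s to %s; usable now: %v\n", k.NotBefore.Format(time.RFC3339), k.NotAfter.Format(time.RFC3339), k.Usable(time.Now()))
}
```

Two things worth noticing in the output. The checksum is the first four bytes of SHA-256 over the record with its own checksum field zeroed, so it only detects DNS corruption; it is no substitute for DNSSEC. And the validity window is not decorative: Cloudflare rotates ESNI keys, and a record cached past not_after will make the proxy unable to decrypt the SNI, so the window should be checked on every use, not just once at startup.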
Client support
As for browsers, at the moment only Firefox supports it. ESNI and DoH are enabled in Firefox through about:config (network.security.esni.enabled and network.trr.mode); after configuring the browser we should see something like this:

Cloudflare's "My Browser" check page mentioned above can be used to verify that the browser is actually using ESNI.
Naturally, TLS 1.3 must be in use for ESNI to work, since ESNI is an extension of TLS 1.3.
To test the backend's ESNI support we implemented a client in Go, but more on that later.
Server-side support
At the moment ESNI is not supported by web servers such as nginx, Apache and others, because they rely on OpenSSL/BoringSSL for TLS, and those libraries do not officially support ESNI.
So we decided to build our own front-end component (an ESNI reverse proxy) that terminates TLS 1.3 with ESNI and proxies HTTP(S) traffic to an upstream that does not support ESNI. This lets us use the technology within the existing infrastructure without changing its core components, i.e. while keeping the current web servers that do not support ESNI.
For clarity, here is a diagram:

Note that the proxy was built so that it can also terminate TLS connections without ESNI, to support clients that lack ESNI. The protocol towards the upstream can be either HTTP or HTTPS with a TLS version below 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility.
We based the Go implementation of ESNI support on Cloudflare's fork of crypto/tls. I should say right away that the implementation is not trivial, because it involves changes to the standard library's crypto/tls, so GOROOT has to be "patched" before building.
To generate ESNI keys we used a utility (also developed by Cloudflare). The keys are used to encrypt the SNI on the client side and to decrypt it on the proxy.
We tested the build with Go 1.13 on Linux (Debian, Alpine) and macOS.
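For what the proxy actually does with those keys, here is an added Go example written for this page (it is neither the Exness proxy nor Cloudflare's crypto/tls fork, and uses only the standard library) that walks through the draft-02 SNI encryption on both sides: the client runs X25519 against the server's public ESNI key, derives key and IV with TLS 1.3's HKDF-Expand-Label, and AES-128-GCM-seals nonce || ServerNameList zero-padded to padded_length with the ClientHello's key_share body as associated data; the proxy reverses this with its static private key. Two simplifications are marked in the code: ESNIContents is hashed without the record_digest the draft prepends, and no real ClientHello is framed, so the key_share body and client random are constructed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// hkdfExpandLabel is TLS 1.3's HKDF-Expand-Label (RFC 8446, 7.1), which draft-02 ESNI reuses.
// Only n <= 32 is needed here, so one HKDF-Expand block, HMAC(prk, info || 0x01), suffices.
func hkdfExpandLabel(prk []byte, label string, context []byte, n int) []byte {
	full := "tls13 " + label // HkdfLabel: uint16 length, label<7..255>, context<0..255>
	info := append(append(append([]byte{byte(n >> 8), byte(n), byte(len(full))}, full...), byte(len(context))), context...)
	m := hmac.New(sha256.New, prk)
	m.Write(append(info, 1))
	return m.Sum(nil)[:n]
}

// session is the draft-02 key schedule both ends run: Zx = X25519(priv, peer); key and IV come from
// HKDF-Expand-Label(HKDF-Extract(0, Zx), "esni key"/"esni iv", Hash(esni_key_share || client_random)).
func session(priv *ecdh.PrivateKey, peer, share, clientRandom []byte) (cipher.AEAD, []byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, nil, err
	}
	zx, err := priv.ECDH(pub)
	if err != nil {
		return nil, nil, err
	}
	entry := binary.BigEndian.AppendUint16(binary.BigEndian.AppendUint16(nil, 0x001d), uint16(len(share)))
	h := sha256.Sum256(append(append(entry, share...), clientRandom...)) // KeyShareEntry(x25519) || random; record_digest omitted
	extract := hmac.New(sha256.New, nil)                                // HKDF-Extract with a zero salt
	extract.Write(zx)
	prk := extract.Sum(nil)
	block, _ := aes.NewCipher(hkdfExpandLabel(prk, "esni key", h[:], 16)) // 16-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead, hkdfExpandLabel(prk, "esni iv", h[:], 12), nil
}

// EncryptSNI is the client side; serverPub is the raw 32-byte key from the ESNIKeys record. It seals
// nonce[16] || ServerNameList || zero padding with the ClientHello key_share body as associated data.
func EncryptSNI(serverPub, clientRandom, keyShareAAD []byte, host string, paddedLength int) (share, encrypted []byte, err error) {
	if 5+len(host) > paddedLength || paddedLength > 0xffff {
		return nil, nil, errors.New("esni: host name does not fit padded_length")
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	share = eph.PublicKey().Bytes()
	aead, iv, err := session(eph, serverPub, share, clientRandom)
	if err != nil {
		return nil, nil, err
	}
	inner := make([]byte, 16, 16+paddedLength) // nonce, echoed by the server in EncryptedExtensions
	rand.Read(inner)                           // crypto/rand.Read does not fail in current Go
	inner = append(binary.BigEndian.AppendUint16(inner, uint16(3+len(host))), 0) // list length, name_type host_name
	inner = append(binary.BigEndian.AppendUint16(inner, uint16(len(host))), host...)
	inner = append(inner, make([]byte, 16+paddedLength-len(inner))...) // padding hides the name length
	return share, aead.Seal(nil, iv, inner, keyShareAAD), nil
}

// DecryptSNI is the proxy side: derive the same key from its static ESNI private key, open the blob,
// then check the ServerNameList framing and the all-zero padding before trusting the name.
func DecryptSNI(serverPriv *ecdh.PrivateKey, share, clientRandom, keyShareAAD, encrypted []byte) (string, error) {
	aead, iv, err := session(serverPriv, share, share, clientRandom)
	if err != nil {
		return "", err
	}
	inner, err := aead.Open(nil, iv, encrypted, keyShareAAD)
	if err != nil {
		return "", errors.New("esni: open failed (wrong key, rotated ESNIKeys or tampered ClientHello)")
	}
	if len(inner) < 21 || inner[18] != 0 { // nonce(16) || list length(2) || name_type(1) || name length(2)
		return "", errors.New("esni: malformed ClientESNIInner")
	}
	n, name := int(binary.BigEndian.Uint16(inner[19:21])), inner[21:]
	if int(binary.BigEndian.Uint16(inner[16:18])) != 3+n || n > len(name) || !bytes.Equal(name[n:], make([]byte, len(name)-n)) {
		return "", errors.New("esni: bad ServerNameList length or non-zero padding")
	}
	return string(name[:n]), nil
}

func main() {
	serverPriv, _ := ecdh.X25519().GenerateKey(rand.Reader) // constructed stand-in for the proxy's ESNI key file
	clientRandom, aad := make([]byte, 32), []byte("constructed stand-in for ClientHello.key_share")
	rand.Read(clientRandom)
	share, enc, err := EncryptSNI(serverPriv.PublicKey().Bytes(), clientRandom, aad, "www.example.com", 260)
	host, derr := DecryptSNI(serverPriv, share, clientRandom, aad, enc)
	fmt.Printf("encrypted_sni=%d bytes host=%q errors=%v %v\n", len(enc), host, err, derr)
}
```

Running it shows why padded_length is part of the record: any host name that fits yields the same ciphertext size (16-byte nonce + 260 bytes of padded name list + 16-byte GCM tag = 292 bytes), so an observer learns nothing about the name's length. It also shows why the proxy must keep the private key matching the record it publishes: with a rotated key, or a ClientHello whose key_share was modified in transit, the AEAD open fails outright instead of decrypting to garbage, which is the failure the TLS handshake metrics in the next section will surface.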
A few words about operational aspects
The ESNI reverse proxy exposes metrics in Prometheus format, such as RPS, upstream latency and response codes, failed/successful TLS handshakes and TLS handshake duration. At first glance this is enough to evaluate how the proxy handles traffic.
We also ran load testing before rollout. The results are below:
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.77s 1.21s 7.20s 65.43%
Req/Sec 13.78 8.84 140.00 83.70%
206357 requests in 6.00m, 6.08GB read
Requests/sec: 573.07
Transfer/sec: 17.28MB
We ran a simple load test to compare the setup with and without the ESNI reverse proxy. We sent the traffic directly to the location so that intermediate components would not "interfere".
So, with ESNI support and proxying to an HTTP upstream, we got roughly ~550 RPS from a single instance, with the following average CPU/RAM consumption of the ESNI reverse proxy:
- 80% CPU usage (4 vCPU, 4 GB RAM host, Linux)
- 130 MB RSS

For comparison, the RPS for nginx in front of the same upstream without TLS termination (plain HTTP) is ~1100:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.11s 2.30s 15.00s 90.94%
Req/Sec 23.25 13.55 282.00 79.25%
393093 requests in 6.00m, 11.35GB read
Socket errors: connect 0, read 0, write 0, timeout 9555
Non-2xx or 3xx responses: 8111
Requests/sec: 1091.62
Transfer/sec: 32.27MB
The spread of the values indicates that resources were insufficient (we used 4 vCPU, 4 GB RAM hosts, Linux), and the RPS could be higher (on more powerful hosts we got readings of up to 2700 RPS).
In conclusion, I'll note that ESNI looks very promising. Many questions remain open, for example storing the public ESNI key in DNS and ESNI key rotation; these issues are being actively discussed, and a new version of the ESNI draft had already appeared at the time of writing.
Source: will.com
