How to protect your website with ESNI

Hi Habr, my name is Ilya and I work in the platform team at Exness. We develop and roll out the core infrastructure components that our product development teams use.

In this article I want to share my experience of implementing Encrypted SNI (ESNI) in the infrastructure of public websites.


Using this technology raises the level of security when users interact with a public website, and it complies with the internal security standards adopted by the Company.

First, I want to point out that the technology is not a standard yet; it is still a draft, but it is already supported by Cloudflare and Mozilla (as of draft01). This is what inspired us to experiment with it.

A bit of theory

ESNI is an extension of the TLS 1.3 protocol that allows the SNI in the "Client Hello" handshake message to be encrypted. This is what a Client Hello with ESNI support looks like (instead of the usual SNI we see ESNI):


To use ESNI, three components are needed:

  • DNS;
  • client support;
  • server-side support.

DNS

You need to add two DNS records: A and TXT (the TXT record holds the public key with which the client encrypts the SNI); see below. In addition, you need DoH (DNS over HTTPS) support, because the clients currently available (see below) cannot do ESNI without DoH. This is logical: ESNI is about hiding the name of the resource we are accessing, so there is no point in resolving that name over plain UDP DNS. Also, using DNSSEC lets you protect against cache-poisoning attacks in this scheme.

Quite a few DoH providers are available now, among them Cloudflare and Google (both are used below).

Cloudflare explicitly states (see My Browser → Encrypted SNI → Learn More) that its servers already support ESNI, i.e. for Cloudflare servers we have both records in DNS: A and TXT. In the example below we query Google DNS (over HTTPS):

A record:

curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}

TXT record; the query name is built from the pattern _esni.FQDN:

curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16
    }
  ],
  "Answer": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16,
      "TTL": 1799,
      "data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}

So, from the DNS side, we need to use DoH (preferably together with DNSSEC) and add two records.
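To make the TXT record above less opaque, here is an added decoder for it (example code written for this article, not the article's own code and not Cloudflare's). It assumes the ESNIKeys wire layout of draft-ietf-tls-esni-01/02, which is what the leading version field 0xff01 of the quoted record identifies, and it checks the record's checksum the way draft-02 defines it (the first four bytes of SHA-256 over the structure with the checksum field zeroed). The record string is the one returned by the query above; everything else is the example's own.

```python
"""Decode an ESNIKeys record as published in the _esni.<FQDN> TXT record.

Added example, not code from the article or from Cloudflare. Assumed layout
(draft-ietf-tls-esni-01/02, version 0xff01):

    uint16        version;
    uint8         checksum[4];
    KeyShareEntry keys<4..2^16-1>;
    CipherSuite   cipher_suites<2..2^16-2>;
    uint16        padded_length;
    uint64        not_before;
    uint64        not_after;
    Extension     extensions<0..2^16-1>;
"""
import base64
import hashlib
import struct
from datetime import datetime, timezone

# TXT record for _esni.www.cloudflare.com exactly as quoted in the article.
CLOUDFLARE_ESNI_TXT = (
    "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1Qg"
    "AAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="
)

ESNI_VERSION_DRAFT02 = 0xFF01
NAMED_GROUPS = {0x001D: "x25519", 0x0017: "secp256r1", 0x0018: "secp384r1"}
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}


class ESNIKeysError(ValueError):
    """Raised for a malformed or unsupported ESNIKeys record."""


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new offset, failing on truncated input."""
    if pos + n > len(buf):
        raise ESNIKeysError("truncated ESNIKeys at offset %d (need %d bytes)" % (pos, n))
    return buf[pos:pos + n], pos + n


def _u16(buf, pos):
    chunk, pos = _take(buf, pos, 2)
    return struct.unpack("!H", chunk)[0], pos


def parse_esni_keys(txt):
    """Parse the base64 TXT payload into a dict; raises ESNIKeysError on bad input."""
    try:
        raw = base64.b64decode(txt, validate=True)
    except ValueError as exc:
        raise ESNIKeysError("TXT payload is not valid base64: %s" % exc)

    version, pos = _u16(raw, 0)
    if version != ESNI_VERSION_DRAFT02:
        raise ESNIKeysError("unsupported ESNIKeys version 0x%04x" % version)

    checksum, pos = _take(raw, pos, 4)
    # draft-02: first 4 bytes of SHA-256 over the structure with checksum zeroed.
    zeroed = raw[:2] + b"\x00" * 4 + raw[6:]
    checksum_ok = hashlib.sha256(zeroed).digest()[:4] == checksum

    keys_len, pos = _u16(raw, pos)
    keys_blob, pos = _take(raw, pos, keys_len)
    keys, kpos = [], 0
    while kpos < len(keys_blob):                     # vector of KeyShareEntry
        group, kpos = _u16(keys_blob, kpos)
        klen, kpos = _u16(keys_blob, kpos)
        key_exchange, kpos = _take(keys_blob, kpos, klen)
        keys.append({"group": NAMED_GROUPS.get(group, "0x%04x" % group),
                     "key_exchange": key_exchange})
    if not keys:
        raise ESNIKeysError("ESNIKeys carries no KeyShareEntry")

    cs_len, pos = _u16(raw, pos)
    if cs_len == 0 or cs_len % 2:
        raise ESNIKeysError("bad cipher_suites length %d" % cs_len)
    cs_blob, pos = _take(raw, pos, cs_len)
    suites = [CIPHER_SUITES.get(s, "0x%04x" % s)
              for s in struct.unpack("!%dH" % (cs_len // 2), cs_blob)]

    tail, pos = _take(raw, pos, 2 + 8 + 8)
    padded_length, not_before, not_after = struct.unpack("!HQQ", tail)
    if not_after < not_before:
        raise ESNIKeysError("not_after precedes not_before")

    ext_len, pos = _u16(raw, pos)
    extensions, pos = _take(raw, pos, ext_len)
    if pos != len(raw):
        raise ESNIKeysError("%d trailing bytes after ESNIKeys" % (len(raw) - pos))

    return {"version": version, "checksum_ok": checksum_ok, "keys": keys,
            "cipher_suites": suites, "padded_length": padded_length,
            "not_before": not_before, "not_after": not_after,
            "extensions": extensions}


def is_valid_at(record, unix_time):
    """True if the record's validity window covers unix_time (key-rotation check)."""
    return record["not_before"] <= unix_time <= record["not_after"]


if __name__ == "__main__":
    rec = parse_esni_keys(CLOUDFLARE_ESNI_TXT)
    for field in ("not_before", "not_after"):
        rec[field + "_utc"] = datetime.fromtimestamp(rec[field], timezone.utc).isoformat()
    rec["keys"] = [dict(k, key_exchange=k["key_exchange"].hex()) for k in rec["keys"]]
    for name, value in rec.items():
        print("%-16s %s" % (name, value))
```

Run as a script, it prints the decoded fields: one x25519 key share, the single cipher suite TLS_AES_128_GCM_SHA256, a padded_length of 260 bytes (the size every encrypted SNI is padded to, so the hostname length does not leak) and a not_before/not_after window of 2020-06-01 16:00 UTC to 2020-06-07 16:00 UTC. That last field is the practical side of the key-rotation question raised at the end of the article: the record's DNS TTL is only 1799 seconds, but a resolver or client that caches the key for longer than the window would encrypt with a key the server has already retired, so `is_valid_at` is the check a client (or a monitoring job on the server side) should run before trusting a cached record.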

Client support

If we are talking about browsers, then at the moment support is implemented only in Firefox. Here are the instructions for enabling ESNI and DoH support in Firefox. After configuring the browser, we should see something like this on the browser check page (link to check your browser).

Naturally, TLS 1.3 must be used for ESNI to work, since ESNI is an extension of TLS 1.3.

To test the backend with ESNI support we implemented a client in Go, but more on that later.

Server-side support

At the moment ESNI is not supported by web servers such as nginx, apache and others, because they handle TLS through OpenSSL/BoringSSL, which do not officially support ESNI.

Therefore, we decided to build our own front-end component (an ESNI reverse proxy) that terminates TLS 1.3 with ESNI and proxies HTTP(S) traffic to an upstream that does not support ESNI. This lets us use the technology in existing infrastructures without changing the core components, i.e. while keeping the current web servers that do not support ESNI.

For clarity, here is a diagram:


I should note that the proxy is built so that it can also terminate a TLS connection without ESNI, in order to support clients that do not have ESNI. Also, the protocol towards the upstream can be HTTP, or HTTPS with a TLS version lower than 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility.

We borrowed the Go implementation of ESNI support from Cloudflare. I want to note right away that the implementation itself is far from trivial, because it requires changes to the standard library package crypto/tls, so GOROOT has to be "patched" before building.

To generate the ESNI keys we used a utility (also a Cloudflare idea). These keys are used to encrypt and decrypt the SNI. We tested the build with Go 1.13 on Linux (Debian, Alpine) and macOS.

A few words about operational aspects

The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency and response codes, failed/successful TLS handshakes and TLS handshake duration. At first glance this is enough to judge how the proxy is handling traffic.

We also did load testing before deploying. The results are below:

wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.77s     1.21s    7.20s    65.43%
    Req/Sec    13.78      8.84   140.00     83.70%
  206357 requests in 6.00m, 6.08GB read
Requests/sec:    573.07
Transfer/sec:     17.28MB 

We ran the load test directly, to compare the scheme with and without the ESNI reverse proxy. We "poured" the traffic in locally so as not to "disturb" the intermediate components.

So, with ESNI support and proxying to an HTTP upstream, we got roughly ~550 rps from a single instance, with the following average CPU/RAM consumption of the ESNI reverse proxy:

  • 80% CPU usage (4 vCPU, 4 GB RAM host, Linux)
  • 130 MB RSS memory


For comparison, the RPS for the same nginx upstream without TLS termination (plain HTTP) is ~1100:

wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.11s     2.30s   15.00s    90.94%
    Req/Sec    23.25     13.55   282.00     79.25%
  393093 requests in 6.00m, 11.35GB read
  Socket errors: connect 0, read 0, write 0, timeout 9555
  Non-2xx or 3xx responses: 8111
Requests/sec:   1091.62
Transfer/sec:     32.27MB 

The presence of timeouts indicates a shortage of resources (we used a 4 vCPU, 4 GB RAM host, Linux), and the RPS could well be higher (the statistics reached 2700 RPS on more powerful resources).

In conclusion, I should say that ESNI looks very promising. There are still many open questions, for example how the ESNI public key should be stored in DNS and how ESNI keys should be rotated; these questions are being actively discussed, and the latest version of the ESNI draft (at the time of writing) is 7.

Source: will.com
