Hello Habr, my name is Ilya and I work in the platform team at Exness. We develop and implement the core infrastructure components used by our product development teams.
In this article I want to share my experience of implementing Encrypted SNI (ESNI) in the infrastructure of public websites.

Using this technology raises the level of security when interacting with a public website and complies with the internal security standards adopted by the Company.
First of all, I want to note that the technology is not standardized and is still a draft, but it is already supported by CloudFlare and Mozilla (in ). This is what inspired us to run this experiment.
A bit of theory
ESNI is an extension of the TLS 1.3 protocol that makes it possible to encrypt the SNI in the "Client Hello" handshake message. This is what a Client Hello with ESNI support looks like (in place of the usual SNI we see ESNI):

To use ESNI, three components are needed:
- DNS;
- client support;
- server-side support.
DNS
You need to add two DNS records - A and TXT (the TXT record contains the public key with which the client encrypts the SNI) - see below. In addition, DoH (DNS over HTTPS) support is required, because the available clients (see below) do not allow ESNI without DoH. This is logical: ESNI implies encrypting the name of the resource we are accessing, so there is no point in querying DNS over plain UDP. Also, its use protects against cache poisoning attacks in this scenario.
Available now , among them:
Cloudflare (see My Browser → Encrypted SNI → Learn More) already supports ESNI on its servers, i.e. for CloudFlare servers we have two records in DNS - A and TXT. In the example below we query Google DNS (over HTTPS):
A record:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}
TXT record; the query is built according to the pattern _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16
    }
  ],
  "Answer": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16,
      "TTL": 1799,
      "data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}
So, from the DNS point of view, we need to use DoH (preferably with DNSSEC) and add two records.
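What exactly a client receives in that TXT record is worth seeing decoded. The following Go program is an added example, not code from the article or its authors: it takes the "data" value of the _esni.www.cloudflare.com answer above exactly as Google's DoH JSON returns it (wrapped in literal quotes), base64-decodes it and parses it as the draft-ietf-tls-esni-02 ESNIKeys structure (version 0xff01) that Cloudflare published at the time, checking every length prefix, the validity window and the record's checksum. The field layout, the checksum rule (first four bytes of SHA-256 over the record with the checksum zeroed) and the meaning of group 0x001d and cipher suite 0x1301 come from draft-02 and the TLS registries, not from the article.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// cloudflareTXT is the "data" value of the _esni.www.cloudflare.com TXT answer shown above, as Google's DoH JSON returns it (quoted).
const cloudflareTXT = `"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="`

// ESNIKeys is the draft-ietf-tls-esni-02 structure (version 0xff01) carried in the TXT record.
type ESNIKeys struct {
	Version      uint16
	Checksum     [4]byte
	Keys         []KeyShare
	CipherSuites []uint16 // 0x1301 = TLS_AES_128_GCM_SHA256
	PaddedLength uint16   // the SNI is padded to this length before encryption
	NotBefore    time.Time
	NotAfter     time.Time
	ChecksumOK   bool // draft-02: first 4 bytes of SHA-256 over the record with checksum zeroed
}

type KeyShare struct {
	Group  uint16 // 0x001d = x25519
	Public []byte
}

// DecodeTXT strips the quotes DoH puts around TXT data and base64-decodes the record.
func DecodeTXT(data string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.Trim(strings.TrimSpace(data), `"`))
}

// reader is a bounds-checked cursor with a sticky error: a truncated record is rejected once at the end instead of panicking.
type reader struct {
	buf []byte
	err error
}

func (r *reader) take(n int) []byte {
	if r.err == nil && n <= len(r.buf) {
		b := r.buf[:n]
		r.buf = r.buf[n:]
		return b
	}
	r.err = errors.New("ESNIKeys truncated")
	return make([]byte, n) // zeroed stand-in so callers never index out of range
}
func (r *reader) u16() uint16   { return binary.BigEndian.Uint16(r.take(2)) }
func (r *reader) vec16() []byte { return r.take(int(r.u16())) } // 16-bit length-prefixed vector

// ParseESNIKeys decodes the record, rejects malformed input and verifies the checksum.
func ParseESNIKeys(b []byte) (*ESNIKeys, error) {
	r := &reader{buf: b}
	k := &ESNIKeys{Version: r.u16()}
	if k.Version != 0xff01 {
		return nil, fmt.Errorf("unsupported ESNIKeys version %#04x", k.Version)
	}
	copy(k.Checksum[:], r.take(4))
	kr := &reader{buf: r.vec16()}
	for len(kr.buf) > 0 && kr.err == nil {
		g := kr.u16()
		k.Keys = append(k.Keys, KeyShare{Group: g, Public: kr.vec16()})
	}
	suites := r.vec16()
	for i := 0; i+1 < len(suites); i += 2 {
		k.CipherSuites = append(k.CipherSuites, binary.BigEndian.Uint16(suites[i:]))
	}
	k.PaddedLength = r.u16()
	k.NotBefore = time.Unix(int64(binary.BigEndian.Uint64(r.take(8))), 0).UTC()
	k.NotAfter = time.Unix(int64(binary.BigEndian.Uint64(r.take(8))), 0).UTC()
	r.vec16() // extensions (empty in this record)
	if r.err != nil || kr.err != nil || len(r.buf) != 0 {
		return nil, errors.New("malformed or truncated ESNIKeys")
	}
	if len(k.Keys) == 0 || len(suites) == 0 || len(suites)%2 != 0 {
		return nil, errors.New("empty keys or odd cipher_suites length")
	}
	zeroed := append([]byte(nil), b...)
	copy(zeroed[2:6], make([]byte, 4))
	sum := sha256.Sum256(zeroed)
	k.ChecksumOK = string(sum[:4]) == string(k.Checksum[:])
	return k, nil
}

// ValidAt reports whether a client may use the key at time t (not_before <= t <= not_after).
func (k *ESNIKeys) ValidAt(t time.Time) bool {
	return !t.Before(k.NotBefore) && !t.After(k.NotAfter)
}

func main() {
	raw, _ := DecodeTXT(cloudflareTXT)
	k, err := ParseESNIKeys(raw)
	fmt.Printf("%+v\nerr=%v usable_now=%v\n", k, err, err == nil && k.ValidAt(time.Now()))
}
```

The record decodes to a single x25519 key share, one cipher suite (TLS_AES_128_GCM_SHA256), padded_length 260 and a validity window from 2020-06-01T16:00:00Z to 2020-06-07T16:00:00Z. The short window is the point to notice operationally: a client has to honour not_after and re-resolve the TXT record rather than cache the key indefinitely, which is exactly the key-rotation question raised in the conclusion.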
Client support
If we are talking about browsers, then at the moment . Here are the instructions on how to enable ESNI support with DoH in FireFox. After configuring the browser, we should see something like this:

when checking the browser.
Naturally, TLS 1.3 must be used to support ESNI, since ESNI is an extension of TLS 1.3.
To test the backend with ESNI support, we implemented a Go client, but more on that later.
Server-side support
At the moment, ESNI is not supported by web servers such as nginx/apache and others, because they handle TLS through OpenSSL/BoringSSL, which do not officially support ESNI.
Therefore, we decided to build our own front-end component (an ESNI reverse proxy) that supports terminating TLS 1.3 with ESNI and proxies HTTP(S) traffic to an upstream that does not support ESNI. This makes it possible to use the technology in an existing infrastructure without changing the main components - i.e. with the current web servers that do not support ESNI.
For clarity, here is a diagram:

I will note that the proxy was built with the ability to terminate TLS connections without ESNI as well, in order to support clients without ESNI. Also, the protocol for communicating with the upstream can be HTTP, or HTTPS with a TLS version lower than 1.3 (if the upstream does not support 1.3). This scheme provides maximum flexibility.
We have posted the Go implementation of ESNI support at . I want to note right away that the implementation itself is not trivial, because it requires changes to the standard library crypto/tls, so GOROOT has to be "patched" before building.
To generate the ESNI keys we used (also a CloudFlare development). These are used in to encrypt/decrypt the SNI.
We tested the build with Go version 1.13 on Linux (Debian, Alpine) and MacOS.
A few words about operation
The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency and response codes, failed/successful TLS handshakes and TLS handshake duration. At first glance this is enough to assess how the proxy handles traffic.
We also ran a load test before deployment. The results are below:
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.77s     1.21s    7.20s    65.43%
    Req/Sec     13.78      8.84   140.00    83.70%
  206357 requests in 6.00m, 6.08GB read
Requests/sec:    573.07
Transfer/sec:     17.28MB
We ran a similar load test to compare the scheme with the ESNI reverse proxy and without it. We "poured" traffic locally so as not to "disturb" the intermediate components.
So, with ESNI support and proxying to the upstream over HTTP, we got about ~550 rps from a single instance, with the following average CPU/RAM consumption of the ESNI reverse proxy:
- 80% CPU usage (4 vCPU, 4 GB RAM host, Linux)
- 130 MB Mem RSS

For comparison, the RPS for the same nginx upstream without TLS termination (HTTP protocol) was ~1100:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.11s     2.30s   15.00s    90.94%
    Req/Sec     23.25     13.55   282.00    79.25%
  393093 requests in 6.00m, 11.35GB read
  Socket errors: connect 0, read 0, write 0, timeout 9555
  Non-2xx or 3xx responses: 8111
Requests/sec:   1091.62
Transfer/sec:     32.27MB
The presence of timeouts indicates a lack of resources (we used a 4 vCPU, 4 GB RAM host, Linux), and the RPS could be higher (statistics reached 2700 RPS on more powerful resources).
In conclusion, I will note that ESNI technology looks very promising. Many questions are still open, for example the issues of storing the public ESNI key in DNS and rotating ESNI keys - these issues are being actively discussed, and the latest version of the ESNI draft (at the time of writing) .
Source: will.com
