How We Broke Through the Great Firewall of China (Part 3)

Hello!
All good stories come to an end, and our story of how we came up with a solution for getting through the Chinese firewall quickly is no exception. So I hasten to share with you the last, final part on this topic.

In the previous part we talked about the many test benches we came up with and the results they gave. And we stopped at the point that it would be nice to add a CDN to our scheme, for viscosity.

I'll tell you how we tested Alibaba Cloud CDN, Tencent Cloud CDN and Akamai, and what we ended up with. And of course, we will sum things up.


Alibaba Cloud CDN

We are hosted in Alibaba Cloud and use IPSEC and CEN from them. It made sense to try their solutions first.

Alibaba Cloud has two types of products that could suit us: CDN and DCDN. The first option is a classic CDN for a specific domain (subdomain). The second option stands for Dynamic Route for CDN (I call it dynamic CDN). It can be enabled in Full-site mode (for wildcard domains), it also caches static content, and it accelerates dynamic content on its own, that is, the dynamic part of a page is also loaded through the provider's fast networks. This is important for us, because our site is mostly dynamic and uses many subdomains, and it is more convenient to set up the CDN once for the "asterisk": *.semrushchina.cn.

We had already seen this product in the early stages of our China project, but back then it was not working yet, and the developers promised that the product would soon be available to all customers. And so it was.

In DCDN you can:

  • configure SSL termination with your own certificate,
  • enable acceleration of dynamic content,
  • flexibly configure caching of static files,
  • purge the cache,
  • forward web sockets,
  • enable compression and even HTML Beautifier.

In general, everything is the same as with the big, grown-up CDN providers.

After the Origin (the place the CDN edge servers will go to) is specified, all that remains is to create a CNAME for the asterisk pointing to all.semrushchina.cn.w.kunluncan.com (this CNAME was obtained in the Alibaba Cloud console), and the CDN will work.

According to the test results, this CDN helped us a lot. The statistics are shown below.

Solution                     Uptime   Median   75th percentile   95th percentile
Cloudflare                   86.6     18       30                60
IPsec                        99.79    18       21                30
CEN                          99.75    16       21                27
CEN/IPsec + GLB              99.79    13       16                25
Ali CDN + CEN/IPsec + GLB    99.75    10       12.8              17.3

These are very good results, especially compared with what the numbers were at the start. But we knew that the browser test of the American version of our site, www.semrush.com, run from the USA, takes 8.3s on average (a very approximate value). There is room for improvement. Besides, there were other CDN providers that were interesting to test.

So we smoothly move on to another giant of the Chinese market: Tencent.

Tencent Cloud

Tencent is only just developing its cloud, which is evident from the small number of products. While using it, we wanted to test not only their CDN but also their network infrastructure as a whole:

  • do they have something similar to CEN?
  • How does IPSEC work for them? Is it fast, and what is the uptime?
  • do they have Anycast?


Let's look at these questions separately.

CEN analogue

Tencent has a product called Cloud Connect Network (CCN), which lets you connect VPCs from different regions, including regions inside and outside China. The product is currently in internal beta, and you have to create a ticket asking to be connected to it. We learned from support that global accounts (we are not talking about Chinese citizens or legal entities) cannot take part in the beta testing program or, in general, connect a region inside China with a region outside. 1-0 in favor of Ali Cloud.

IPSEC tunnel

Tencent's southernmost region is Guangzhou. We built a tunnel and connected it to the Hong Kong region in GCP (by then this region had already become available). A second tunnel in Ali Cloud, from Shenzhen to Hong Kong, was brought up at the same time. It turned out that latency to Hong Kong through Tencent's network is generally better (10ms) than from Shenzhen to Hong Kong via Ali (120ms, what?). But this did not make the site any faster when working through Tencent and this tunnel, which in itself was a surprising fact and once again confirmed the following: for China, latency is not the metric worth paying attention to when developing a solution for getting through the Chinese firewall.

Anycast Internet Acceleration

Another product that lets you work through anycast IP is AIA. But it is also unavailable to global accounts, so I won't tell you about it, but knowing that such a product exists may be useful.

The CDN test, however, showed quite interesting results. Tencent's CDN cannot be enabled for the whole site, only for specific domains. We created domains and sent traffic to them.


It turned out that this CDN has the following feature: Cross Border Traffic Optimization. This feature is supposed to reduce the overhead when traffic passes through the Chinese firewall. The IP address of the Google GLB (GLB anycast) was specified as the Origin. In this way we wanted to simplify the architecture of the project.

The result was very good: on par with Ali Cloud CDN, and in places even better. This is surprising, because if the tests succeeded, we could drop a large part of the infrastructure: tunnels, CEN, virtual machines, and so on.

We did not rejoice for long, as a problem came to light: the tests in Catchpoint failed for the internet provider China Mobile. From every location we got timeouts through Tencent's CDN. Correspondence with technical support led nowhere. We tried to solve this problem for a day, but nothing helped.

I was in China at the time, but I could not find a public Wi-Fi on this provider's network to verify the problem myself. Otherwise everything looked fast and good.
However, because China Mobile is one of the three largest operators, we were forced to return the traffic to Ali CDN.
But overall, this was a rather interesting solution that deserves longer testing and troubleshooting of this problem.

Akamai

The last CDN provider we tested was Akamai. This is a huge provider that has its own network in China. Of course, we could not pass it by.


From the very beginning we agreed with Akamai on a trial period so that we could switch the domain and see how it would work on their network. I will describe the results of all the tests in the form of "What I liked" and "What I didn't like", and I will also give the test results.

What I liked:

  • The guys from Akamai were very helpful on all questions and accompanied us through all stages of testing. They constantly tried to improve something on their side. They gave good technical advice.
  • Akamai is about 10-15% slower than our solution via Ali Cloud CDN. What is interesting is that in the Origin for Akamai we specified the GLB IP address, meaning the traffic did not go through our solution (potentially we could drop part of the infrastructure). Still, the test results showed that this option is worse than our current solution (comparative results below).
  • We tested both Origin GLB and Origin in China. Both options are about the same.
  • There is Sure Route (automatic route optimization). You can host a test object on the Origin, and Akamai's Edge servers will try to fetch it (a regular GET). For these requests, speed and other metrics are measured, and based on them the Akamai network optimizes routes so that traffic reaches our site faster. It was clear that enabling this feature had a strong effect on the speed of the site.
  • Versioning of the configuration in the web interface is cool. You can compare versions and look at the diff. You can view previous versions.
  • You can roll out a new version first only to the Akamai Staging network: the same network as production, except that this way it does not affect real users. For this test, you need to override the DNS records on your local machine.
  • Very fast download speed through their network for large static files and, apparently, any other files. A file from a "cold" cache is fetched faster than the same file from the "cold" cache of Ali CDN. From a "hot" cache the speed is already about the same, give or take.

Ali CDN test:

root@shenzhen1:~# curl -o /dev/null -w@curl_time https://en.semrushchina.cn/my_reports/build/scripts/simpleInit.js?v=1551879212
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5757k    0 5757k    0     0   513k      0 --:--:--  0:00:11 --:--:--  526k
time_namelookup:  0.004286
time_connect:  0.030107
time_appconnect:  0.117525
time_pretransfer:  0.117606
time_redirect:  0.000000
time_starttransfer:  0.840348
----------
time_total:  11.208119
----------
size_download:  5895467 Bytes
speed_download:  525999.000B/s

Akamai test:

root@shenzhen1:~# curl -o /dev/null -w@curl_time https://www.semrushchina.cn/my_reports/build/scripts/simpleInit.js?v=1551879212
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5757k    0 5757k    0     0  1824k      0 --:--:--  0:00:03 --:--:-- 1825k
time_namelookup:  0.509005
time_connect:  0.528261
time_appconnect:  0.577235
time_pretransfer:  0.577324
time_redirect:  0.000000
time_starttransfer:  1.327013
----------
time_total:  3.154850
----------
size_download:  5895467 Bytes
speed_download:  1868699.000B/s
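
An added example (not part of the original article): the timers that curl prints with -w are cumulative, so subtracting neighbouring values splits each of the two runs above into DNS, TCP, TLS, wait and body-transfer phases. The timing lines are copied from the output above; the phase names and function names are this example's own.

```python
import re

# Timing lines copied from the two curl runs quoted above.
ALI_CDN = """\
time_namelookup:  0.004286
time_connect:  0.030107
time_appconnect:  0.117525
time_pretransfer:  0.117606
time_starttransfer:  0.840348
time_total:  11.208119
size_download:  5895467 Bytes
"""
AKAMAI = """\
time_namelookup:  0.509005
time_connect:  0.528261
time_appconnect:  0.577235
time_pretransfer:  0.577324
time_starttransfer:  1.327013
time_total:  3.154850
size_download:  5895467 Bytes
"""

def parse(output):
    """Collect every 'name:  number' line of curl -w output as a float."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\w+):\s+([0-9.]+)", line)
        if m:
            fields[m.group(1)] = float(m.group(2))
    return fields

def phases(output):
    """Turn curl's cumulative timers into per-phase durations in seconds."""
    t = parse(output)
    body = t["time_total"] - t["time_starttransfer"]
    return {
        "dns": t["time_namelookup"],                       # name resolution
        "tcp": t["time_connect"] - t["time_namelookup"],   # TCP handshake
        "tls": t["time_appconnect"] - t["time_connect"],   # TLS handshake
        "wait": t["time_starttransfer"] - t["time_pretransfer"],  # until first byte
        "body": body,                                      # payload transfer
        "body_kib_s": t["size_download"] / 1024 / body,    # throughput of the body only
    }

if __name__ == "__main__":
    for name, out in (("Ali CDN", ALI_CDN), ("Akamai", AKAMAI)):
        print(name, {k: round(v, 3) for k, v in phases(out).items()})
```

Read this way, the Akamai run spent about 0.5 s on name lookup alone, yet delivered the body roughly 5.7 times faster than the Ali CDN run.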

Note that the results in the example above depend on various factors. While writing this article, I ran the test again. The results for both platforms were about the same. This tells us that the internet in China, even for large operators and cloud providers, behaves differently from time to time.

To the previous point I will add a big plus for Akamai: while Ali shows such swings between very high performance and very low performance (this applies to Ali CDN, Ali CEN and Ali IPSEC), with Akamai, every time, no matter how I tested their network, everything works stably.
Akamai has a lot of coverage in China and works through many providers.

What I didn't like:

  • I don't like the web interface and the way it works: it is very poor. But basically you get used to it (probably).
  • The test results are worse than for our site.
  • There are more errors in the tests than on our site (uptime is lower).
  • No own DNS servers in China. Hence many errors in the tests due to DNS resolve timeouts.
  • They don't provide their IPs -> there is no way to write a correct set_real_ip_from on our servers.
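
Why the missing edge IP list in the last item matters, as an added example that is not from the original article: a simplified Python model of how nginx's set_real_ip_from (with real_ip_recursive on) picks the client address from X-Forwarded-For. All addresses are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

def real_client_ip(peer_ip, xff, trusted_cidrs):
    """Simplified model of nginx set_real_ip_from + real_ip_recursive on:
    the header is honoured only when the TCP peer is a trusted proxy, and
    the client is the right-most X-Forwarded-For hop that is not trusted."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def is_trusted(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in trusted)

    if not is_trusted(peer_ip):
        return peer_ip                      # header from an unknown peer is ignored
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        for hop in reversed(hops):
            if not is_trusted(hop):
                return hop
    except ValueError:
        return peer_ip                      # malformed header: fall back to the peer
    return hops[0] if hops else peer_ip     # every hop trusted: left-most wins

# Constructed addresses (RFC 5737 documentation ranges), not real CDN ranges.
EDGE, CLIENT, FORGED = "198.51.100.7", "203.0.113.50", "192.0.2.99"

def demo():
    via_cdn = f"{FORGED}, {CLIENT}"  # client sent a forged hop, edge appended the real one
    return {
        # Edge ranges published: the forged hop is skipped, the real client is recovered.
        "ranges_known": real_client_ip(EDGE, via_cdn, ["198.51.100.0/24"]),
        # Ranges unknown, trust nobody: every visitor looks like the CDN edge.
        "trust_none": real_client_ip(EDGE, via_cdn, []),
        # Ranges unknown, trust everybody: a forged header sent straight to the origin is believed.
        "trust_all": real_client_ip(CLIENT, FORGED, ["0.0.0.0/0"]),
    }

if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:13} -> {ip}")
```

Without the provider's ranges only the last two configurations are available, so per-client logging, rate limiting and IP allow-lists at the origin either see the edge address or a value the client controls.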

Metrics (~3626 runs; all metrics except Uptime are in ms; statistics for the same period):

CDN provider   Median   75%     95%     Response   Webpage Response   Uptime   DNS   Connect   Wait   Load   SSL
AliCDN         9195     10749   17489   1,715      10,745             99.531   57    17        927    479    200
Akamai         9783     11887   19888   2,352      11,550             98.980   424   91        1408   381    50

Distribution by percentile (in ms):

Percentile   Akamai   AliCDN
10           7,092    6,942
20           7,775    7,583
30           8,446    8,092
40           9,146    8,596
50           9,783    9,195
60           10,497   9,770
70           11,371   10,383
80           12,670   11,255
90           15,882   13,165
100          91,592   91,596

The conclusion is this: the Akamai option is viable, but it does not give the same stability and speed as our solution combined with Ali CDN.

Minor notes

Some points did not make it into the story, but I would like to write about them too.

Beijing + Tokyo and Hong Kong

As I said above, we tested an IPSEC tunnel to Hong Kong (HK). But we also tested CEN to HK. It costs a little less, and I was curious how it would work between cities that are ~100 km apart. Interestingly, latency between these cities turned out to be 100ms higher than in our original option (to Taiwan). Speed and stability were also better to Taiwan. As a result, we left HK as a backup IPSEC region.

In addition, we tried the following setup:

  • client termination in Beijing,
  • IPSEC and CEN to Tokyo,
  • in Ali CDN, the server in Beijing was specified as the origin.

This scheme was not as stable, although in speed it was generally not inferior to our solution. As for the tunnel, I saw intermittent drops even for CEN, which is supposed to be stable. So we went back to the old scheme and dismantled this staging.

Below are latency statistics between different regions for different channels. Someone may find them interesting.

IPsec
Ali cn-beijing <-> GCP asia-northeast1: 193ms
Ali cn-shenzhen <-> GCP asia-east2: 91ms
Ali cn-shenzhen <-> GCP us-east4: 200ms

CEN
Ali cn-beijing <-> Ali ap-northeast-1: 54ms (!)
Ali cn-shenzhen <-> Ali cn-hongkong: 6ms (!)
Ali cn-shenzhen <-> Ali us-east1: 216ms

More about the internet in China

As an addition to the internet problems described at the very beginning, in the first part of the article.

  • The internet in China is very fast internally.
    • This conclusion was drawn from testing public Wi-Fi networks in various places where these networks are used by a lot of people.
    • Download and upload speeds to servers inside China were about 20 Mbit/s and 5-10 Mbit/s, respectively.
    • Speed to servers outside China is just tiny, less than 1 Mbit/s.
  • The internet in China is not very stable.
    • Sometimes sites open quickly, sometimes slowly (at the same time of day on different days), provided that the configuration does not change. We observed this with semrushchina.cn. This can be attributed to Ali CDN, which also works one way or another depending on the time of day, the position of the stars, and so on.
  • Mobile internet is 4G or 4G+ almost everywhere. It works in the subway, in elevators, in short, everywhere.
  • It is a myth that Chinese users trust only domains in the .cn zone. We learned this directly from users.
    • You can see how http://baidu.cn redirects to www.baidu.com (in mainland China as well).
  • Many resources are really blocked. For starters: google.com, Facebook, Twitter. But many Google resources work (of course, not on every Wi-Fi, and no VPN is used (on the router side either, that's for sure)).
  • Many "technical" domains of blocked corporations also work. This means you should not always mindlessly cut out all Google and other seemingly blocked resources. You need to look for some list of banned domains.
  • They have only three main internet operators: China Unicom, China Telecom, China Mobile. There are also smaller ones, but their market share is insignificant.

Bonus: final diagram

[Image: the final diagram]

Results

A year has passed since the start of the project. We started with the fact that our site refused to work properly from China at all, and a simple GET with curl took 5.5 seconds.

Then, with these figures in the first solution (Cloudflare):

Solution     Uptime   Median   75th percentile   95th percentile
Cloudflare   86.6     18       30                60

We eventually arrived at the following results (statistics for the last month):

Solution                     Uptime   Median   75th percentile   95th percentile
Ali CDN + CEN/IPsec + GLB    99.86    8.8      9.5               13.7

As you can see, we have not yet managed to reach 100% uptime, but we will come up with something, and then we will tell you about the results in a new article :)

Respect to those who read all three parts to the end. I hope you found all of this as interesting as I did when I was doing it.

P.S. Previous parts

Part 1
Part 2

Source: www.habr.com
