How to protect your public website with ESNI

Hi Habr, my name is Ilya, I work on the platform team at Exness. We build and operate the infrastructure components that our product teams use.

In this article I want to share our experience of using encrypted SNI (ESNI) on public websites.


Using this technology raises the level of security when working with a public website and helps meet the internal security standards set by the Company.

First of all, I should say that the technology is not finalized and is still a draft, but CloudFlare and Mozilla already support it (see figure 01). This encouraged us to try such an experiment.

Some theory

ESNI is an extension to the TLS 1.3 protocol that allows the SNI in the TLS "Client Hello" message to be encrypted. This is what a Client Hello looks like with ESNI support (instead of the usual SNI we see ESNI):

[Screenshot: Client Hello showing ESNI in place of the usual SNI]

To use ESNI, you need three components:

  • DNS;
  • client support;
  • server-side support.

DNS

You need to add two DNS records - A and TXT (the TXT record contains the public key with which the client can encrypt the SNI) - see below. In addition, there must be DoH (DNS over HTTPS) support, because the existing clients (see below) do not enable ESNI without DoH. This makes sense: ESNI is about hiding the name of the resource we are accessing, so resolving it over plain DNS on UDP would defeat the purpose. Also, using DNSSEC lets you protect against cache poisoning in this scenario.

Several DoH providers are available at present.

CloudFlare states (Check My Browser → Encrypted SNI → Learn More) that their servers already support ESNI, i.e. for CloudFlare servers there are at least two records in DNS - A and TXT. In the example below we query Google DNS (over HTTPS):

A record:

curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
-s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}

TXT record; the query follows the template _esni.FQDN:

curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
-s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
    "name": "_esni.www.cloudflare.com.",
    "type": 16
    }
  ],
  "Answer": [
    {
    "name": "_esni.www.cloudflare.com.",
    "type": 16,
    "TTL": 1799,
    "data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}

So, on the DNS side we need to use DoH (preferably with DNSSEC) and add two records.
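As an added example (not from the original article and not CloudFlare's code), the following Go program takes the DoH JSON answer shown above, strips the quotes that Google's JSON API puts around TXT data, base64-decodes the record and parses the draft-02 ESNIKeys structure that CloudFlare published at the time (version 0xff01). It also recomputes the draft-02 checksum (first four bytes of SHA-256 over the structure with the checksum field zeroed) and checks the not_before/not_after window, which is the key-rotation question raised in the conclusion. The embedded JSON is a trimmed copy of the response on this page; the type and function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// sampleDoH is the _esni.www.cloudflare.com TXT answer shown above, trimmed to
// the fields this example reads. Google's JSON API wraps TXT data in quotes.
const sampleDoH = `{
  "Status": 0,
  "Answer": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16,
      "TTL": 1799,
      "data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
    }
  ]
}`

// dohResponse models the subset of the DoH JSON answer we need.
type dohResponse struct {
	Status int `json:"Status"`
	Answer []struct {
		Type int    `json:"type"`
		Data string `json:"data"`
	} `json:"Answer"`
}

// ESNIKeys is the draft-ietf-tls-esni-02 structure carried in the _esni TXT record.
type ESNIKeys struct {
	Version      uint16
	Checksum     [4]byte
	ChecksumOK   bool
	Group        uint16 // NamedGroup of the first key share (0x001d = x25519)
	PublicKey    []byte
	CipherSuites []uint16
	PaddedLength uint16
	NotBefore    time.Time
	NotAfter     time.Time
}

// ESNITXTFromDoH returns the base64 ESNIKeys blob from a DoH JSON answer.
func ESNITXTFromDoH(jsonBody []byte) (string, error) {
	var resp dohResponse
	if err := json.Unmarshal(jsonBody, &resp); err != nil {
		return "", err
	}
	if resp.Status != 0 {
		return "", fmt.Errorf("DoH status %d", resp.Status)
	}
	for _, a := range resp.Answer {
		if a.Type == 16 { // TXT
			return strings.Trim(a.Data, `"`), nil
		}
	}
	return "", errors.New("no TXT answer in response")
}

// ParseESNIKeys decodes the draft-02 layout: version(2) checksum(4)
// keys<4..2^16-1> cipher_suites<2..2^16-2> padded_length(2) not_before(8)
// not_after(8) extensions<0..2^16-1>.
func ParseESNIKeys(b64 string) (*ESNIKeys, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2+4+2+2+2+8+8+2 {
		return nil, errors.New("ESNIKeys too short")
	}
	k := &ESNIKeys{Version: binary.BigEndian.Uint16(raw[0:2])}
	copy(k.Checksum[:], raw[2:6])

	// Draft-02 checksum: first 4 bytes of SHA-256 over the whole structure
	// with the checksum field itself zeroed.
	zeroed := append([]byte(nil), raw...)
	for i := 2; i < 6; i++ {
		zeroed[i] = 0
	}
	sum := sha256.Sum256(zeroed)
	k.ChecksumOK = bytes.Equal(sum[:4], k.Checksum[:])

	p := raw[6:]
	keysLen := int(binary.BigEndian.Uint16(p[0:2]))
	p = p[2:]
	if keysLen < 4 || len(p) < keysLen {
		return nil, errors.New("bad keys length")
	}
	keys := p[:keysLen]
	p = p[keysLen:]
	k.Group = binary.BigEndian.Uint16(keys[0:2])
	kexLen := int(binary.BigEndian.Uint16(keys[2:4]))
	if len(keys) < 4+kexLen {
		return nil, errors.New("bad key_exchange length")
	}
	k.PublicKey = keys[4 : 4+kexLen] // only the first KeyShareEntry is read

	if len(p) < 2 {
		return nil, errors.New("truncated cipher_suites")
	}
	csLen := int(binary.BigEndian.Uint16(p[0:2]))
	p = p[2:]
	if csLen < 2 || csLen%2 != 0 || len(p) < csLen+2+8+8 {
		return nil, errors.New("bad cipher_suites length")
	}
	for i := 0; i < csLen; i += 2 {
		k.CipherSuites = append(k.CipherSuites, binary.BigEndian.Uint16(p[i:i+2]))
	}
	p = p[csLen:]
	k.PaddedLength = binary.BigEndian.Uint16(p[0:2])
	k.NotBefore = time.Unix(int64(binary.BigEndian.Uint64(p[2:10])), 0).UTC()
	k.NotAfter = time.Unix(int64(binary.BigEndian.Uint64(p[10:18])), 0).UTC()
	return k, nil
}

// ValidAt reports whether the record may be used at the given time; a client
// must refetch the TXT record once not_after passes (ESNI key rotation).
func (k *ESNIKeys) ValidAt(now time.Time) bool {
	return !now.Before(k.NotBefore) && !now.After(k.NotAfter)
}

func main() {
	b64, err := ESNITXTFromDoH([]byte(sampleDoH))
	if err != nil {
		panic(err)
	}
	k, err := ParseESNIKeys(b64)
	if err != nil {
		panic(err)
	}
	fmt.Printf("version 0x%04x checksum_ok=%v group 0x%04x key %x\n", k.Version, k.ChecksumOK, k.Group, k.PublicKey)
	fmt.Printf("suites %#04x padded_length %d valid %s .. %s (now: %v)\n", k.CipherSuites, k.PaddedLength,
		k.NotBefore.Format(time.RFC3339), k.NotAfter.Format(time.RFC3339), k.ValidAt(time.Now()))
}
```

The record on the page decodes to a single x25519 key share, the single cipher suite TLS_AES_128_GCM_SHA256, a padded_length of 260 and a validity window of six days, which is why a client that caches the TXT record for longer than its TTL risks encrypting to a rotated-out key.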

Client support

As far as browsers go, support is currently implemented only in Firefox. Here are the instructions for enabling ESNI and DoH support in Firefox. After configuring the browser, we should see the following:

[Screenshot: Firefox browser check showing Encrypted SNI enabled]

Link to check your browser.

Naturally, TLS 1.3 must be in use for ESNI to work, since ESNI is an extension to TLS 1.3.

To test the backend with ESNI support, we implemented a Go client, but more on that later.

Server-side support

At the moment ESNI is not supported by servers such as nginx, apache and the like, since they implement TLS through OpenSSL/BoringSSL, which do not support ESNI.

We therefore decided to build our own front-end component (ESNI reverse proxy) that would terminate TLS 1.3 with ESNI and proxy HTTP(S) to an upstream that does not support ESNI. This lets the technology be used on existing resources without changing the core components, i.e. while keeping today's servers that do not support ESNI.

For clarity, here is a diagram:

[Diagram: ESNI reverse proxy terminating TLS 1.3 with ESNI in front of a non-ESNI HTTP(S) upstream]

Note that the proxy was designed to terminate TLS connections without ESNI as well, supporting clients that lack ESNI. Also, the connection to the upstream can be HTTP, or HTTPS with a TLS version lower than 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility.
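To make the scheme concrete, here is an added Go example (not the Exness proxy and not CloudFlare's code) of the proxying half of the design, using only the standard library: a front that accepts TLS 1.3 only, a reverse proxy to an upstream that is limited to TLS 1.2, and two counters standing in for the Prometheus metrics described later. The standard crypto/tls has no ESNI support, so the ESNI decryption itself is not reproduced; the upstream, the metric names and the test certificates from net/http/httptest are all constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync/atomic"
)

// frontMetrics stands in for the Prometheus counters the article lists (rps,
// upstream response codes, handshake outcomes); only two are kept here.
type frontMetrics struct {
	requests   uint64
	upstream5x uint64
}

// tlsVersionName labels the TLS version the upstream saw on its side.
func tlsVersionName(v uint16) string {
	switch v {
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// newFront builds the front-end half of the scheme: a handler that forwards
// every request to upstream (http:// or https://) and counts requests and
// upstream 5xx responses. TLS termination is configured on the server below.
func newFront(upstream *url.URL, upstreamTLS *tls.Config, m *frontMetrics) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	rp.Transport = &http.Transport{TLSClientConfig: upstreamTLS}
	rp.ModifyResponse = func(resp *http.Response) error {
		if resp.StatusCode >= 500 {
			atomic.AddUint64(&m.upstream5x, 1)
		}
		return nil
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddUint64(&m.requests, 1)
		rp.ServeHTTP(w, r)
	})
}

// Result collects what a client observes end to end.
type Result struct {
	OKStatus, FailStatus int
	OKBody              string
	Upstream5x          uint64
	TLS12ClientRejected bool
}

// RunScenario wires a TLS 1.2-only HTTPS upstream (the "upstream that does not
// support 1.3" case) behind a TLS 1.3-only front and exercises it.
func RunScenario() (Result, error) {
	var res Result
	upstream := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/fail" {
			w.WriteHeader(http.StatusBadGateway)
			return
		}
		fmt.Fprintf(w, "upstream saw %s over %s", r.URL.Path, tlsVersionName(r.TLS.Version))
	}))
	upstream.TLS = &tls.Config{MaxVersion: tls.VersionTLS12}
	upstream.StartTLS()
	defer upstream.Close()

	// The front trusts only the upstream's own (constructed test) certificate.
	pool := x509.NewCertPool()
	pool.AddCert(upstream.Certificate())
	u, _ := url.Parse(upstream.URL)
	var m frontMetrics
	front := httptest.NewUnstartedServer(newFront(u, &tls.Config{RootCAs: pool}, &m))
	front.TLS = &tls.Config{MinVersion: tls.VersionTLS13} // ESNI is TLS 1.3 only
	front.StartTLS()
	defer front.Close()

	client := front.Client()
	resp, err := client.Get(front.URL + "/hello")
	if err != nil {
		return res, err
	}
	body, _ := io.ReadAll(resp.Body)
	resp.Body.Close()
	res.OKStatus, res.OKBody = resp.StatusCode, string(body)

	resp, err = client.Get(front.URL + "/fail")
	if err != nil {
		return res, err
	}
	resp.Body.Close()
	res.FailStatus = resp.StatusCode
	res.Upstream5x = atomic.LoadUint64(&m.upstream5x)

	// A client capped at TLS 1.2 must be refused by the 1.3-only front.
	frontPool := x509.NewCertPool()
	frontPool.AddCert(front.Certificate())
	old := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: frontPool, MaxVersion: tls.VersionTLS12}}}
	if _, err := old.Get(front.URL + "/hello"); err != nil {
		res.TLS12ClientRejected = true
	}
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The point of the TLS 1.2-capped client at the end is the operational caveat that follows from the design: a front that is strictly TLS 1.3 turns away older clients, so the real proxy also had to terminate non-ESNI TLS for clients that lack ESNI, as described above.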

We borrowed the Go implementation of ESNI support from CloudFlare. I should note right away that the implementation is not trivial, since it changes the standard crypto/tls library, so GOROOT has to be "patched" before building.

To generate ESNI keys we used esnitool (also a CloudFlare creation). These keys are used for SNI encryption/decryption.
We tested the build with Go 1.13 on Linux (Debian, Alpine) and macOS.

A few words about performance

The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency and response codes, TLS handshake failures/successes, and TLS handshake time. At first glance this seemed sufficient to monitor how the proxy behaves.

We also ran load tests before going into production. The results are below:

wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.77s     1.21s    7.20s    65.43%
    Req/Sec    13.78      8.84   140.00     83.70%
  206357 requests in 6.00m, 6.08GB read
Requests/sec:    573.07
Transfer/sec:     17.28MB 

We ran load tests to compare the setup with the ESNI reverse proxy against the setup without it. We generated the traffic locally to rule out "noise" from intermediate components.

So, with ESNI support and calls to the upstream over HTTP, we got ~550 rps from one instance, with the following CPU/RAM usage by the ESNI reverse proxy:

  • 80% CPU utilization (4 vCPU, 4 GB RAM host, Linux)
  • 130 MB RSS memory

[Graph: CPU/RAM utilization of the ESNI reverse proxy during the load test]

For comparison, the RPS of the same nginx upstream without TLS termination (plain HTTP) is ~1100:

wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.11s     2.30s   15.00s    90.94%
    Req/Sec    23.25     13.55   282.00     79.25%
  393093 requests in 6.00m, 11.35GB read
  Socket errors: connect 0, read 0, write 0, timeout 9555
  Non-2xx or 3xx responses: 8111
Requests/sec:   1091.62
Transfer/sec:     32.27MB 

The presence of timeouts indicates a shortage of resources (we used a 4 vCPU, 4 GB RAM host, Linux), and in fact the achievable RPS is higher (we saw figures of up to 2700 RPS on more powerful hosts).

In conclusion, I note that ESNI looks promising. There are many open questions, for example the storage of ESNI keys in DNS and ESNI key rotation; these issues are being actively discussed, and the latest version of the ESNI draft (at the time of writing) is already 7.

Source: www.habr.com
