Hello Habr, my name is Ilya, I work in the platform team at Exness. We build and operate the base components that our product teams use.
In this article I want to share our experience of using encrypted SNI (ESNI) on public websites.

Using this technology raises the security bar when working with public sites and helps meet the internal security standards set by the Company.
First, I want to note that the technology is not yet standardized and is still a draft, but CloudFlare and Mozilla (in Firefox) already support it. That is what encouraged us to try this experiment.
A bit of theory
ESNI is an extension to the TLS 1.3 protocol that allows the SNI in the TLS "Client Hello" message to be encrypted. This is what a Client Hello looks like with ESNI support (instead of the plain SNI we see ESNI):

To use ESNI you need three components:
- DNS;
- client support;
- server-side support.
DNS
Two DNS records must be added, A and TXT (the TXT record carries the public key with which the client encrypts the SNI), see below. In addition, DoH (DNS over HTTPS) support is required, because the existing clients (see below) do not enable ESNI without DoH. This makes sense: ESNI exists to hide the name of the resource we are connecting to, so there is no point in sending that name to DNS over plain UDP. Also, using DNSSEC protects against cache poisoning in this scenario.
You can check this with CloudFlare (Check My Browser → Encrypted SNI → Learn More): their servers already support ESNI, which means that for CloudFlare servers there are at least two DNS records, A and TXT. In the example below we query Google DNS (over HTTPS):
A record:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "www.cloudflare.com.",
"type": 1
}
],
"Answer": [
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.210.9"
},
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.209.9"
}
]
}
TXT record; the query name is built from the template _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16
}
],
"Answer": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16,
"TTL": 1799,
"data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
}
],
"Comment": "Response from 2400:cb00:2049:1::a29f:209."
}
So, on the DNS side, we need to use DoH (preferably with DNSSEC) and add the two records.
Client support
As far as browsers go, at the time of writing that means Firefox. There are published instructions for enabling ESNI and DoH support in Firefox. After configuring the browser, we should see the following:
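As an added example (not the article's own code, nor CloudFlare's), here is a Go parser for the TXT record returned above. It decodes the base64 ESNIKeys structure from the ESNI draft (version 0xff01, the one CloudFlare publishes), verifies the draft's checksum (the first four bytes of SHA-256 over the structure with the checksum field zeroed), and extracts the key share, cipher suites, padded length and validity window, which is what a client must check before it can encrypt the SNI. The only input is the record value quoted above; the field layout is the draft's, everything else here is my own.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// sampleESNIRecord is the TXT value for _esni.www.cloudflare.com quoted above.
const sampleESNIRecord = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="

// ESNIKeys mirrors the draft ESNIKeys structure for version 0xff01.
type ESNIKeys struct {
	Version      uint16
	ChecksumOK   bool     // first 4 bytes of SHA-256 over the record with the checksum zeroed
	Group        uint16   // TLS named group of the key share (0x001d = x25519)
	PublicKey    []byte   // server's public key share
	CipherSuites []uint16 // e.g. 0x1301 = TLS_AES_128_GCM_SHA256
	PaddedLength uint16   // the client pads the encrypted SNI to this length
	NotBefore    time.Time
	NotAfter     time.Time
}

// readVec consumes a TLS vector with a 2-byte big-endian length prefix.
func readVec(p []byte) (body, rest []byte, err error) {
	if len(p) < 2 {
		return nil, nil, errors.New("truncated length prefix")
	}
	n := int(binary.BigEndian.Uint16(p))
	if len(p) < 2+n {
		return nil, nil, errors.New("truncated vector")
	}
	return p[2 : 2+n], p[2+n:], nil
}

// ParseESNIKeys decodes one base64 _esni TXT record value.
func ParseESNIKeys(txt string) (*ESNIKeys, error) {
	raw, err := base64.StdEncoding.DecodeString(txt)
	if err != nil {
		return nil, err
	}
	if len(raw) < 6 {
		return nil, errors.New("ESNIKeys too short")
	}
	k := &ESNIKeys{Version: binary.BigEndian.Uint16(raw[0:2])}
	if k.Version != 0xff01 {
		return nil, fmt.Errorf("unsupported ESNIKeys version 0x%04x", k.Version)
	}
	zeroed := append([]byte(nil), raw...)
	copy(zeroed[2:6], make([]byte, 4))
	sum := sha256.Sum256(zeroed)
	k.ChecksumOK = bytes.Equal(sum[:4], raw[2:6])

	p := raw[6:]
	keys, p, err := readVec(p) // keys<4..2^16-1>: CloudFlare publishes one KeyShareEntry
	if err != nil || len(keys) < 4 {
		return nil, errors.New("bad keys vector")
	}
	k.Group = binary.BigEndian.Uint16(keys[0:2])
	if k.PublicKey, _, err = readVec(keys[2:]); err != nil {
		return nil, err
	}
	suites, p, err := readVec(p) // cipher_suites<2..2^16-2>
	if err != nil || len(suites)%2 != 0 {
		return nil, errors.New("bad cipher_suites vector")
	}
	for i := 0; i < len(suites); i += 2 {
		k.CipherSuites = append(k.CipherSuites, binary.BigEndian.Uint16(suites[i:]))
	}
	if len(p) < 2+8+8 {
		return nil, errors.New("truncated padded_length/validity")
	}
	k.PaddedLength = binary.BigEndian.Uint16(p[0:2])
	k.NotBefore = time.Unix(int64(binary.BigEndian.Uint64(p[2:10])), 0).UTC()
	k.NotAfter = time.Unix(int64(binary.BigEndian.Uint64(p[10:18])), 0).UTC()
	if _, p, err = readVec(p[18:]); err != nil { // extensions<0..2^16-1>, none defined here
		return nil, err
	}
	if len(p) != 0 {
		return nil, errors.New("trailing bytes after ESNIKeys")
	}
	return k, nil
}

// InValidity reports whether the record may be used at the given time.
func (k *ESNIKeys) InValidity(now time.Time) bool {
	return !now.Before(k.NotBefore) && !now.After(k.NotAfter)
}

func main() {
	k, err := ParseESNIKeys(sampleESNIRecord)
	if err != nil {
		panic(err)
	}
	fmt.Printf("version 0x%04x checksum_ok %v group 0x%04x pubkey %x\n", k.Version, k.ChecksumOK, k.Group, k.PublicKey)
	fmt.Printf("suites %04x padded_length %d valid %s .. %s\n", k.CipherSuites, k.PaddedLength, k.NotBefore, k.NotAfter)
}
```

The short validity window the parser prints (about a week) is the practical reason the article later raises key rotation as an open question: a client that caches the record past NotAfter, or a server that stops serving the old key too early, breaks the handshake.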

CloudFlare's browser check page (see above) can be used to verify the browser.
Naturally, TLS 1.3 must be in use for ESNI to work, since ESNI is an extension to TLS 1.3.
To test the backend with ESNI support we wrote a Go client, but more on that later.
Server-side support
At the moment ESNI is not supported by servers such as nginx, apache and so on, since they do TLS through OpenSSL/BoringSSL, which (at the time of writing) do not support ESNI.
So we decided to build our own frontend component (an ESNI reverse proxy) that terminates TLS 1.3 with ESNI and proxies HTTP(S) to upstreams that do not support ESNI. This lets the technology be used on existing infrastructure without changing the core components, i.e. keeping the current servers that lack ESNI support.
For clarity, a diagram:

Note that the proxy is also designed to terminate TLS connections without ESNI, so it serves clients that do not support ESNI. The transport to the upstream can be HTTP or HTTPS with a TLS version lower than 1.3 (if the upstream does not support 1.3). This scheme gives a lot of flexibility.
The Go ESNI implementation was borrowed from an existing open-source project. I want to note right away that the implementation is not trivial, because it involves modifying the standard crypto/tls library, and therefore GOROOT has to be "patched" before the build.
To generate the ESNI keys we used a utility built on CloudFlare's work. These keys are used to encrypt and decrypt the SNI.
We tested the build with Go 1.13 on Linux (Debian, Alpine) and macOS.
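To make the frontend role concrete, here is a stripped-down Go sketch of the proxy's two halves, added for this write-up and not the Exness code: a client-facing TLS config pinned to TLS 1.3 (the only version ESNI exists for), and an HTTP handler that routes by the server name, which on our side is already decrypted whether the client sent ESNI or plain SNI, to an HTTP or HTTPS upstream with a lower TLS minimum, refusing names it does not serve and requests whose Host header disagrees with the SNI. The route table, host names and certificate file names are hypothetical; the ESNI decryption itself is what the patched crypto/tls provides and is not reproduced here.

```go
package main

import (
	"crypto/tls"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// routes maps a served name to its upstream. Hypothetical names; the upstream
// may be plain HTTP or HTTPS, and need not support TLS 1.3 or ESNI.
var routes = map[string]string{
	"www.example.test": "http://lb.npw:80",
	"api.example.test": "https://api-upstream.npw:8443",
}

// hostOnly lowercases a Host value and strips an optional :port.
func hostOnly(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		return strings.ToLower(host)
	}
	return strings.ToLower(h)
}

// upstreamFor resolves the upstream for a request host, or false if we do not serve it.
func upstreamFor(host string) (*url.URL, bool) {
	raw, ok := routes[hostOnly(host)]
	if !ok {
		return nil, false
	}
	u, err := url.Parse(raw)
	return u, err == nil
}

// NewProxyHandler is the HTTP side of the frontend: route by name, refuse
// anything we do not serve, and forward to the upstream.
func NewProxyHandler() http.Handler {
	rp := &httputil.ReverseProxy{
		Director: func(r *http.Request) {
			u, _ := upstreamFor(r.Host) // existence is checked before we get here
			r.URL.Scheme, r.URL.Host = u.Scheme, u.Host
			// r.Host is left as the client sent it so the upstream vhost matches.
			proto := "http"
			if r.TLS != nil {
				proto = "https"
			}
			r.Header.Set("X-Forwarded-Host", r.Host)
			r.Header.Set("X-Forwarded-Proto", proto)
		},
		// The upstream may only speak TLS 1.2; only the client-facing side is 1.3-only.
		Transport: &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}},
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The Host header and the (decrypted) SNI must agree; a mismatch means
		// the client is trying to front one name with another.
		if r.TLS != nil && r.TLS.ServerName != "" && hostOnly(r.TLS.ServerName) != hostOnly(r.Host) {
			http.Error(w, "SNI/Host mismatch", http.StatusMisdirectedRequest)
			return
		}
		if _, ok := upstreamFor(r.Host); !ok {
			http.Error(w, "unknown host", http.StatusMisdirectedRequest)
			return
		}
		rp.ServeHTTP(w, r)
	})
}

// ServerTLSConfig is the client-facing side: TLS 1.3 only. With the patched
// crypto/tls the ESNI keys would be attached here as well.
func ServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{cert},
	}
}

func main() {
	// Hypothetical certificate files for the frontend's public names.
	cert, err := tls.LoadX509KeyPair("frontend.crt", "frontend.key")
	if err != nil {
		panic(err)
	}
	srv := &http.Server{Addr: ":443", Handler: NewProxyHandler(), TLSConfig: ServerTLSConfig(cert)}
	panic(srv.ListenAndServeTLS("", ""))
}
```

The 421 Misdirected Request for unknown names matters more with ESNI than without it: since the name is hidden from the network, the proxy is the only place where a request for a name we do not host can be noticed and rejected before it reaches an upstream.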
A few words about performance
The ESNI reverse proxy exports metrics in Prometheus format: rps, upstream latency and response codes, TLS handshake failures/successes and TLS handshake time. At first glance this looked sufficient to monitor how the proxy behaves.
We also ran a load test before deploying. Results below:
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.77s     1.21s    7.20s    65.43%
    Req/Sec    13.78      8.84   140.00     83.70%
  206357 requests in 6.00m, 6.08GB read
Requests/sec:    573.07
Transfer/sec:     17.28MB
We ran the same test to compare the setup with and without the ESNI reverse proxy. We "poured" the same traffic into both setups to remove the "noise" from intermediate components.
So, with ESNI and an HTTP upstream, a single instance handled ~550 rps, with the ESNI reverse proxy consuming:
- 80% CPU (4 vCPU, 4 GB RAM hosts, Linux)
- 130 MB RSS memory

For comparison, the same nginx upstream with no TLS termination (plain HTTP) gives ~1100 rps:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.11s     2.30s   15.00s    90.94%
    Req/Sec    23.25     13.55   282.00     79.25%
  393093 requests in 6.00m, 11.35GB read
  Socket errors: connect 0, read 0, write 0, timeout 9555
  Non-2xx or 3xx responses: 8111
Requests/sec:   1091.62
Transfer/sec:     32.27MB
The timeouts indicate a shortage of resources (we used 4 vCPU, 4 GB RAM, Linux), and in practice the achievable RPS is higher (we saw figures up to 2700 RPS on more powerful hardware).
In conclusion, I note that ESNI looks promising. There are still many open questions, for example how ESNI keys are stored in DNS and how they are rotated; these are being actively discussed in the latest version of the ESNI draft (at the time of writing).
Source: www.habr.com
