Hello Habr, my name is Ilya, I work in the platform team at Exness. We develop and roll out the core infrastructure components used by our product development teams.
In this article I want to share my experience of using encrypted SNI (ESNI) in public web infrastructure.

Using this technology raises the level of security when working with public web infrastructure and keeps us in line with the internal standards the company applies.
First of all, I want to note that the technology is not finalized and is still at the draft stage, but it is already supported by CloudFlare and Mozilla (in Firefox). This is what prompted us to run this experiment.
A bit of theory
ESNI is an extension of the TLS 1.3 protocol that allows the SNI to be encrypted in the "Client Hello" message of the TLS handshake. This is what a Client Hello with ESNI support looks like (instead of the usual SNI we see ESNI):

Three components are needed to use ESNI:
- DNS;
- client-side support;
- server-side support.
DNS
You need to add two DNS records - A and TXT (the TXT record contains the public key with which the client encrypts the SNI) - see below. In addition, DoH (DNS over HTTPS) support is required, because the clients available today (see below) cannot use ESNI without DoH. This is logical: ESNI exists to hide the name of the resource we are connecting to, so there is no point in fetching it over plaintext DNS over UDP. Using DoH also protects you from spoofing attacks in this scenario.
Public deployments already exist, among them:
CloudFlare (Check My Browser → Encrypted SNI → Learn More) already supports ESNI on its servers, which means that for CloudFlare servers there are at least two records in DNS - A and TXT. In the example below we query Google DNS (over HTTPS):
A record:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}
TXT record; the query follows the pattern _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16
    }
  ],
  "Answer": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16,
      "TTL": 1799,
      "data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}
So, from the DNS side, we need to use DoH (preferably together with DNSSEC) and add two records.
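As an added example (not the author's code, nor the borrowed Go implementation the article mentions later), the following Go program decodes the ESNI public key record returned by the DoH query above and decides whether it may be used. It assumes the ESNIKeys layout of the early ESNI drafts (the record starts with version 0xff01): version, 4-byte checksum, a vector of KeyShareEntry, a vector of cipher suites, padded_length, not_before, not_after and extensions; the TXT value is the one quoted above.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"strings"
	"time"
)

// Constructed sample: the "data" value of the _esni.www.cloudflare.com TXT answer, as the DoH JSON reply in the article returns it (quotes included).
const SampleTXT = `"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="`

// ESNIKeys is the decoded ESNIKeys structure of the early ESNI drafts (version 0xff01); Group 0x001d is x25519.
type ESNIKeys struct {
	Version, Group, CipherSuite, PaddedLength uint16
	ChecksumOK                                bool   // first 4 bytes of SHA-256 over the record with the checksum field zeroed
	PublicKey                                 []byte // key_exchange of the first KeyShareEntry
	NotBefore, NotAfter                       time.Time
}

// ParseESNIKeys decodes the base64 TXT payload. Every length field is checked against the
// bytes actually present, so a truncated or corrupted record is rejected, never used to encrypt SNI.
func ParseESNIKeys(txt string) (*ESNIKeys, error) {
	b, err := base64.StdEncoding.DecodeString(strings.Trim(txt, `"`))
	if err != nil || len(b) < 8 {
		return nil, errors.New("esni: bad base64 or record too short")
	}
	sum := sha256.Sum256(append(append(b[:2:2], 0, 0, 0, 0), b[6:]...)) // hash with checksum zeroed
	k := &ESNIKeys{Version: binary.BigEndian.Uint16(b), ChecksumOK: string(sum[:4]) == string(b[2:6])}
	kl := int(binary.BigEndian.Uint16(b[6:])) // keys<4..2^16-1>: vector of KeyShareEntry
	if kl < 4 || len(b) < 10+kl {
		return nil, errors.New("esni: truncated keys vector")
	}
	// cipher_suites<2..2^16-2> length, then key_exchange length of the first KeyShareEntry (group at b[8:10])
	cl, n := int(binary.BigEndian.Uint16(b[8+kl:])), int(binary.BigEndian.Uint16(b[10:]))
	if cl < 2 || n > kl-4 || len(b) < 30+kl+cl { // 20 fixed bytes + extensions length must follow
		return nil, errors.New("esni: truncated or malformed record")
	}
	ks, cs, p := b[8:8+kl], b[10+kl:10+kl+cl], b[10+kl+cl:]
	k.Group, k.PublicKey = binary.BigEndian.Uint16(ks), ks[4:4+n]
	k.CipherSuite, k.PaddedLength = binary.BigEndian.Uint16(cs), binary.BigEndian.Uint16(p) // first suite listed
	k.NotBefore = time.Unix(int64(binary.BigEndian.Uint64(p[2:])), 0).UTC()
	k.NotAfter = time.Unix(int64(binary.BigEndian.Uint64(p[10:])), 0).UTC()
	return k, nil
}

// Usable: right draft version, intact checksum and inside the not_before..not_after rotation window.
func (k *ESNIKeys) Usable(t time.Time) bool {
	return k.Version == 0xff01 && k.ChecksumOK && !t.Before(k.NotBefore) && !t.After(k.NotAfter)
}
```

A client that fetches the record over DoH should re-query it well before not_after, because CloudFlare rotates these keys and a stale key makes the ESNI handshake fail.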
Client-side support
As for browsers, at the moment it is Firefox. Here are the instructions for enabling ESNI and DoH support in Firefox. After configuring the browser, we should see something like this:

The browser can be checked on CloudFlare's Check My Browser page.
Yes, TLS 1.3 must be used for ESNI to work, since ESNI is an extension of TLS 1.3.
To test a backend with ESNI support, we implemented a client in Go, but more on that later.
Server-side support
At the moment ESNI is not supported by web servers such as nginx/apache and others, because they handle TLS through OpenSSL/BoringSSL, which do not officially support ESNI.
Therefore we decided to build our own frontend component (an ESNI reverse proxy) that supports TLS 1.3 termination with ESNI and proxies HTTP(S) traffic to upstreams that do not support ESNI. This makes it possible to use the technology in an existing infrastructure without changing its core components, i.e. while keeping the existing web servers that do not support ESNI.
For clarity, here is the diagram:

Note that the proxy was designed so that it can also terminate a TLS connection without ESNI, in order to support clients without ESNI. In addition, the connection to the upstream can be either HTTP or HTTPS with a TLS version lower than 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility.
We borrowed the Go implementation of ESNI support. I want to note right away that the implementation itself is not trivial, since it involves changes to the standard crypto/tls library and therefore requires "patching" GOROOT before building.
To generate the ESNI keys we used the same approach as CloudFlare. These keys are used to encrypt/decrypt the SNI.
We tested the build with go 1.13 on Linux (Debian, Alpine) and MacOS.
A few words about performance
The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency & response codes, failed/successful TLS handshakes & TLS handshake time. At first glance this seems enough to evaluate how the proxy handles traffic.
We also ran load tests before putting it into use. The results are below:
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.77s     1.21s    7.20s    65.43%
    Req/Sec    13.78      8.84   140.00     83.70%
  206357 requests in 6.00m, 6.08GB read
Requests/sec:    573.07
Transfer/sec:     17.28MB
We ran the load test to compare the setup with the ESNI reverse proxy against the setup without it. We "pushed" the traffic locally in order to rule out "noise" from intermediate components.
So, with ESNI support and proxying to the upstream over HTTP, we get ~550 rps from a single instance, with the following average CPU/RAM usage of the ESNI reverse proxy:
- 80% CPU usage (4 vCPU, 4 GB RAM hosts, Linux)
- 130 MB Mem RSS

For comparison, the RPS for the same nginx upstream without TLS termination (plain HTTP) is ~1100:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.11s     2.30s   15.00s    90.94%
    Req/Sec    23.25     13.55   282.00     79.25%
  393093 requests in 6.00m, 11.35GB read
  Socket errors: connect 0, read 0, write 0, timeout 9555
  Non-2xx or 3xx responses: 8111
Requests/sec:   1091.62
Transfer/sec:     32.27MB
The presence of timeouts indicates a shortage of resources (we used 4 vCPU, 4 GB RAM hosts, Linux), and in fact the potential RPS is higher (we obtained figures of up to 2700 RPS on more powerful hardware).
In conclusion, I note that ESNI looks very promising. There are still many open questions, for example how public ESNI keys are stored in DNS and how ESNI keys are rotated; these issues are being actively discussed, and a newer version of the ESNI draft had already appeared at the time of writing.
Source: www.habr.com
