Hello Habr, my name is Ilya and I work on the platform team at Exness. We build and operate the core infrastructure used by our product development teams.
In this article I want to share my experience of using encrypted SNI (ESNI) in the infrastructure of public websites.
Using this technology raises the level of security when working with a public website and helps comply with the internal security standards adopted by the Company.
First of all, I want to note that the technology is not yet standardized and is still in draft form, but CloudFlare and Mozilla already support it (in
A bit of theory
ESNI is an extension to the TLS 1.3 protocol that allows the SNI to be encrypted in the "Client Hello" message of the TLS handshake. Here is what a Client Hello looks like with ESNI support (instead of the usual SNI we see ESNI):
To use ESNI, you need three things:
- DNS;
- client support;
- server side support.
DNS
You need to add two DNS records - A and TXT (the TXT record contains the public key with which the client encrypts the SNI) - see below. In addition, DoH (DNS over HTTPS) must be supported, because the existing clients (see below) do not enable ESNI without DoH. This makes sense: ESNI exists to encrypt the name of the resource we are accessing, so it would be pointless to look that name up over plain DNS over UDP. Moreover, using
Currently available:
CloudFlare
A record:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}
TXT record; the query is built according to the template _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16
    }
  ],
  "Answer": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16,
      "TTL": 1799,
      "data": "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}
So, from the DNS point of view, we have to use DoH (preferably with DNSSEC) and add two records.
Client support
If we are talking about browsers, then at the moment
Yes, TLS 1.3 must be used for ESNI to work, since ESNI is an extension to TLS 1.3.
To test the backend with ESNI support we wrote a client in Go, but more on that later.
Server side support
At the moment ESNI is not supported by web servers such as nginx/apache and so on, since they implement TLS via OpenSSL/BoringSSL, which do not officially support ESNI.
Therefore, we decided to build our own front-end component (an ESNI reverse proxy) that supports TLS 1.3 termination with ESNI and proxies HTTP(S) traffic to an upstream that does not support ESNI. This allows the technology to be used in the existing infrastructure without changing the core components, that is, with the current web servers that do not support ESNI.
For clarity, here is a diagram:
I note that the proxy was designed to also terminate TLS connections without ESNI, in order to support clients without ESNI. Also, the protocol for talking to the upstream can be HTTP, or HTTPS with a TLS version lower than 1.3 (for the case where the upstream does not support 1.3). This scheme gives maximum flexibility.
We borrowed the implementation of ESNI support in Go from
To generate the ESNI keys we used
We tested the build with go 1.13 on Linux (Debian, Alpine) and MacOS.
A few words about operation
The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency and response codes, failed/successful TLS handshakes and TLS handshake duration. At first glance this looked sufficient to monitor how the proxy handles traffic.
We also ran load tests before deployment. The results are below:
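The TXT record above is a base64-encoded ESNIKeys structure from draft-ietf-tls-esni-02 (version 0xff01). The following parser is an added example, not code from the article or from the proxy described in it; it decodes the Cloudflare record quoted above and performs the two checks a client (or an operator monitoring the published key) must make before trusting it: the SHA-256 checksum and the not_before/not_after validity window. The `now` parameter is an assumption added so the window check can be tested against a fixed time.

```python
import base64
import hashlib
import struct
import time

# The ESNIKeys blob from the _esni.www.cloudflare.com TXT record quoted above.
CLOUDFLARE_ESNI_TXT = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="

GROUP_NAMES = {0x001D: "x25519", 0x0017: "secp256r1"}
SUITE_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
               0x1303: "TLS_CHACHA20_POLY1305_SHA256"}


def parse_esni_keys(txt_b64, now=None):
    """Decode a draft-ietf-tls-esni-02 ESNIKeys structure and validate it.

    Layout (big-endian): version(2) checksum(4) keys<KeyShareEntry>(2+n)
    cipher_suites(2+n) padded_length(2) not_before(8) not_after(8) extensions(2+n)
    """
    raw = base64.b64decode(txt_b64)
    (version,) = struct.unpack_from("!H", raw, 0)
    if version != 0xFF01:
        raise ValueError(f"unsupported ESNIKeys version 0x{version:04x}")
    # checksum = first 4 bytes of SHA-256 over the structure with the checksum field zeroed
    expected = hashlib.sha256(raw[:2] + b"\x00" * 4 + raw[6:]).digest()[:4]
    pos = 6
    (keys_len,) = struct.unpack_from("!H", raw, pos)
    pos, keys_end, keys = pos + 2, pos + 2 + keys_len, []
    while pos < keys_end:  # each KeyShareEntry: group(2) key_exchange<1..2^16-1>
        group, key_len = struct.unpack_from("!HH", raw, pos)
        keys.append((GROUP_NAMES.get(group, hex(group)), raw[pos + 4:pos + 4 + key_len]))
        pos += 4 + key_len
    (suites_len,) = struct.unpack_from("!H", raw, pos)
    pos += 2
    suites = [SUITE_NAMES.get(s, hex(s)) for (s,) in struct.iter_unpack("!H", raw[pos:pos + suites_len])]
    pos += suites_len
    padded_length, not_before, not_after = struct.unpack_from("!HQQ", raw, pos)
    pos += 18
    (ext_len,) = struct.unpack_from("!H", raw, pos)
    if pos + 2 + ext_len != len(raw):
        raise ValueError("ESNIKeys length mismatch")
    now = int(time.time()) if now is None else now  # assumed parameter, for deterministic checks
    checksum_ok = raw[2:6] == expected
    return {
        "version": version,
        "checksum_ok": checksum_ok,
        "keys": keys,
        "cipher_suites": suites,
        "padded_length": padded_length,
        "not_before": not_before,
        "not_after": not_after,
        # a client must reject the record if the checksum fails or the window has passed
        "usable": checksum_ok and not_before <= now <= not_after,
    }
```

Running it on a freshly fetched record with the default `now` tells you whether the key currently published in DNS is still inside its validity window, which is the rotation concern raised at the end of the article.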
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.77s 1.21s 7.20s 65.43%
Req/Sec 13.78 8.84 140.00 83.70%
206357 requests in 6.00m, 6.08GB read
Requests/sec: 573.07
Transfer/sec: 17.28MB
We ran the load test comparing the scheme with the ESNI reverse proxy and without it. We generated the traffic locally in order to exclude the "interference" of intermediate components.
So, with ESNI support and proxying to the upstream over HTTP, we got around ~550 rps from one instance, with the following average CPU/RAM usage of the ESNI reverse proxy:
- 80% CPU usage (4 vCPU, 4 GB RAM hosts, Linux)
- 130 MB RSS memory
For comparison, the RPS of the same nginx upstream without TLS termination (HTTP protocol) is ~1100:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.11s 2.30s 15.00s 90.94%
Req/Sec 23.25 13.55 282.00 79.25%
393093 requests in 6.00m, 11.35GB read
Socket errors: connect 0, read 0, write 0, timeout 9555
Non-2xx or 3xx responses: 8111
Requests/sec: 1091.62
Transfer/sec: 32.27MB
The presence of timeouts indicates a lack of resources (we used hosts with 4 vCPUs, 4 GB RAM, Linux), and in fact the achievable RPS is higher (we got figures of up to 2700 RPS on other, more powerful hosts).
In conclusion, I note that ESNI looks promising. There are still many open questions, for example the storage of the ESNI public key in DNS and the rotation of ESNI keys - these issues are being actively discussed, and the current version of the ESNI design (at the time of writing) is already
Source: www.habr.com