How to protect your website with ESNI

Hello Habr, my name is Ilya, I work in the platform team at Exness. We build and operate the core infrastructure used by our product development teams.

In this article I want to share my experience of applying encrypted SNI (ESNI) in the infrastructure of public websites.


Using this technology raises the level of security when operating a public website and helps comply with the Company's internal security standards.

First of all, I want to point out that the technology is not stable and is still a draft, but CloudFlare and Mozilla already support it (draft01). This is what motivated us to try this experiment.

A bit of theory

ESNI is an extension of the TLS 1.3 protocol that allows the SNI to be encrypted in the "Client Hello" message of the TLS handshake. Here is what a Client Hello looks like with ESNI support (instead of the usual SNI we see ESNI):

[Figure: Client Hello with the ESNI extension]

To use ESNI, you need three things:

  • DNS;
  • client support;
  • server-side support.

DNS

You need to add two DNS records, A and TXT (the TXT record contains the public key with which the client encrypts the SNI); see below. In addition, DoH (DNS over HTTPS) support is required, because the existing clients (see below) cannot support ESNI without DoH. This makes sense: ESNI implies encrypting the name of the resource we are accessing, so resolving it over plain DNS over UDP would defeat the purpose. Furthermore, using DNSSEC lets you protect against cache poisoning attacks in this scenario.

There are currently several DoH providers, among them:

CloudFlare states (Check My Browser → Encrypted SNI → Learn More) that their servers already support ESNI, i.e. for CloudFlare's servers we have two records in DNS, A and TXT. In the example below we query Google DNS (over HTTPS):

A record:

curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}

TXT record; the query name is built from the template _esni.FQDN:

curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16
    }
  ],
  "Answer": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16,
      "TTL": 1799,
      "data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}

So, from the DNS point of view, we need to use DoH (preferably with DNSSEC) and add two records.
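To see what the TXT record actually carries, here is an added Go example (written for this edit; it is not code from the article, from CloudFlare or from esnitool) that decodes the record returned above into its fields: version, checksum, the x25519 key share, cipher suites, padded_length and the not_before/not_after validity window. The wire layout and the checksum rule (first four bytes of SHA-256 over the structure with the checksum zeroed) are the example's assumption about the draft-01/02 ESNIKeys format; check them against the draft version you deploy.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ESNIKeys is the decoded _esni.<fqdn> TXT record. The field layout follows
// the draft-01/02 ESNIKeys structure (an assumption of this example).
type ESNIKeys struct {
	Version      uint16
	ChecksumOK   bool     // first 4 bytes of SHA-256 over the record with checksum zeroed
	Group        uint16   // TLS NamedGroup of the first key share; 0x001d = x25519
	PublicKey    []byte   // the public key the client encrypts the SNI against
	CipherSuites []uint16 // TLS 1.3 suites; 0x1301 = TLS_AES_128_GCM_SHA256
	PaddedLength uint16   // SNI padding target, hides the length of the real name
	NotBefore    time.Time
	NotAfter     time.Time
}

// CloudflareTXT is the TXT value from the article's DoH query (June 2020).
const CloudflareTXT = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="

// ParseESNIKeys decodes the base64 record and checks its framing and checksum.
func ParseESNIKeys(b64 string) (k *ESNIKeys, err error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	// take is a bounds-checked cursor over raw: it records the first overrun
	// in err and hands back zero bytes afterwards, so err is checked once below.
	off := 0
	take := func(n int) []byte {
		if err == nil && (n < 0 || off+n > len(raw)) {
			err = errors.New("esni: truncated or malformed record")
		}
		if err != nil {
			return make([]byte, 8)
		}
		v := raw[off : off+n]
		off += n
		return v
	}
	u16 := func() int { return int(binary.BigEndian.Uint16(take(2))) }
	u64 := func() uint64 { return binary.BigEndian.Uint64(take(8)) }

	k = &ESNIKeys{}
	k.Version = uint16(u16())
	sum := take(4)
	keysLen := u16() // keys<4..2^16-1>: a list of KeyShareEntry
	keysEnd := off + keysLen
	k.Group = uint16(u16()) // first entry: group, then opaque key<1..2^16-1>
	k.PublicKey = append([]byte(nil), take(u16())...)
	take(keysEnd - off) // skip any further key shares
	csLen := u16()      // cipher_suites<2..2^16-2>
	if csLen%2 != 0 && err == nil {
		err = errors.New("esni: odd cipher_suites length")
	}
	for i := 0; i < csLen; i += 2 {
		k.CipherSuites = append(k.CipherSuites, uint16(u16()))
	}
	k.PaddedLength = uint16(u16())
	k.NotBefore = time.Unix(int64(u64()), 0).UTC()
	k.NotAfter = time.Unix(int64(u64()), 0).UTC()
	take(u16()) // extensions<0..2^16-1>, empty in this record
	if err == nil && off != len(raw) {
		err = errors.New("esni: trailing bytes after ESNIKeys")
	}
	if err != nil {
		return nil, err
	}
	// Checksum rule: SHA-256 over the structure with the four checksum bytes
	// zeroed, truncated to four bytes.
	zeroed := append([]byte(nil), raw...)
	copy(zeroed[2:6], make([]byte, 4))
	digest := sha256.Sum256(zeroed)
	k.ChecksumOK = bytes.Equal(digest[:4], sum)
	return k, nil
}

// ValidAt reports whether the record may be used at the given time; a resolver
// that cached the TXT past not_after must fetch the rotated key instead.
func (k *ESNIKeys) ValidAt(now time.Time) bool {
	return !now.Before(k.NotBefore) && !now.After(k.NotAfter)
}

func main() {
	k, err := ParseESNIKeys(CloudflareTXT)
	if err != nil {
		panic(err)
	}
	fmt.Printf("version=%#04x checksum_ok=%v group=%#04x key=%x\n",
		k.Version, k.ChecksumOK, k.Group, k.PublicKey)
	fmt.Printf("suites=%#04x padded_length=%d valid %s .. %s\n",
		k.CipherSuites, k.PaddedLength, k.NotBefore, k.NotAfter)
	fmt.Println("usable now:", k.ValidAt(time.Now()))
}
```

Two things worth noticing when you run this on the record from the article: the key is only valid for about six days (not_before 2020-06-01 16:00 UTC, not_after 2020-06-07 16:00 UTC), while the TXT record's TTL is 1799 seconds, so a client or monitoring job must re-resolve the record well before not_after rather than trusting a long-lived cache; and the padded_length of 260 bytes is what hides the real hostname length inside the encrypted extension. A check on the validity window is a cheap alert to add to operations monitoring when you publish your own ESNI keys.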

Client support

As far as browsers are concerned, at the moment support is implemented only in Firefox. Here are the instructions for enabling ESNI with DoH support in Firefox. After the browser is configured, we should see something like this:

[Figure: connection check in the browser]

Yes, TLS 1.3 must be used to support ESNI, since ESNI is an extension of TLS 1.3.

To test the backend with ESNI support, we wrote a client in Go, but more on that later.

Server-side support

Currently ESNI is not supported by web servers such as nginx, apache, etc., since they handle TLS through OpenSSL/BoringSSL, which do not officially support ESNI.

ΠŸΠΎΡΡ‚ΠΎΠΌΡƒ ΠΌΡ‹ Ρ€Π΅ΡˆΠΈΠ»ΠΈ ΡΠΎΠ·Π΄Π°Ρ‚ΡŒ свой front-end ΠΊΠΎΠΌΠΏΠΎΠ½Π΅Π½Ρ‚ (ESNI reverse proxy), ΠΊΠΎΡ‚ΠΎΡ€Ρ‹ΠΉ Π±Ρ‹ ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΈΠ²Π°Π» Ρ‚Π΅Ρ€ΠΌΠΈΠ½Π°Ρ†ΠΈΡŽ TLS 1.3 с ESNI ΠΈ проксированиС HTTP(S) Ρ‚Ρ€Π°Ρ„Ρ„ΠΈΠΊΠ° Π½Π° апстрим, Π½Π΅ ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΈΠ²Π°ΡŽΡ‰ΠΈΠΉ ESNI. Π­Ρ‚ΠΎ позволяСт ΠΏΡ€ΠΈΠΌΠ΅Π½ΡΡ‚ΡŒ Ρ‚Π΅Ρ…Π½ΠΎΠ»ΠΎΠ³ΠΈΡŽ Π² ΡƒΠΆΠ΅ слоТившСйся инфраструктурС, Π±Π΅Π· измСнСния основных ΠΊΠΎΠΌΠΏΠΎΠ½Π΅Π½Ρ‚ΠΎΠ² – Ρ‚ΠΎ Π΅ΡΡ‚ΡŒ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚ΡŒ Ρ‚Π΅ΠΊΡƒΡ‰ΠΈΠ΅ web-сСрвСры, Π½Π΅ ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΈΠ²Π°ΡŽΡ‰ΠΈΠ΅ ESNI. 

For clarity, here is a diagram:

[Figure: ESNI reverse proxy in front of an upstream without ESNI support]

Note that the proxy is designed to also terminate TLS connections without ESNI, so that clients without ESNI support keep working. Likewise, the protocol towards the upstream can be HTTP, or HTTPS with a TLS version lower than 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility.
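As an added illustration of that design (example code written for this edit, not the Exness proxy and not CloudFlare's code; the ESNI decryption itself needs a patched crypto/tls and is not shown), here is a minimal Go frontend that terminates both TLS 1.2 and TLS 1.3 with one certificate, forwards requests to a plain-HTTP upstream, and counts handshakes by negotiated version and SNI presence, which is the shape of the handshake metrics such a proxy exports. The hostname esni-rev-proxy.npw is taken from the article's load test; the upstream URL and the self-signed certificate are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"log"
	"math/big"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync/atomic"
	"time"
)

// HandshakeStats are the counters a frontend like this would export to
// Prometheus; each is incremented once per completed TLS handshake.
type HandshakeStats struct {
	TLS13  uint64 // negotiated TLS 1.3, the only version ESNI can ride on
	Legacy uint64 // TLS 1.2 clients, i.e. clients without ESNI support
	NoSNI  uint64 // ClientHello carried no server_name at all
}

// Frontend terminates TLS for every client and forwards plain HTTP upstream.
type Frontend struct {
	Stats  HandshakeStats
	Server *http.Server
}

// NewFrontend builds the TLS-terminating reverse proxy in front of upstream
// (a hypothetical nginx that speaks neither TLS 1.3 nor ESNI).
func NewFrontend(upstream *url.URL, cert tls.Certificate) *Frontend {
	f := &Frontend{}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	f.Server = &http.Server{
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			r.Header.Set("X-Forwarded-Proto", "https") // upstream only ever sees HTTP
			proxy.ServeHTTP(w, r)
		}),
		TLSConfig: &tls.Config{
			Certificates: []tls.Certificate{cert},
			MinVersion:   tls.VersionTLS12, // keep non-ESNI clients working
			// VerifyConnection runs once per handshake on the server side, after
			// the version and SNI are known, so it is the right place to count.
			VerifyConnection: func(cs tls.ConnectionState) error {
				if cs.Version == tls.VersionTLS13 {
					atomic.AddUint64(&f.Stats.TLS13, 1)
				} else {
					atomic.AddUint64(&f.Stats.Legacy, 1)
				}
				if cs.ServerName == "" {
					atomic.AddUint64(&f.Stats.NoSNI, 1)
				}
				return nil
			},
		},
	}
	return f
}

// Serve binds a random loopback port, serves in the background and returns
// the bound address.
func (f *Frontend) Serve() (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	go f.Server.ServeTLS(ln, "", "") // empty paths: use TLSConfig.Certificates
	return ln.Addr().String(), nil
}

// SelfSignedCert mints a throwaway ECDSA certificate for host so the example
// runs offline; a real deployment uses a CA-issued certificate.
func SelfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:8080") // placeholder upstream
	cert, err := SelfSignedCert("esni-rev-proxy.npw")
	if err != nil {
		log.Fatal(err)
	}
	f := NewFrontend(upstream, cert)
	addr, err := f.Serve()
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("TLS frontend on https://%s -> %s", addr, upstream)
	select {}
}
```

The split between TLS13 and Legacy is the first number to watch after rollout: only the TLS 1.3 share can ever have used ESNI, and a growing NoSNI count usually means scanners or misconfigured clients rather than real users. Because the upstream receives plain HTTP, the X-Forwarded-Proto header is the only thing telling it the client connection was encrypted, so the upstream must be reachable only from the frontend.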

The Go implementation of ESNI support we borrowed from CloudFlare. I would note here that the implementation is not trivial, because it involves changes to the standard library package crypto/tls and therefore requires "patching" GOROOT before building.

To generate the ESNI keys we used esnitool (also a CloudFlare brainchild). These keys are used for SNI encryption/decryption.
We tested the build with go 1.13 on Linux (Debian, Alpine) and MacOS.

A few words about operation

The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency and response codes, failed/successful TLS handshakes and TLS handshake duration. At first glance this seemed sufficient to monitor how the proxy handles traffic.

We also did load testing before deploying. The results are below:

wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.77s     1.21s    7.20s    65.43%
    Req/Sec    13.78      8.84   140.00     83.70%
  206357 requests in 6.00m, 6.08GB read
Requests/sec:    573.07
Transfer/sec:     17.28MB 

We ran high-level tests to compare the scheme with the ESNI reverse proxy against the scheme without it. We "poured" the traffic locally in order to exclude "interference" from intermediate components.

So, with ESNI support and proxying to the upstream over HTTP, we got around ~550 rps from a single instance, with the following average CPU/RAM usage of the ESNI reverse proxy:

  • 80% CPU usage (4 vCPU, 4 GB RAM host, Linux)
  • 130 MB memory RSS

[Figure: CPU/RAM usage of the ESNI reverse proxy under load]

For comparison, the RPS for the same nginx under the same load without TLS termination (plain HTTP) is ~1100:

wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.11s     2.30s   15.00s    90.94%
    Req/Sec    23.25     13.55   282.00     79.25%
  393093 requests in 6.00m, 11.35GB read
  Socket errors: connect 0, read 0, write 0, timeout 9555
  Non-2xx or 3xx responses: 8111
Requests/sec:   1091.62
Transfer/sec:     32.27MB 

The presence of timeouts shows that resources were short (we used hosts with 4 vCPU and 4 GB RAM, Linux), and in fact the achievable RPS is higher (we got figures up to 2700 RPS on other, more powerful hosts).

In conclusion, I would note that ESNI looks promising. Many questions are still open, for example storing the ESNI public key in DNS and rotating ESNI keys; these issues are being actively discussed, and the current version of the ESNI draft (at the time of writing) is already 7.

Source: www.habr.com
