Hi Habr, my name is Ilya, and I work in the platform team at Exness. We build and operate the core infrastructure used by our product development teams.
In this article I want to share my experience of deploying encrypted SNI (ESNI) in the infrastructure of public websites.
Using this technology raises the level of protection of a public website and brings it in line with the internal security standards adopted by the company.
First of all, I want to note that the technology is not finalized and is still a draft, but CloudFlare and Mozilla already support it (in
Some background
ESNI is an extension to the TLS 1.3 protocol that encrypts the SNI in the "Client Hello" message of the TLS handshake. This is what a Client Hello with ESNI support looks like (in place of the usual SNI we see ESNI):
To use ESNI you need three things:
- DNS;
- client support;
- server-side support.
DNS
You need to add two DNS records, A and TXT (the TXT record carries the public key with which the client encrypts the SNI); see below. In addition, DoH (DNS over HTTPS) support is required, because the existing clients (see below) cannot do ESNI without DoH. This makes sense: the whole point of ESNI is to hide the name of the resource being accessed, so resolving that name over plaintext DNS over UDP would leak it anyway. Moreover, the use
CloudFlare already publishes such records today. The A record:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
    -s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "www.cloudflare.com.",
"type": 1
}
],
"Answer": [
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.210.9"
},
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.209.9"
}
]
}
The TXT record; the query name is built from the template _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
    -s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16
}
],
"Answer": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16,
"TTL": 1799,
"data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
}
],
"Comment": "Response from 2400:cb00:2049:1::a29f:209."
}
So, from the DNS point of view, we need DoH (ideally with DNSSEC) and two extra records.
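To see what the TXT record above actually carries, here is a parser for it. This is an added example written for this edit, not code from the original article or from the author's proxy. It decodes the ESNIKeys structure of draft-ietf-tls-esni-02 (version 0xff01, the format of the Cloudflare record returned above): checksum, key shares, cipher suites, padded length, validity window and extensions. The record string is the one from the query above; the checksum rule (first four bytes of SHA-256 over the structure with the checksum bytes zeroed) is my reading of the draft, and the parser reports the result rather than enforcing it. The names ESNIKeys, KeyShare, ParseESNIKeys and UsableAt are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// The TXT payload returned above for _esni.www.cloudflare.com (copied from the query output).
const CloudflareESNIRecord = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="

// ESNIKeys mirrors the draft-ietf-tls-esni-02 structure carried in the record.
type ESNIKeys struct {
	Version      uint16
	ChecksumOK   bool     // first 4 bytes of SHA-256 over the structure (checksum zeroed) matched
	KeyShares    []KeyShare
	CipherSuites []uint16 // TLS 1.3 suites, e.g. 0x1301 = TLS_AES_128_GCM_SHA256
	PaddedLength uint16   // the encrypted name is padded to this length to hide its real length
	NotBefore    time.Time
	NotAfter     time.Time
	Extensions   []byte
}

type KeyShare struct {
	Group uint16 // TLS NamedGroup, 0x001d = x25519
	Key   []byte
}

// cursor reads the TLS presentation-language encoding with a sticky error, so the
// parser can decode the whole structure and check for truncation once at the end.
type cursor struct {
	b   []byte
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err == nil && len(c.b) < n {
		c.err = errors.New("esni: truncated ESNIKeys")
	}
	if c.err != nil {
		return make([]byte, n) // zero filler keeps callers decoding; err is checked later
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

func (c *cursor) u16() uint16   { return binary.BigEndian.Uint16(c.take(2)) }
func (c *cursor) u64() uint64   { return binary.BigEndian.Uint64(c.take(8)) }
func (c *cursor) vec16() []byte { return c.take(int(c.u16())) } // <0..2^16-1> vector

// ParseESNIKeys decodes one base64 TXT string into an ESNIKeys value.
func ParseESNIKeys(b64 string) (*ESNIKeys, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	c := &cursor{b: raw}
	k := &ESNIKeys{Version: c.u16()}
	if k.Version != 0xff01 {
		return nil, fmt.Errorf("esni: unsupported ESNIKeys version %#04x", k.Version)
	}
	checksum := c.take(4)
	shares := &cursor{b: c.vec16()}
	for len(shares.b) > 0 && shares.err == nil {
		k.KeyShares = append(k.KeyShares, KeyShare{Group: shares.u16(), Key: shares.vec16()})
	}
	suites := c.vec16()
	for i := 0; i+2 <= len(suites); i += 2 {
		k.CipherSuites = append(k.CipherSuites, binary.BigEndian.Uint16(suites[i:]))
	}
	k.PaddedLength = c.u16()
	k.NotBefore = time.Unix(int64(c.u64()), 0).UTC() // uint64 seconds since the Unix epoch
	k.NotAfter = time.Unix(int64(c.u64()), 0).UTC()
	k.Extensions = c.vec16()
	switch {
	case c.err != nil:
		return nil, c.err
	case shares.err != nil || len(k.KeyShares) == 0 || len(suites) == 0 || len(suites)%2 != 0:
		return nil, errors.New("esni: malformed keys or cipher_suites vector")
	case len(c.b) != 0:
		return nil, errors.New("esni: trailing bytes after ESNIKeys")
	}
	// Checksum: first four bytes of SHA-256 over the structure with the checksum field zeroed.
	zeroed := append([]byte(nil), raw...)
	copy(zeroed[2:6], []byte{0, 0, 0, 0})
	sum := sha256.Sum256(zeroed)
	k.ChecksumOK = bytes.Equal(sum[:4], checksum)
	return k, nil
}

// UsableAt reports whether a client may use these keys at the given time.
func (k *ESNIKeys) UsableAt(now time.Time) bool {
	return !now.Before(k.NotBefore) && !now.After(k.NotAfter)
}

func main() {
	k, err := ParseESNIKeys(CloudflareESNIRecord)
	fmt.Printf("%+v %v\n", k, err)
}
```

The not_before/not_after pair is the key-rotation problem mentioned at the end of the article in concrete form: a client has to re-resolve the TXT record before not_after, and a truncated or wrong-version record must be rejected outright rather than partially used, which is why the parser checks the cursor's error before trusting any field.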
Client support
If we are talking about browsers, then at the moment
Yes, TLS 1.3 must be used for ESNI support, since ESNI is an extension of TLS 1.3.
To test the backend with ESNI support, we implemented a client in Go, but more on that later.
Server-side support
Currently ESNI is not supported by web servers such as nginx/apache and the like, since they do TLS through OpenSSL/BoringSSL, which do not officially support ESNI.
So we decided to build our own front-end component (an ESNI reverse proxy) that terminates TLS 1.3 with ESNI and proxies HTTP(S) traffic to an upstream that does not support ESNI. This lets the technology be deployed in an existing infrastructure without changing its core components, that is, while keeping the current web servers that do not support ESNI.
For clarity, here is a diagram:
Note that the proxy is also designed to terminate TLS connections without ESNI, to support clients that lack it. The protocol to the upstream can also be HTTP, or HTTPS with a TLS version below 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility. Keep in mind what the fallbacks mean: a client that connects without ESNI still sends the hostname in the clear, and a plain-HTTP upstream hop relies on the network between proxy and upstream being trusted.
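Go's standard crypto/tls has no ESNI (the article's proxy gets it from a forked TLS stack), so what follows is the non-ESNI scaffolding of such a front-end, as an added example written for this edit and not the author's proxy code: terminate TLS with a certificate chosen per ClientHello, abort handshakes for names the proxy does not serve, forward to a plain-HTTP upstream with httputil.ReverseProxy, and count handshakes the way the article's Prometheus metrics do. The route table, the hostnames, the ports and the SelfSignedCert helper are assumptions for the example; with an ESNI-capable stack, the decrypted name would have to land where r.TLS.ServerName is read here (also an assumption, since the fork's API is not shown on the page).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync/atomic"
	"time"
)

// Proxy terminates TLS for a set of lowercase hostnames, each routed to its own upstream.
type Proxy struct {
	routes       map[string]*url.URL
	cert         tls.Certificate
	hsOK, hsFail int64 // ClientHellos for a routed name / for an unknown name (metrics)
}

func NewProxy(cert tls.Certificate, routes map[string]*url.URL) *Proxy {
	return &Proxy{routes: routes, cert: cert}
}

// TLSConfig selects the certificate per ClientHello and aborts the handshake for
// names the proxy does not route, so they never reach any backend.
func (p *Proxy) TLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if _, ok := p.routes[strings.ToLower(hello.ServerName)]; !ok {
				atomic.AddInt64(&p.hsFail, 1)
				return nil, fmt.Errorf("no route for server name %q", hello.ServerName)
			}
			atomic.AddInt64(&p.hsOK, 1)
			return &p.cert, nil
		},
	}
}

// ServeHTTP runs behind a TLS listener, so r.TLS is always populated.
func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	name, host := strings.ToLower(r.TLS.ServerName), r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	// Route by the negotiated name and require the Host header to agree with it;
	// otherwise a client could handshake as one site and address another site's backend.
	up, ok := p.routes[name]
	if !ok || strings.ToLower(host) != name {
		http.Error(w, "misdirected request", http.StatusMisdirectedRequest)
		return
	}
	rp := httputil.NewSingleHostReverseProxy(up)
	director := rp.Director
	rp.Director = func(req *http.Request) {
		director(req)
		req.Header.Set("X-Forwarded-Proto", "https") // the upstream hop itself is plain HTTP
	}
	rp.ServeHTTP(w, r)
}

// SelfSignedCert issues a throwaway certificate for host, for local testing only.
func SelfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

func main() {
	cert, err := SelfSignedCert("app.example.test") // hypothetical site name
	if err != nil {
		panic(err)
	}
	p := NewProxy(cert, map[string]*url.URL{"app.example.test": {Scheme: "http", Host: "127.0.0.1:8080"}})
	ln, err := tls.Listen("tcp", "127.0.0.1:8443", p.TLSConfig())
	if err != nil {
		panic(err)
	}
	panic(http.Serve(ln, p))
}
```

The 421 check is what makes the routing safe once one proxy fronts several names: the name the client negotiated is what selected the certificate, so a request whose Host header names a different site must not be forwarded on that connection. Refusing unknown names inside GetCertificate has the same effect one layer lower, and it is also where the failed-handshake counter from the metrics section comes from.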
We borrowed the ESNI support implementation in Go from
To generate the ESNI keys we used
We tested the build with Go 1.13 on Linux (Debian, Alpine) and macOS.
A few words about operation
The ESNI reverse proxy exposes metrics in Prometheus format, such as RPS, upstream latency and response codes, failed/successful TLS handshakes, and TLS handshake duration. At first glance this seemed sufficient to monitor how the proxy handles traffic.
We also ran load tests before rolling it out. The results are below:
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.77s 1.21s 7.20s 65.43%
Req/Sec 13.78 8.84 140.00 83.70%
206357 requests in 6.00m, 6.08GB read
Requests/sec: 573.07
Transfer/sec: 17.28MB
We ran rough tests to compare the setup with the ESNI reverse proxy against the setup without it. We generated the traffic locally to rule out "noise" from intermediate components.
So, with ESNI support and proxying to the upstream over HTTP, we got around ~550 RPS from a single instance, with the ESNI reverse proxy's average CPU/RAM usage at:
- 80% CPU usage (4 vCPU, 4 GB RAM host, Linux)
- 130 MB RSS
For comparison, the RPS of the same nginx upstream without TLS termination (plain HTTP) is ~1100:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.11s 2.30s 15.00s 90.94%
Req/Sec 23.25 13.55 282.00 79.25%
393093 requests in 6.00m, 11.35GB read
Socket errors: connect 0, read 0, write 0, timeout 9555
Non-2xx or 3xx responses: 8111
Requests/sec: 1091.62
Transfer/sec: 32.27MB
The timeouts show that the hosts were resource-constrained (we used 4 vCPU, 4 GB RAM hosts, Linux); the achievable RPS is actually higher (we saw figures around 2700 RPS on more powerful machines).
In conclusion, I note that ESNI looks promising. Many questions remain open, for example how the ESNI public key is stored in DNS and how ESNI keys are rotated; these issues are actively discussed, and the current version of the ESNI draft (at the time of writing) already
Source: www.habr.com