Hello Habr, my name is Ilya and I work on the platform team at Exness. We build and operate the core infrastructure used by our product development teams.
In this article I want to share our experience of using encrypted SNI (ESNI) in the infrastructure of public websites.

Using this technology raises the level of security when working with a public website and helps us comply with the internal security standards adopted by the Company.
First of all, I want to note that the technology is not standardized and is still a draft, but CloudFlare and Mozilla already support it. This encouraged us to give it a try.
A bit of theory
ESNI is an extension to the TLS 1.3 protocol that allows the SNI to be encrypted in the TLS handshake "Client Hello" message. Here is what a Client Hello looks like with ESNI support (instead of the usual SNI we see ESNI):

To use ESNI you need three things:
- DNS;
- client support;
- server side support.
DNS
You need to add two DNS records, A and TXT (the TXT record carries the public key with which the client encrypts the SNI); see below. In addition, DoH (DNS over HTTPS) support is required, because the existing clients (see below) do not enable ESNI without DoH. This makes sense: ESNI encrypts the name of the resource we are connecting to, so resolving that same name over plain DNS over UDP would defeat the purpose. Besides, using it also protects against cache poisoning attacks in this scenario.
Some services already support ESNI, among them:
CloudFlare (Check My Browser → Encrypted SNI → Learn More): their servers already support ESNI, i.e. for CloudFlare servers we have both records in DNS, A and TXT. In the example below we query Google DNS (over HTTPS):
A record:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}
TXT record; the query name is built from the template _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16
    }
  ],
  "Answer": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16,
      "TTL": 1799,
      "data": "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}
So, from the DNS point of view, we need to use DoH (possibly with DNSSEC) and add the two records.
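As an added example (not code from the article or from Exness), here is a Go parser for the ESNIKeys structure carried in that TXT record. It assumes the early draft-ietf-tls-esni layout (version, checksum, one key share, cipher suites, padded_length, a not_before/not_after validity window, extensions), which is what CloudFlare's record above decodes as; the names ParseESNIKeys, ValidAt and CloudflareTXT are mine. It exposes the validity window so a client can refuse a stale key, which is the key-rotation concern raised at the end of the article.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
)

// ESNIKeys mirrors the early ESNIKeys wire layout (draft-ietf-tls-esni-01/02 era, assumed here), which the
// TXT record above decodes as: version, checksum[4], keys, cipher_suites, padded_length, not_before, not_after, extensions.
type ESNIKeys struct {
	Version, Group, PaddedLength uint16 // Group 0x001d = x25519; PaddedLength hides the real SNI length
	PublicKey                    []byte
	CipherSuites                 []uint16
	NotBefore, NotAfter          uint64 // validity window, Unix seconds
}

func ParseESNIKeys(b64 string) (*ESNIKeys, error) { // fails closed on short, malformed or oversized records
	raw, err := base64.StdEncoding.DecodeString(b64)
	take := func(n int) []byte { // next n bytes, or zeros once the record has run short
		if err != nil || n > len(raw) {
			err = errors.New("esni: truncated or malformed ESNIKeys")
			return make([]byte, n)
		}
		v := raw[:n]
		raw = raw[n:]
		return v
	}
	u16 := func() uint16 { return binary.BigEndian.Uint16(take(2)) }
	u64 := func() uint64 { return binary.BigEndian.Uint64(take(8)) }
	k := &ESNIKeys{Version: u16()}
	take(4) // checksum: first 4 bytes of SHA-256 over the structure per the draft; not verified here
	keysLen := int(u16()) // keys<4..2^16-1>: exactly one KeyShareEntry (group, key_exchange) expected
	k.Group = u16()
	k.PublicKey = append([]byte(nil), take(int(u16()))...)
	for n := int(u16()); n >= 2 && err == nil; n -= 2 { // cipher_suites<2..2^16-2>
		k.CipherSuites = append(k.CipherSuites, u16())
	}
	k.PaddedLength = u16()
	k.NotBefore, k.NotAfter = u64(), u64()
	take(int(u16())) // extensions<0..2^16-1>: empty in the record above
	if err == nil && (keysLen != 4+len(k.PublicKey) || len(raw) != 0) {
		err = errors.New("esni: unexpected key share vector or trailing bytes")
	}
	if err != nil {
		return nil, err
	}
	return k, nil
}

// ValidAt is the rotation check a client must do before using the published key.
func (k *ESNIKeys) ValidAt(now uint64) bool { return now >= k.NotBefore && now <= k.NotAfter }

// CloudflareTXT is the exact TXT value returned for _esni.www.cloudflare.com above.
const CloudflareTXT = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="
```

Decoding the record above yields version 0xff01, an x25519 key share, cipher suite 0x1301 (TLS_AES_128_GCM_SHA256), padded_length 260 and a validity window of 2020-06-01T16:00Z to 2020-06-07T16:00Z, i.e. the published key is only good for six days.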
Client support
As far as browsers go, here are the instructions for enabling ESNI and DoH support in Firefox. After the browser is configured, we should see something like this:

browser check.
Yes, TLS 1.3 must be in use to support ESNI, since ESNI is an extension of TLS 1.3.
To test the backend with ESNI support we wrote a client in Go, but more on that later.
Server side support
At the moment ESNI is not supported by web servers such as nginx, apache, etc., since they handle TLS through OpenSSL/BoringSSL, which do not officially support ESNI.
Therefore we decided to develop our own front-end component (ESNI reverse proxy) that terminates TLS 1.3 with ESNI and proxies HTTP(S) traffic to an upstream that does not support ESNI. This allows the technology to be used in existing infrastructure without changing key components, i.e. with current websites that do not support ESNI.
For clarity, here is a diagram:

Note that the proxy is designed to also terminate TLS connections without ESNI, to support clients without ESNI. The communication with the upstream can likewise be HTTP or HTTPS with a TLS version below 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility.
We borrowed the Go implementation of ESNI support. I want to note right away that the implementation is not trivial, because it involves changes to the standard crypto/tls library and therefore requires "patching" GOROOT before building.
To generate the ESNI keys we used a tool that is also a CloudFlare brainchild. These keys are used for SNI encryption/decryption.
We tested the build with go 1.13 on Linux (Debian, Alpine) and MacOS.
A few words about operation
The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency and response codes, failed/successful TLS handshakes and TLS handshake duration. At first glance this looked sufficient to monitor how the proxy handles traffic.
We also ran load tests before deploying. The results are below:
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.77s     1.21s    7.20s    65.43%
    Req/Sec    13.78      8.84    140.00    83.70%
  206357 requests in 6.00m, 6.08GB read
Requests/sec:    573.07
Transfer/sec:     17.28MB
We also did a kind of high-level test comparing the scheme with the ESNI reverse proxy and without it. We generated the traffic locally in order to exclude "interference" from intermediate components.
So, with ESNI support and proxying to the upstream over HTTP, we got about ~550 rps from a single instance, with average CPU/RAM usage of the ESNI reverse proxy:
- CPU usage of 80% (4 vCPU, 4 GB RAM hosts, Linux)
- 130 MB RSS

For comparison, the RPS of the same load against nginx without TLS termination (plain HTTP) is ~1100:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.11s     2.30s   15.00s    90.94%
    Req/Sec    23.25     13.55    282.00    79.25%
  393093 requests in 6.00m, 11.35GB read
  Socket errors: connect 0, read 0, write 0, timeout 9555
  Non-2xx or 3xx responses: 8111
Requests/sec:   1091.62
Transfer/sec:     32.27MB
The presence of timeouts indicates a shortage of resources (we used 4 vCPU, 4 GB RAM hosts, Linux); in fact, the RPS could reach 2700 RPS on more powerful hardware.
In conclusion, I note that ESNI looks promising. There are still many open questions, for example around storing the ESNI public key in DNS and rotating the ESNI keys; these issues are being actively discussed, and the current version of the ESNI design (at the time of writing) is already .
Source: www.habr.com
