Web HighLoad - how we manage traffic for tens of thousands of domains

Legitimate traffic on the DDoS-Guard network recently exceeded a hundred gigabits per second. Currently, 50% of all our traffic is generated by client web services. These are many tens of thousands of domains, very different from one another and in most cases requiring an individual approach.

Below the cut is how we manage front nodes and issue SSL certificates for hundreds of thousands of sites.

Setting up a front end for a single site, even a very large one, is easy. We take nginx or haproxy or lighttpd, configure it according to the guides and forget about it. If we need to change something, we do a reload and forget about it again.

Everything changes when you process large volumes of traffic on the fly, evaluate the legitimacy of requests, compress and cache user content, and at the same time change parameters several times per second. The user wants to see the result on all external nodes immediately after changing the settings in their personal account. A user can also upload several thousand (and sometimes tens of thousands of) domains with individual traffic-processing parameters through the API. All of this must also work immediately in America, and in Europe, and in Asia. The task is not the most trivial one, considering that in Moscow alone there are several physically separated filtration nodes.

Why are there many large, reliable nodes around the world?

  • Quality of service for client traffic: requests from the USA need to be processed in the USA (including checks for attacks, parsing and other anomalies), and not pulled to Moscow or Europe, unpredictably increasing the processing delay.

  • Attack traffic must be localized: transit operators can degrade during attacks, the volume of which often exceeds 1Tbps. Transporting attack traffic over transatlantic or transasian links is not a good idea. We have had real cases when Tier-1 operators said: "The attacks you receive are dangerous for us." That is why we accept incoming streams as close to their sources as possible.

  • Strict requirements for service continuity: cleaning centers should depend neither on each other nor on local events in our rapidly changing world. Power cut to all eleven floors of MMTS-11 for a week? No problem. Not a single client without a physical connection in this particular location will suffer, and web services will not suffer under any circumstances.

How to manage all this?

Service configurations must be distributed to all front nodes as quickly as possible (ideally instantly). You cannot simply rebuild text configs and restart daemons on every change: nginx, for example, keeps terminating processes (worker shutting down) around for a few more minutes (or maybe hours if there are long websocket sessions).

When reloading the nginx configuration, the following picture is quite normal:

In terms of memory usage:

Old workers eat up memory, including memory that does not depend linearly on the number of connections - this is normal. When the client connections are closed, this memory is freed.

Why was this not a problem when nginx was just starting out? There was no HTTP/2, no WebSocket, no massive long keep-alive connections. 70% of our web traffic is HTTP/2, which means very long connections.

The solution is simple: do not use nginx, do not manage fronts based on text files, and certainly do not send zipped text configurations over transpacific channels. The channels are, of course, guaranteed and redundant, but that does not make them any less transcontinental.

We have our own front server-balancer, whose internals I will talk about in the following articles. The main thing it can do is apply thousands of configuration changes per second on the fly, without restarts, reloads, sudden spikes in memory consumption, and all that. This is very similar to Hot Code Reload, for example in Erlang. The data is stored in a geo-distributed key-value database and is read immediately by the fronts' actuators. That is, you upload an SSL certificate via the web interface or API in Moscow, and in a few seconds it is ready to go in our cleaning center in Los Angeles. If a world war suddenly breaks out and the Internet disappears all over the world, our nodes will continue to work autonomously and will repair the split-brain as soon as one of the dedicated channels Los Angeles-Amsterdam-Moscow or Moscow-Amsterdam-Hong Kong-Los Angeles, or at least one of the GRE backup overlays, becomes available.

The same mechanism allows us to instantly issue and renew Let's Encrypt certificates. Very simplified, it works like this:

  1. As soon as we see at least one HTTPS request for a domain of our client without a certificate (or with an expired certificate), the external node that accepted the request reports this to the internal certification authority.

  2. If the user has not forbidden the issuance of Let's Encrypt certificates, the certification authority generates a CSR, receives a confirmation token from LE and sends it to all fronts over an encrypted channel. Now any node can confirm a validating request from LE.

  3. In a few moments, we receive the correct certificate and private key and send them to the fronts in the same way. Again, without restarting the daemons.

  4. 7 days before the expiration date, the procedure for re-obtaining the certificate is initiated.

Right now we are rotating 350k certificates in real time, completely transparently to users.
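The four steps above, modelled as an added example (not DDoS-Guard's code): a plain dict stands in for the geo-distributed key-value store, and the class names, key layout, HTTP-01 style challenge path and sample values are all assumptions made for illustration.

```python
import datetime as dt

RENEW_BEFORE = dt.timedelta(days=7)                # article: renew 7 days before expiry
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 path from RFC 8555 (assumed)

class InternalCA:
    def __init__(self, kv):
        self.kv = kv

    def on_report(self, domain, token, key_auth):
        """Step 2: honour the user's opt-out, then share the challenge with all fronts."""
        if self.kv.get(("le_disabled", domain)):
            return False
        self.kv[("acme", domain, token)] = key_auth
        return True

    def on_issued(self, domain, token, not_after):
        """Step 3: publish certificate metadata and retire the used challenge."""
        self.kv[("cert", domain)] = {"not_after": not_after}
        self.kv.pop(("acme", domain, token), None)

class FrontNode:
    def __init__(self, name, kv):
        self.name, self.kv = name, kv

    def needs_cert(self, domain, now):
        """Steps 1 and 4: missing, expired, or inside the renewal window."""
        cert = self.kv.get(("cert", domain))
        return cert is None or cert["not_after"] - now <= RENEW_BEFORE

    def handle_http(self, host, path):
        """Answer a validation request from shared state; the token is bound to the host."""
        if not path.startswith(CHALLENGE_PREFIX):
            return 404, ""
        key_auth = self.kv.get(("acme", host, path[len(CHALLENGE_PREFIX):]))
        return (200, key_auth) if key_auth else (404, "")

def demo():
    kv = {}  # stand-in for the geo-distributed key-value store (constructed)
    ca, msk, lax = InternalCA(kv), FrontNode("msk", kv), FrontNode("lax", kv)
    now = dt.datetime(2024, 1, 1)
    first = msk.needs_cert("shop.example", now)             # step 1, seen in one region
    ca.on_report("shop.example", "tok123", "tok123.thumb")  # constructed values
    answer = lax.handle_http("shop.example", CHALLENGE_PREFIX + "tok123")  # other region
    wrong_host = lax.handle_http("other.example", CHALLENGE_PREFIX + "tok123")
    ca.on_issued("shop.example", "tok123", now + dt.timedelta(days=90))
    fresh = lax.needs_cert("shop.example", now)
    due = lax.needs_cert("shop.example", now + dt.timedelta(days=84))
    return first, answer, wrong_host, fresh, due
```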

In the following articles of this series, I will talk about other features of real-time processing of large web traffic: for example, about analyzing RTT using incomplete data to improve the quality of service for transit clients, and in general about protecting transit traffic from terabit attacks, about the delivery and aggregation of traffic information, about WAF, an almost unlimited CDN and many mechanisms for optimizing content delivery.


Source: www.habr.com
