Hello Habr, my name is Ilya, I work on the platform team at Exness. We develop and roll out the core infrastructure components that our product development teams use.
In this article I would like to share our experience of implementing Encrypted SNI (ESNI) in our public web infrastructure.

Using this technology raises the level of security when working with public websites and complies with the internal security standards adopted by the company.
First of all, I would like to point out that the technology is not standardized and is still at the draft stage, but CloudFlare and Mozilla already support it (in ). This encouraged us to run this experiment.
A bit of theory
The SNI is the one part of a TLS connection that still names the destination in cleartext: the certificate and the HTTP request are encrypted, but anyone on the path can read the hostname straight out of the Client Hello. ESNI is an extension of TLS 1.3 that allows the SNI in the "Client Hello" message of the TLS handshake to be encrypted. Here is what a Client Hello with ESNI support looks like (instead of the usual SNI we see ESNI):

To use ESNI you need three pieces:
- DNS;
- client support;
- server-side support.
DNS
You need to add two DNS records, A and TXT (the TXT record contains the public key with which the client encrypts the SNI); see below. In addition, DoH (DNS over HTTPS) support is required, because the clients available today (see below) cannot support ESNI without DoH. This makes sense: ESNI means encrypting the name of the resource we are connecting to, so it would be pointless to look that very name up over plain DNS/UDP. DoH also protects the lookup from tampering and cache-poisoning attacks in this scenario (DoH protects the path to the resolver; a DNSSEC-validating resolver vouches for the record itself).
Available at the moment , among them:
CloudFlare (Check My Browser → Encrypted SNI → Learn More) states that its servers already support ESNI, i.e. on CloudFlare's DNS servers we have at least the two records, A and TXT. In the example below we query Google DNS (over HTTPS):
Request:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' -s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "www.cloudflare.com.",
"type": 1
}
],
"Answer": [
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.210.9"
},
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.209.9"
}
]
}
For the TXT record, the query name is built according to the template _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' -s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16
}
],
"Answer": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16,
"TTL": 1799,
"data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
}
],
"Comment": "Response from 2400:cb00:2049:1::a29f:209."
}
So, on the DNS side we should use DoH against a DNSSEC-validating resolver (note "AD": true in the answers above: the resolver authenticated the data) and add the two records.
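To show what a client actually does with that TXT value, here is an added example in Go; it is written for this article and is not code from Exness, CloudFlare or the Go ESNI fork mentioned later. It decodes the record quoted above as the ESNIKeys structure of the early drafts (version 0xff01, as in draft-ietf-tls-esni-02), verifies the checksum, and exposes the validity window. The record constant is the one returned by Google DoH above; the type and function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"time"
)

// _esni.www.cloudflare.com TXT record as quoted in the article.
const cloudflareRecord = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="

// ESNIKeys is the draft-ietf-tls-esni-02 structure (version 0xff01) that the TXT record carries base64-encoded.
type ESNIKeys struct {
	Version      uint16
	Keys         map[uint16][]byte // server (EC)DH share per group; 0x001d = x25519
	CipherSuites []uint16          // 0x1301 = TLS_AES_128_GCM_SHA256
	PaddedLength uint16            // every encrypted SNI is padded to this length
	NotBefore    time.Time
	NotAfter     time.Time
}

// reader is a bounds-checked cursor with a sticky error: every length field is validated, the parse is checked once.
type reader struct {
	buf []byte
	off int
	err error
}

func (r *reader) bytes(n int) []byte {
	if r.err == nil && n > len(r.buf)-r.off {
		r.err = fmt.Errorf("esni: truncated record at offset %d", r.off)
	}
	if r.err != nil {
		return nil
	}
	r.off += n
	return r.buf[r.off-n : r.off]
}

func (r *reader) num(n int) (v uint64) { // big-endian integer of n bytes
	for _, c := range r.bytes(n) {
		v = v<<8 | uint64(c)
	}
	return v
}

func (r *reader) vec16() []byte { return r.bytes(int(r.num(2))) } // opaque<0..2^16-1>

// ParseESNIKeys decodes one TXT record value, rejecting a wrong version, bad checksum, malformed vectors or trailing bytes.
func ParseESNIKeys(b64 string) (*ESNIKeys, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	r := &reader{buf: raw}
	k := &ESNIKeys{Version: uint16(r.num(2)), Keys: map[uint16][]byte{}}
	checksum := r.bytes(4)
	keys := &reader{buf: r.vec16()}
	for keys.err == nil && keys.off < len(keys.buf) {
		group := uint16(keys.num(2))
		k.Keys[group] = keys.vec16()
	}
	suites := r.vec16()
	for i := 0; i+1 < len(suites); i += 2 {
		k.CipherSuites = append(k.CipherSuites, uint16(suites[i])<<8|uint16(suites[i+1]))
	}
	k.PaddedLength = uint16(r.num(2))
	k.NotBefore = time.Unix(int64(r.num(8)), 0).UTC()
	k.NotAfter = time.Unix(int64(r.num(8)), 0).UTC()
	r.vec16() // extensions: none are defined for this draft, so only the framing is checked
	switch {
	case r.err != nil:
		return nil, r.err
	case keys.err != nil:
		return nil, keys.err
	case r.off != len(raw):
		return nil, fmt.Errorf("esni: %d trailing bytes after ESNIKeys", len(raw)-r.off)
	case k.Version != 0xff01:
		return nil, fmt.Errorf("esni: unsupported version %#04x", k.Version)
	case len(k.Keys) == 0 || len(suites) == 0 || len(suites)%2 != 0:
		return nil, fmt.Errorf("esni: malformed key share or cipher suite list")
	}
	// checksum = first 4 bytes of SHA-256 over the record with the checksum field zeroed
	zeroed := append([]byte(nil), raw...)
	copy(zeroed[2:6], []byte{0, 0, 0, 0})
	if sum := sha256.Sum256(zeroed); !bytes.Equal(sum[:4], checksum) {
		return nil, fmt.Errorf("esni: checksum mismatch")
	}
	return k, nil
}

// Usable reports whether the keys may be used at time now; outside the window a client must refetch the record.
func (k *ESNIKeys) Usable(now time.Time) bool {
	return !now.Before(k.NotBefore) && !now.After(k.NotAfter)
}
```

Parsing the record above yields version 0xff01, one x25519 key share, the single cipher suite 0x1301, padded_length 260 and a validity window from 2020-06-01T16:00Z to 2020-06-07T16:00Z. That six-day window is the practical reason the TXT lookup has to be trustworthy and fresh: a client holding a stale or substituted record would encrypt the SNI to a key the server no longer has, or to an attacker's key, so the parser refuses anything outside the window or with a checksum that does not match, and a record with a single flipped byte is rejected.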
Client support
As for browsers, at the moment . Here are instructions on how to enable ESNI and DoH support in Firefox. After configuring the browser we should see something like this:

Browser check (screenshot)
Naturally, TLS 1.3 has to be in use for ESNI to work, since ESNI is an extension of TLS 1.3.
To test ESNI support on the backend we implemented a Go client, but more on that later.
Server-side support
At the moment, web servers such as nginx/apache etc. do not support ESNI, since they handle TLS via OpenSSL/BoringSSL, which do not officially support ESNI.
Therefore we decided to create our own front-end component (an ESNI reverse proxy) that would terminate TLS 1.3 with ESNI and proxy HTTP(S) traffic to an upstream that does not support ESNI. This allows the technology to be used in the existing infrastructure without changing its key components, i.e. keeping the existing web servers that do not support ESNI.
For clarity, here is a diagram:

Note that the proxy is also configured to terminate TLS connections without ESNI, in order to support clients that do not have ESNI. Also, the protocol to the upstream can be HTTP or HTTPS with a TLS version below 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility. Keep in mind what it does not give: on the hop from the proxy to the upstream the hostname is visible again (in the Host header, or in plain SNI if that hop is HTTPS), so the confidentiality gain is limited to the client-to-proxy leg and the upstream hop should stay inside a trusted network.
We borrowed the Go ESNI implementation from . I would like to note right away that the implementation itself is not trivial, since it involves changes to the standard crypto/tls library and therefore requires "patching" GOROOT before building.
To generate the ESNI keys we used (also from CloudFlare). These keys are used to encrypt/decrypt the SNI.
We tested the build with Go 1.13 on Linux (Debian, Alpine) and macOS.
A few words about features
The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency and response codes, failed/successful TLS handshakes and TLS handshake duration. At first glance this seemed sufficient to assess how the proxy copes with traffic.
We also ran load tests before putting it into use. The results are below:
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.77s 1.21s 7.20s 65.43%
Req/Sec 13.78 8.84 140.00 83.70%
206357 requests in 6.00m, 6.08GB read
Requests/sec: 573.07
Transfer/sec: 17.28MB
We ran a qualitative load test to compare the setup with and without the ESNI proxy. We generated the traffic from the inside to rule out "interference" from intermediate components.
So, with ESNI support and reverse proxying to an HTTP upstream we got roughly ~550 rps per instance, with the ESNI reverse proxy's average CPU/RAM usage at:
- CPU usage 80% (4 vCPU, 4 GB RAM hosts, Linux)
- 130 MB RSS memory

For comparison, the RPS against the same nginx upstream without TLS termination (plain HTTP) is ~1100:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.11s 2.30s 15.00s 90.94%
Req/Sec 23.25 13.55 282.00 79.25%
393093 requests in 6.00m, 11.35GB read
Socket errors: connect 0, read 0, write 0, timeout 9555
Non-2xx or 3xx responses: 8111
Requests/sec: 1091.62
Transfer/sec: 32.27MB
The presence of timeouts indicates a lack of resources (we used 4 vCPU, 4 GB RAM hosts, Linux), and the achievable RPS is actually higher (we got figures of up to 2700 RPS on more powerful hardware).
In conclusion, I will note that ESNI looks like a promising technology. There are still many open questions, for example the caching of the ESNI public key in DNS and the rotation of ESNI keys; these issues are being actively discussed, and the latest version of the ESNI draft (at the time of writing) is already .
Source: www.habr.com
