Hi Habr, my name is Ilya, I work on the platform team at Exness. We build and roll out the infrastructure components that our product development teams use.
In this article I want to share my experience of implementing Encrypted SNI (ESNI) for public websites.

Using this technology raises the level of security when working with a public website and brings it into line with the internal security standards adopted by the Company.
First of all, I want to note that the technology is not yet standardized and is still a draft, but CloudFlare and Mozilla already support it. This is what prompted us to run such an experiment.
A bit of theory
ESNI is an extension of the TLS 1.3 protocol that allows the SNI in the "Client Hello" message of the TLS handshake to be encrypted. Here is what a Client Hello with ESNI support looks like (instead of the usual SNI we see ESNI):

To use ESNI, three components are needed:
- DNS;
- client support;
- server-side support.
DNS
You need to add two DNS records, A and TXT (the TXT record contains the public key with which the client encrypts the SNI), see below. In addition, DoH (DNS over HTTPS) support is required, since the existing clients (see below) do not enable ESNI support without DoH. This makes sense: ESNI implies encrypting the name of the resource we are accessing, so there is no point in querying DNS in plaintext over UDP. In addition, using DNSSEC lets you protect against cache poisoning attacks in this area.
It is already deployed in practice today, for example by CloudFlare (see My Browser → Encrypted SNI → Learn more): their servers already support ESNI, which means that for CloudFlare servers we find at least two records in DNS, A and TXT. In the example below we query Google DNS (over HTTPS):
A record:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}
TXT record; the query is built according to the template _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16
    }
  ],
  "Answer": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16,
      "TTL": 1799,
      "data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}
So, from the DNS point of view, we need to use DoH (preferably together with DNSSEC) and add two records.
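To make the TXT payload concrete, here is an added example (my own code, not from the article or from the proxy described in it) that parses the base64 ESNIKeys value returned above, checks the length fields and the checksum, and exposes the validity window a client has to honour. The field layout follows draft-ietf-tls-esni-02 (version 0xff01), which is what the record carries; the cursor helper is an assumption of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
)

// TXT payload copied from the DoH answer for _esni.www.cloudflare.com shown above.
const cloudflareESNI = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="

// ESNIKeys is the draft-ietf-tls-esni-02 structure (version 0xff01) carried in that record.
type ESNIKeys struct {
	Version, Group, PaddedLength uint16 // Group 0x001d is x25519; the SNI is padded to PaddedLength
	PublicKey                    []byte // the server key the client encrypts the SNI to
	CipherSuite                  uint16 // first suite offered; 0x1301 is TLS_AES_128_GCM_SHA256
	NotBefore, NotAfter          uint64 // validity window in unix seconds; keys outside it must be rejected
	ChecksumOK                   bool   // first 4 bytes of SHA-256 over the struct with the checksum zeroed
}

// cursor is a bounds-checked big-endian reader: an overrun sets err and yields zero bytes.
type cursor struct{ b []byte; off int; err error }

func (c *cursor) take(n int) []byte {
	if c.err != nil || c.off+n > len(c.b) {
		c.err = errors.New("ESNIKeys: truncated structure")
		return make([]byte, n)
	}
	c.off += n
	return c.b[c.off-n : c.off]
}
func (c *cursor) u16() uint16 { return binary.BigEndian.Uint16(c.take(2)) }
func (c *cursor) u64() uint64 { return binary.BigEndian.Uint64(c.take(8)) }

// ParseESNIKeys decodes the base64 TXT data and validates its length fields and checksum.
func ParseESNIKeys(b64 string) (*ESNIKeys, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	c := &cursor{b: raw}
	k, checksum := &ESNIKeys{Version: c.u16()}, c.take(4)
	keys := &cursor{b: c.take(int(c.u16()))} // KeyShareEntry vector; the first entry is used
	k.Group, k.PublicKey = keys.u16(), keys.take(int(keys.u16()))
	suites := &cursor{b: c.take(int(c.u16()))}
	k.CipherSuite, k.PaddedLength = suites.u16(), c.u16()
	k.NotBefore, k.NotAfter = c.u64(), c.u64()
	c.take(int(c.u16())) // extensions vector, unused here
	if c.err != nil || keys.err != nil || suites.err != nil || c.off != len(raw) {
		return nil, errors.New("ESNIKeys: malformed structure")
	}
	sum := sha256.Sum256(append(append(raw[:2:2], 0, 0, 0, 0), raw[6:]...)) // struct with checksum zeroed
	k.ChecksumOK = string(sum[:4]) == string(checksum)
	return k, nil
}
```

For the record above the parser yields an x25519 key, TLS_AES_128_GCM_SHA256, padded_length 260 and a six-day validity window starting at unix time 1591027200, which is why key rotation (mentioned at the end of the article) matters operationally.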
Client support
As for browsers, support is currently limited. Instructions for enabling ESNI and DoH support in Firefox are available. After the browser is configured, we should see something like this:

A page for checking the browser is available as well.
Of course, TLS 1.3 must be used to support ESNI, since ESNI is an extension of TLS 1.3.
To test a backend with ESNI support we implemented a client in Go, but more on that later.
Server-side support
Currently ESNI is not supported by servers such as nginx/apache etc., since they handle TLS through OpenSSL/BoringSSL, which do not officially support ESNI.
That is why we decided to write our own component (ESNI reverse proxy), which supports TLS 1.3 termination with ESNI and proxies HTTP(S) traffic to an upstream that does not support ESNI. This allows the technology to be used in the existing infrastructure without changing the main components, i.e. with the current network facilities that do not support ESNI.
For clarity, here is a diagram:

Please note that the proxy is built with the ability to terminate TLS connections without ESNI as well, in order to support clients without ESNI. Also, the protocol for communicating with the upstream can be HTTP, or HTTPS with a TLS version below 1.3 (if the upstream does not support 1.3). This scheme gives a great deal of flexibility.
For the implementation of ESNI support in Go we borrowed from an existing implementation. I will note right away that the implementation itself is not very clean, since it implies changes to the standard crypto/tls library and therefore requires patching it before the build.
To generate the ESNI keys we used a tool that is also a CloudFlare creation. These keys are used to encrypt/decrypt the SNI.
We tested the build with go 1.13 on Linux (Debian, Alpine) and MacOS.
A few words about operational aspects
The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency & response codes, failed/successful TLS handshakes & TLS handshake time. At first glance this seemed sufficient to monitor how the proxy handles traffic.
We also load-tested it before putting it into use. The results are below:
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.77s     1.21s    7.20s    65.43%
    Req/Sec    13.78      8.84   140.00     83.70%
  206357 requests in 6.00m, 6.08GB read
Requests/sec:    573.07
Transfer/sec:     17.28MB
We ran a high-level load test to compare the scheme with and without the ESNI reverse proxy. We "drove" the traffic locally to eliminate "interference" from intermediate components.
So, with ESNI support and proxying to the upstream over HTTP, we get ~550 rps from a single instance, with the following average CPU/RAM consumption of the ESNI reverse proxy:
- 80% CPU usage (4 vCPU, 4 GB RAM hosts, Linux)
- 130 MB Mem RSS

For comparison, the RPS for the same nginx upstream without TLS termination (plain HTTP) is ~1100:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.11s     2.30s   15.00s    90.94%
    Req/Sec    23.25     13.55   282.00     79.25%
  393093 requests in 6.00m, 11.35GB read
  Socket errors: connect 0, read 0, write 0, timeout 9555
  Non-2xx or 3xx responses: 8111
Requests/sec:   1091.62
Transfer/sec:     32.27MB
The presence of timeouts indicates a shortage of resources (we used 4 vCPU, 4 GB RAM hosts, Linux), and in fact the potential RPS is higher (we obtained figures of up to 2700 RPS on more powerful resources).
In conclusion, I would like to note that ESNI looks very promising. There are still many open questions, for example storing the ESNI public key in DNS and rotating ESNI keys; these issues are being actively discussed, and the ESNI draft has already moved on to a newer version (at the time of writing).
Source: www.habr.com
