How to protect your website with ESNI

Hello Habr, my name is Ilya, I work on the platform team at Exness. We build and roll out the core components that our product development teams use.

In this article I would like to share my experience of deploying Encrypted SNI (ESNI) in the infrastructure of public websites.


Using this technology raises the level of security when working with a public website and satisfies the internal security standards adopted by the company.

First of all, I want to point out that the technology is not yet standardized and is still a draft, but CloudFlare and Mozilla already support it (draft 01). That is what prompted us to run this experiment.

A bit of theory

ESNI is an extension of TLS 1.3 that encrypts the SNI carried in the TLS "Client Hello" message. This is what a Client Hello looks like with ESNI support (instead of the usual SNI we see ESNI):

[Figure: Client Hello capture with the ESNI extension]

To use ESNI you need three components:

  • DNS;
  • client support;
  • server-side support.

DNS

You need to add two DNS records, A and TXT (the TXT record contains the public key with which the client encrypts the SNI); see below. In addition, DoH (DNS over HTTPS) support is required, because existing clients (see below) do not allow ESNI without DoH. This makes sense: ESNI implies encrypting the name of the resource we are accessing, so there is no point in then querying DNS for it in the clear over UDP. Moreover, using DNSSEC lets you protect against cache poisoning attacks at this step.

Many DoH providers are available today, among them:

CloudFlare has announced (see My Browser → Encrypted SNI → Learn more) that their servers already support ESNI, that is, for CloudFlare servers there are at least two records in DNS, A and TXT. In the example below we query Google DNS (over HTTPS):

A record:

curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}

TXT record; the query name is built from the template _esni.FQDN:

curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16
    }
  ],
  "Answer": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16,
      "TTL": 1799,
      "data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}

So, from the DNS point of view, we should use DoH (preferably with DNSSEC) and add the two records.
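The TXT payload above is a base64 ESNIKeys structure (draft-01/02 layout: version, 4-byte checksum, KeyShareEntry list, cipher suites, padded_length, not_before/not_after, extensions). The following parser is an added example, not code from the article or from CloudFlare's implementation; it assumes the draft-01/02 checksum rule (first four bytes of SHA-256 over the record with the checksum field zeroed) and uses the CloudFlare record quoted on the page as its sample input.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
)
// ESNIKeys is the draft-01/02 structure in the _esni.<fqdn> TXT record (first KeyShareEntry only).
type ESNIKeys struct {
	Version, Group, PaddedLength uint16 // Group 0x001d is x25519
	PublicKey, CipherSuites      []byte // CipherSuites is the raw list; 0x1301 = TLS_AES_128_GCM_SHA256
	NotBefore, NotAfter          uint64 // unix seconds
	ChecksumOK                   bool
}
type cur struct{ b []byte; err error } // big-endian cursor; after a short read the error sticks, reads return zeros
func (c *cur) take(n int) (v []byte) {
	if c.err == nil && len(c.b) >= n {
		v, c.b = c.b[:n], c.b[n:]
		return v
	}
	c.err = errors.New("esni: malformed or truncated record")
	return make([]byte, n)
}
func (c *cur) u16() uint16 { return binary.BigEndian.Uint16(c.take(2)) }
func (c *cur) u64() uint64 { return binary.BigEndian.Uint64(c.take(8)) }
// ParseESNIKeys decodes the base64 TXT payload, walks the structure and verifies the draft-01/02 checksum.
func ParseESNIKeys(b64 string) (*ESNIKeys, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < 6 {
		return nil, errors.New("esni: not a base64 ESNIKeys record")
	}
	zeroed := append([]byte{}, raw...)
	copy(zeroed[2:6], make([]byte, 4)) // checksum = SHA-256(record with checksum field zeroed)[:4]
	sum := sha256.Sum256(zeroed)
	k, c := &ESNIKeys{ChecksumOK: string(sum[:4]) == string(raw[2:6])}, &cur{b: raw}
	k.Version, _ = c.u16(), c.take(4)     // version, then the checksum bytes verified above
	keys := &cur{b: c.take(int(c.u16()))} // KeyShareEntry keys<4..2^16-1>
	k.Group, k.PublicKey = keys.u16(), keys.take(int(keys.u16()))
	k.CipherSuites = c.take(int(c.u16())) // cipher_suites<2..2^16-2>
	k.PaddedLength, k.NotBefore, k.NotAfter = c.u16(), c.u64(), c.u64()
	c.take(int(c.u16()))                  // extensions<0..2^16-1>, not interpreted here
	if c.err != nil || keys.err != nil || len(c.b) != 0 {
		return nil, errors.New("esni: malformed or truncated record")
	}
	return k, nil
}
// UsableAt: a checksum-valid x25519 key whose window contains unix time t; otherwise fall back to plain SNI.
func (k *ESNIKeys) UsableAt(t uint64) bool {
	return k.ChecksumOK && k.Group == 0x001d && len(k.PublicKey) == 32 && t >= k.NotBefore && t <= k.NotAfter
}
```

For the record on the page this yields version 0xff01, an x25519 key, suite 0x1301, padded_length 260 and a validity window of unix 1591027200 to 1591545600 (six days), which is why a client must re-query the TXT record rather than cache the key indefinitely.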

Client support

As far as browsers go, support is currently implemented only in Firefox. Instructions for enabling ESNI and DoH support in Firefox are available. Once the browser is configured, we should see something like this:

[Figure: browser check page reporting Encrypted SNI enabled]

Link to check your browser.

Naturally, TLS 1.3 must be in use for ESNI to work, since ESNI is an extension of TLS 1.3.

To test the backend with ESNI support we implemented a client in Go, but more on that later.

Server-side support

At the moment ESNI is not supported by servers such as nginx, apache and the like, since they do TLS through OpenSSL/BoringSSL, which do not officially support ESNI.

We therefore decided to build our own frontend component, an ESNI reverse proxy, which terminates TLS 1.3 with ESNI and proxies HTTP(S) traffic to an upstream that does not support ESNI. This lets the technology be used in an existing architecture without changing its key components, that is, with existing web servers that have no ESNI support.

To make this clearer, here is a diagram:

[Figure: ESNI reverse proxy in front of a non-ESNI upstream]

Note that the proxy is designed to also terminate TLS connections without ESNI, in order to support clients that lack ESNI. Likewise, the upstream protocol can be HTTP or HTTPS with a TLS version below 1.3 (if the upstream does not support 1.3). This scheme gives a great deal of flexibility.

We borrowed the Go implementation of ESNI support from CloudFlare. I want to note right away that the implementation itself is not trivial, since it involves changes to the standard library crypto/tls and therefore requires "patching" it before building.

To generate the ESNI keys we used esnitool (also a CloudFlare brainchild). These keys are used for SNI encryption/decryption.
We tested the build with go 1.13 on Linux (Debian, Alpine) and macOS.

A few words about operations

The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency and response codes, failed/successful TLS handshakes and TLS handshake time. At first glance this seemed sufficient to monitor how the proxy handles traffic.

We also ran load tests before deployment. The results are below:

wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.77s     1.21s    7.20s    65.43%
    Req/Sec    13.78      8.84   140.00     83.70%
  206357 requests in 6.00m, 6.08GB read
Requests/sec:    573.07
Transfer/sec:     17.28MB 

We ran the load tests to compare the scheme with the ESNI reverse proxy against the scheme without it. We "drove" the traffic locally in order to rule out "interference" from intermediate components.

So, with ESNI support and proxying to the upstream over HTTP, we get ~550 rps from a single instance, with the average CPU/RAM utilization of the ESNI reverse proxy being:

  • 80% CPU utilization (4 vCPU, 4 GB RAM host, Linux)
  • 130 MB RSS memory

[Figure: ESNI reverse proxy CPU/RAM metrics during the load test]

For comparison, the RPS for the same nginx upstream without TLS termination (plain HTTP) is ~1100:

wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.11s     2.30s   15.00s    90.94%
    Req/Sec    23.25     13.55   282.00     79.25%
  393093 requests in 6.00m, 11.35GB read
  Socket errors: connect 0, read 0, write 0, timeout 9555
  Non-2xx or 3xx responses: 8111
Requests/sec:   1091.62
Transfer/sec:     32.27MB 

The timeouts show that we were short of resources (we used a 4 vCPU, 4 GB RAM host, Linux), and in practice the achievable RPS is higher (we reached figures of up to 2700 RPS with more powerful resources).

In conclusion, I note that ESNI looks very promising. There are still many open questions, for example how to store the ESNI public key in DNS and how to rotate ESNI keys; these issues are being actively discussed, and the latest version of the ESNI draft (at the time of writing) is already 07.

Source: www.habr.com
