How to protect your public website with ESNI

Hello Habr, my name is Ilya, I work in the platform team at Exness. We develop and roll out the core components used by our product development teams.

In this article I would like to share my experience of deploying encrypted SNI (ESNI) in the infrastructure of a public website.


Using this technology raises the level of security of a public website and lets us comply with the internal security standards adopted by the company.

First of all, I want to point out that the technology is not standardized yet and is still a draft, but CloudFlare and Mozilla already support it (the draft-01 version). That is what encouraged us to run this experiment.

A little theory

ESNI is an extension of the TLS 1.3 protocol that allows the SNI to be transmitted in encrypted form in the "Client Hello" message of the TLS handshake. This is what a Client Hello with ESNI support looks like (instead of the usual SNI we see ESNI):


To use ESNI, you need three components:

  • DNS;
  • client support;
  • server-side support.

DNS

You need to add two DNS records, A and TXT (the TXT record contains the public key with which the client encrypts the SNI), see below. In addition, DoH (DNS over HTTPS) support is required, because the existing clients (see below) do not enable ESNI without DoH. This makes sense: ESNI means encrypting the name of the resource we are connecting to, so there is no point in leaking that same name by querying DNS over plain UDP. On top of that, using DNSSEC lets you protect against cache poisoning attacks in this scenario.

There are now many DoH providers available, among them:

CloudFlare states (see Check My Browser → Encrypted SNI → Learn More) that its servers already support ESNI, which means that for CloudFlare's own hosts there are at least two DNS records, A and TXT. In the example below we query Google DNS (over HTTPS):

A record:

curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}

TXT record; the query follows the template _esni.FQDN:

curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16
    }
  ],
  "Answer": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16,
      "TTL": 1799,
      "data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}

So, from the DNS side, we need to use DoH (preferably together with DNSSEC) and add two records.
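The base64 value in the TXT record above is a serialized ESNIKeys structure (draft-02 layout: version, checksum, key shares, cipher suites, padded_length, not_before, not_after, extensions). The following parser is an added example, not code from the article or from CloudFlare; it decodes the record shown on this page and lets an operator check that a published key is well-formed and inside its validity window before pointing clients at it (the checksum rule and the Unix-epoch timestamps are assumptions taken from draft-02).

```python
import base64
import hashlib
import struct

# TXT record value for _esni.www.cloudflare.com as printed in the article above.
ESNI_TXT = ("/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1Qg"
            "AAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=")


def _vec(buf, pos, lenbytes):
    """Read a TLS length-prefixed vector; return (body, position after it)."""
    n = int.from_bytes(buf[pos:pos + lenbytes], "big")
    pos += lenbytes
    if pos + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + n], pos + n


def parse_esni_keys(txt):
    """Decode a draft-02 ESNIKeys record; raise ValueError when malformed."""
    raw = base64.b64decode(txt)
    version = int.from_bytes(raw[0:2], "big")
    if version != 0xFF01:  # draft-02 version tag used by CloudFlare
        raise ValueError(f"unexpected ESNIKeys version {version:#06x}")
    # checksum = first 4 bytes of SHA-256 over the structure with the checksum zeroed
    expected = hashlib.sha256(raw[:2] + b"\0\0\0\0" + raw[6:]).digest()[:4]
    keys, pos = _vec(raw, 6, 2)
    shares, kpos = [], 0
    while kpos < len(keys):  # KeyShareEntry: uint16 group, opaque key_exchange<1..2^16-1>
        group = int.from_bytes(keys[kpos:kpos + 2], "big")
        pub, kpos = _vec(keys, kpos + 2, 2)
        shares.append((group, pub))
    suites_raw, pos = _vec(raw, pos, 2)
    suites = [int.from_bytes(suites_raw[i:i + 2], "big") for i in range(0, len(suites_raw), 2)]
    padded_length, not_before, not_after = struct.unpack(">HQQ", raw[pos:pos + 18])
    exts, pos = _vec(raw, pos + 18, 2)
    if pos != len(raw):
        raise ValueError("trailing bytes after ESNIKeys")
    return {"checksum_ok": raw[2:6] == expected, "key_shares": shares,
            "cipher_suites": suites, "padded_length": padded_length,
            "not_before": not_before, "not_after": not_after, "extensions": exts}


def keys_usable_at(info, now_ts):
    """True if the record's validity window covers the given Unix timestamp."""
    return info["not_before"] <= now_ts <= info["not_after"]


if __name__ == "__main__":
    info = parse_esni_keys(ESNI_TXT)
    for name, value in info.items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

For the record above this yields one x25519 key share (group 0x001d), cipher suite 0x1301 (TLS_AES_128_GCM_SHA256), padded_length 260 and a six-day validity window, which is why key rotation (discussed at the end of the article) has to keep the TXT record and the proxy's private key in step.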

Client support

As far as browsers are concerned, support is currently implemented only in Firefox. Here are the instructions for enabling ESNI and DoH support in Firefox. Once the browser is configured, we should see something like this:


Link for checking the browser.

Naturally, TLS 1.3 must be used for ESNI to work, since ESNI is an extension of TLS 1.3.

To test the backend with ESNI support, we implemented a client in Go, but more on that later.

Server-side support

At the moment ESNI is not supported by web servers such as nginx, apache, etc., since they handle TLS through OpenSSL/BoringSSL, which do not officially support ESNI.

We therefore decided to build our own front-end component (an ESNI reverse proxy) that terminates TLS 1.3 with ESNI and proxies HTTP(S) traffic to an upstream that has no ESNI support. This lets us use the technology on the existing infrastructure without changing the main components, that is, keeping the current web servers that do not support ESNI.

For clarity, here is a diagram:


Note that the proxy is also designed to terminate TLS connections without ESNI, so that clients without ESNI keep working. Likewise, the protocol towards the upstream can be HTTP or HTTPS with a TLS version below 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility.

We borrowed the Go implementation of ESNI support from CloudFlare. I should note right away that the implementation itself is not trivial, because it involves changes to the standard crypto/tls library and therefore requires "patching" GOROOT before building.

To generate the ESNI keys we used esnitool (also CloudFlare's work). These keys are used for SNI encryption/decryption.
We tested the build with go 1.13 on Linux (Debian, Alpine) and MacOS.

A few words about performance

The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency and response codes, TLS handshake failures/successes and TLS handshake duration. Initially this looked sufficient to evaluate how the proxy handles traffic.

We also ran a load test before rolling it out. The results are below:

wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.77s     1.21s    7.20s    65.43%
    Req/Sec    13.78      8.84   140.00     83.70%
  206357 requests in 6.00m, 6.08GB read
Requests/sec:    573.07
Transfer/sec:     17.28MB

We ran a standard load test to compare the scheme with and without the ESNI reverse proxy. We "poured" the traffic in locally to exclude "interference" from intermediate components.

So, with ESNI support and proxying to an HTTP upstream, we got ~550 rps from a single instance, with the following average CPU/RAM usage of the ESNI reverse proxy:

  • 80% CPU usage (4 vCPU, 4 GB RAM hosts, Linux)
  • 130 MB Mem RSS


For comparison, the RPS of the same nginx upstream without TLS termination (plain HTTP) is ~1100:

wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.11s     2.30s   15.00s    90.94%
    Req/Sec    23.25     13.55   282.00     79.25%
  393093 requests in 6.00m, 11.35GB read
  Socket errors: connect 0, read 0, write 0, timeout 9555
  Non-2xx or 3xx responses: 8111
Requests/sec:   1091.62
Transfer/sec:     32.27MB

The presence of timeouts indicates a shortage of resources (we used 4 vCPU, 4 GB RAM hosts, Linux), and in fact the achievable RPS is higher (we obtained figures of up to 2700 RPS on more powerful hosts).

In conclusion, I will note that ESNI looks very promising. There are still many open questions, for example how to store the ESNI public key in DNS and how to rotate ESNI keys; these issues are being actively discussed, and the latest version of the ESNI draft (at the time of writing) is 7.

Source: www.habr.com
