Hi Habr, my name is Ilya and I work in the platform team at Exness. We develop and roll out the core components that our product development teams build on.
In this article I would like to share my experience of implementing Encrypted SNI (ESNI) in the infrastructure of a public website.

Using this technology raises the level of security when working with a public website and complies with the internal security standards adopted by the Company.
First of all, I should note that the technology is not yet standardized and is still a draft, but CloudFlare and Mozilla already support it. That is what motivated us to run this experiment.
A bit of theory
ESNI is an extension to the TLS 1.3 protocol that allows the SNI to be sent encrypted in the TLS handshake "Client Hello" message. Here is what a Client Hello with ESNI support looks like (instead of the usual SNI we see ESNI):

To use ESNI, three components are needed:
- DNS;
- client support;
- server-side support.
DNS
Two DNS records have to be added: A and TXT (the TXT record carries the public key with which the client encrypts the SNI); see below. In addition, DoH (DNS over HTTPS) support is required, because the existing clients (see below) do not enable ESNI without DoH. This makes sense: ESNI encrypts the name of the resource we are connecting to, so it would be pointless to look that name up over plain DNS over UDP. Moreover, DoH also protects against DNS cache-poisoning attacks in this scenario.
It is already in use, among others by:
CloudFlare (Check my Browser → Encrypted SNI → Learn More): their servers already support ESNI, which means that for CloudFlare hosts there are at least two records in DNS, A and TXT. In the example below we query Google DNS (over HTTPS):
A record:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}
TXT record; the query name is built from the template _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16
    }
  ],
  "Answer": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16,
      "TTL": 1799,
      "data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}
So, from the DNS side we need to use DoH (preferably with DNSSEC) and add two records.
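As an added example (not code from the article or from CloudFlare), here is a Go parser for the ESNIKeys structure carried in the _esni TXT record returned above, laid out as in draft-ietf-tls-esni-02: it recovers the x25519 key share, the cipher suite, the padded length and the not_before/not_after window, which is the window that key rotation is about. The checksum field is skipped, and accepting only a single key share is an assumption of this example.

```go
package main
// Added example, not code from the article or CloudFlare. Parses the draft-02
// ESNIKeys record from the _esni TXT data above and checks its validity window.
import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"time"
)
// The TXT rdata returned above, with the quote characters the DoH JSON form adds stripped.
const esniTXT = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="
type ESNIKeys struct {
	Version, Group, PaddedLength uint16 // version 0xff01 is draft-02; group 0x001d is x25519
	PublicKey                    []byte
	CipherSuites                 []uint16 // TLS 1.3 suites the server accepts for the ESNI AEAD
	NotBefore, NotAfter          time.Time
}
// parseESNIKeys decodes one base64 ESNIKeys value; it accepts exactly one key share (assumption).
func parseESNIKeys(b64 string) (*ESNIKeys, error) {
	d, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(d) < 8 {
		return nil, fmt.Errorf("bad ESNIKeys encoding: %v", err)
	}
	be, k := binary.BigEndian, &ESNIKeys{Version: binary.BigEndian.Uint16(d)}
	p := d[6:] // skip version (2 bytes) and checksum (4 bytes)
	keysLen := int(be.Uint16(p))
	if keysLen < 4 || len(p) < 2+keysLen || int(be.Uint16(p[4:]))+4 != keysLen {
		return nil, fmt.Errorf("expected exactly one key share")
	}
	k.Group, k.PublicKey, p = be.Uint16(p[2:]), p[6:2+keysLen], p[2+keysLen:]
	csLen := int(be.Uint16(p))
	if len(p) < 2+csLen+18 { // suites, padded_length, not_before, not_after must follow
		return nil, fmt.Errorf("truncated record")
	}
	for i := 2; i+1 < 2+csLen; i += 2 {
		k.CipherSuites = append(k.CipherSuites, be.Uint16(p[i:]))
	}
	p = p[2+csLen:]
	k.PaddedLength = be.Uint16(p)
	k.NotBefore = time.Unix(int64(be.Uint64(p[2:])), 0).UTC()
	k.NotAfter = time.Unix(int64(be.Uint64(p[10:])), 0).UTC()
	return k, nil
}
// usableAt reports whether a client may encrypt the SNI with this key at time t.
func (k *ESNIKeys) usableAt(t time.Time) bool {
	return k.Version == 0xff01 && !t.Before(k.NotBefore) && !t.After(k.NotAfter)
}
func main() {
	k, err := parseESNIKeys(esniTXT)
	fmt.Printf("%+v\nerr=%v\n", k, err)
}
```

For the record above this yields an x25519 share with TLS_AES_128_GCM_SHA256 (0x1301), padded length 260 and a one-week window, so a client that caches the record must re-resolve it before not_after.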
Client support
As for browsers, the situation at the moment is this. Here are the instructions for enabling ESNI and DoH support in Firefox. Once the browser is configured, we should see something like this:

Browser check.
Naturally, TLS 1.3 must be used to support ESNI, since ESNI is an extension of TLS 1.3.
To test a backend with ESNI support we implemented a client in Go, but more on that later.
Server-side support
At the moment ESNI is not supported by web servers such as nginx, apache and so on, since they handle TLS through OpenSSL/BoringSSL, which do not officially support ESNI.
Therefore we decided to build our own front component (an ESNI reverse proxy) that terminates TLS 1.3 with ESNI and proxies HTTP(S) traffic to an upstream that does not support ESNI. This lets us use the technology on the existing infrastructure without changing its main components, that is, keep the current web servers that do not support ESNI.
For clarity, here is a diagram:

Note that the proxy is also designed to terminate TLS connections without ESNI, so that clients without ESNI support are served as well. Also, the protocol towards the upstream can be HTTP or HTTPS with a TLS version below 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility.
We borrowed the Go implementation of ESNI support rather than writing it ourselves. I should note right away that the implementation itself is not trivial, since it involves changes to the standard library package crypto/tls and therefore requires "patching" GOROOT before the build.
For generating the ESNI keys we used the same logic as CloudFlare. These keys are used to encrypt and decrypt the SNI.
We tested the build with Go 1.13 on Linux (Debian, Alpine) and macOS.
A few words about performance
The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency and response codes, TLS handshake failures/successes and TLS handshake duration. Initially this seemed enough to assess how the proxy handles traffic.
We also ran load tests before rolling it out. The results are below:
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.77s 1.21s 7.20s 65.43%
Req/Sec 13.78 8.84 140.00 83.70%
206357 requests in 6.00m, 6.08GB read
Requests/sec: 573.07
Transfer/sec: 17.28MB
We ran a standard load test to compare the setup with the ESNI reverse proxy and without it. We "poured" traffic in locally to rule out "interference" from intermediate components.
So, with ESNI support and proxying to the upstream over HTTP, we squeezed ~550 rps out of one instance, with the following average CPU/RAM usage of the ESNI reverse proxy:
- 80% CPU usage (host with 4 vCPU, 4 GB RAM, Linux)
- 130 MB Mem RSS

For comparison, the RPS of the same nginx upstream without TLS termination (plain HTTP) is ~1100:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.11s 2.30s 15.00s 90.94%
Req/Sec 23.25 13.55 282.00 79.25%
393093 requests in 6.00m, 11.35GB read
Socket errors: connect 0, read 0, write 0, timeout 9555
Non-2xx or 3xx responses: 8111
Requests/sec: 1091.62
Transfer/sec: 32.27MB
The presence of timeouts indicates a shortage of resources (we used a host with 4 vCPU, 4 GB RAM, Linux), so the real potential RPS is higher (we got figures of up to 2700 RPS on more powerful hardware).
In conclusion, I would say that ESNI looks very promising. Many questions remain open, for example how the ESNI public key is stored in DNS and how ESNI keys are rotated; these issues are being actively discussed, see the latest version of the ESNI draft at the time of writing.
Source: www.habr.com
