Web HighLoad - how we manage traffic for tens of thousands of domains

Legitimate traffic on the DDoS-Guard network recently exceeded one hundred gigabits per second. Currently, 50% of all our traffic is generated by client web services. These are many tens of thousands of domains, very diverse and in most cases requiring an individual approach.

Below the cut is how we manage front nodes and issue SSL certificates for hundreds of thousands of sites.


Setting up a front for one site, even a very large one, is easy. We take nginx or haproxy or lighttpd, configure it according to the guides and forget about it. If we need to change something, we do a reload and forget about it again.

Everything changes when you process large volumes of traffic on the fly, evaluate the legitimacy of requests, compress and cache user content, and at the same time change parameters several times per second. The user wants to see the result on all external nodes immediately after changing the settings in their account. A user can also upload several thousand (and sometimes tens of thousands) of domains with individual traffic processing parameters via the API. All of this must work immediately in America, in Europe and in Asia - not the most trivial task, considering that in Moscow alone there are several physically separated filtering nodes.

Why are there many large, reliable nodes around the world?

  • Quality of service for client traffic - requests from the USA must be processed in the USA (including attacks, parsing and other anomalies), and not pulled to Moscow or Europe, unpredictably increasing processing latency.

  • Attack traffic must stay local - transit operators can degrade during attacks, whose volume often exceeds 1 Tbps. Carrying attack traffic over transatlantic or transasian links is not a good idea. We have had real cases where Tier-1 operators said: "The volume of attacks you receive is dangerous for us." That is why we accept incoming streams as close to their sources as we can.

  • Strict requirements for service continuity - scrubbing centers must not depend on each other or on local events in our rapidly changing world. Power cut to all 11 floors of MMTS-9 for a week? - no problem. Not a single client without a physical connection at that particular site will suffer, and web services will not suffer under any circumstances.

How to manage all this?

Service configuration must be distributed to all front nodes as quickly as possible (ideally instantly). You cannot simply rebuild text configs and restart the daemons on every change - nginx, for example, keeps old processes in the shutting-down state (worker shutting down) for a few more minutes (or hours if there are long WebSocket sessions).

When reloading the nginx configuration, the following picture is quite normal:


Memory usage:


Old workers eat memory, including memory that does not depend linearly on the number of connections - this is normal. When the client connections are closed, this memory is freed.

Why was this not an issue when nginx was just starting out? There was no HTTP/2, no WebSocket, no long-lived keep-alive connections. 70% of our web traffic is HTTP/2, which means very long connections.

The solution is simple - don't use nginx, don't manage fronts based on text files, and certainly don't send zipped text configurations over transcontinental channels. The channels are, of course, guaranteed and reserved, but that does not make them any less transcontinental.

We have our own front server-balancer, whose internals I will talk about in the following articles. The main thing it can do is apply thousands of configuration changes per second on the fly, without restarts, reloads, sudden spikes in memory consumption, and all that. This is very similar to Hot Code Reload, for example in Erlang. The data is stored in a geo-distributed key-value database and is read immediately by the front nodes. That is, you upload an SSL certificate through the web interface or the API in Moscow, and within a few seconds it is ready to use in our scrubbing center in Los Angeles. If a world war suddenly breaks out and the Internet disappears all over the world, our nodes will continue to work autonomously and will repair the split-brain as soon as one of the dedicated channels Los Angeles-Amsterdam-Moscow or Moscow-Amsterdam-Hong Kong-Los Angeles, or at least one of the backup GRE overlays, becomes available.

The same mechanism allows us to instantly issue and renew Let's Encrypt certificates. Put very simply, it works like this:

  1. As soon as we see at least one HTTPS request for a domain of our client without a certificate (or with an expired certificate), the external node that accepted the request reports this to the internal certificate authority.


  2. If the user has not prohibited the issuance of Let's Encrypt certificates, the certificate authority generates a CSR, receives a confirmation token from LE and sends it to all fronts over an encrypted channel. Now any node can answer the validation request from LE.


  3. In a few minutes, we receive the correct certificate and private key and send them to the fronts in the same way. Again, without restarting the daemons.


  4. 7 days before the expiration date, the procedure for re-obtaining the certificate is started.

Right now we rotate 350k certificates in real time, completely transparently to users.

In the following articles of the series, I will talk about other features of real-time processing of large web traffic - for example, about analyzing RTT using incomplete data to improve the quality of service for transit clients and, in general, about protecting transit traffic from terabit attacks, about the delivery and aggregation of traffic information, about WAF, an almost unlimited CDN and many mechanisms for optimizing content delivery.
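The four steps above, sketched as an added example (this is not DDoS-Guard's code): every edge reads challenge tokens and certificate state from one replicated store per request, so any node can answer the Let's Encrypt HTTP-01 validation request and no reload is needed. The class names, the `acme/` and `cert/` key layout, the `allow_le` policy flag and the in-memory dict standing in for the geo-distributed key-value database are all assumptions.

```python
from datetime import timedelta

RENEW_BEFORE = timedelta(days=7)              # renewal window stated in the article
ACME_PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 path defined by RFC 8555

class ReplicatedKV(dict):
    """Assumed stand-in for the geo-distributed key-value store shared by all edges."""

class InternalCA:
    def __init__(self, kv, clients):
        self.kv, self.clients, self.pending = kv, clients, set()

    def report_missing(self, domain):
        """Steps 1-2: accept a report only for a known client domain that allows LE."""
        policy = self.clients.get(domain)
        if policy is None or not policy["allow_le"] or domain in self.pending:
            return False                      # unknown, opted out, or order already in flight
        self.pending.add(domain)
        return True

    def publish_challenge(self, token, key_authorization):
        # Must reach every edge before the ACME server is asked to validate.
        self.kv["acme/" + token] = key_authorization

    def publish_cert(self, domain, not_after):
        """Step 3: only the expiry is modelled here; the real push carries cert and key."""
        self.kv["cert/" + domain] = not_after
        self.pending.discard(domain)

class Edge:
    def __init__(self, kv, ca):
        self.kv, self.ca = kv, ca

    def on_tls_hello(self, sni, now):
        """Report a missing or soon-to-expire cert; return True if a valid one exists."""
        not_after = self.kv.get("cert/" + sni)
        if not_after is None or not_after - now <= RENEW_BEFORE:
            self.ca.report_missing(sni)       # steps 1 and 4 share one trigger
        return not_after is not None and not_after > now

    def on_http(self, path):
        """Any edge answers validation by exact-match store lookup, never from disk."""
        if not path.startswith(ACME_PREFIX):
            return 404, ""
        body = self.kv.get("acme/" + path[len(ACME_PREFIX):])
        return (200, body) if body is not None else (404, "")
```

Restricting `report_missing` to known client domains and deduplicating in-flight orders keeps arbitrary SNI values from driving certificate orders against the CA's rate limits.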


Source: www.habr.com
