Hello Habr, my name is Ilya, I work in the platform team at Exness. We design and implement the core infrastructure components used by our product development teams.
In this article I would like to share my experience of implementing Encrypted SNI (ESNI) in the infrastructure of public websites.
Using this technology raises the level of security when working with a public website and complies with the internal security standards adopted by the Company.
First of all, I would like to point out that the technology is not standardized and is still a draft, but CloudFlare and Mozilla already support it (in
A bit of theory
ESNI is an extension to the TLS 1.3 protocol that allows the SNI to be encrypted in the TLS handshake message "Client Hello". This is what a Client Hello looks like with ESNI support (instead of the usual SNI we see ESNI):
To use ESNI, three components are needed:
- DNS;
- client support;
- server-side support.
DNS
You need to add two DNS records: A and TXT (the TXT record contains the public key with which the client encrypts the SNI); see below. In addition, DoH (DNS over HTTPS) must be supported, because the existing clients (see below) do not support ESNI without DoH. This is logical: ESNI is about encrypting the name of the resource we are accessing, so it makes no sense to query that name over plain DNS over UDP. Moreover, using
Currently available
CloudFlare
A record:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
-s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "www.cloudflare.com.",
"type": 1
}
],
"Answer": [
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.210.9"
},
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.209.9"
}
]
}
TXT record; the query name is formed according to the template _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
-s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16
}
],
"Answer": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16,
"TTL": 1799,
"data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
}
],
"Comment": "Response from 2400:cb00:2049:1::a29f:209."
}
So, from the DNS perspective, we should use DoH (preferably with DNSSEC) and add two records.
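As an added example (not code from the article or from the Exness proxy), this Python parser decodes the draft-02 ESNIKeys payload from the _esni.www.cloudflare.com TXT record shown above into the fields a client needs: key share, cipher suites, padding length and validity window. The window check is the client-side half of the key-rotation question raised at the end of the article; the checksum rule follows the draft-02 text (first four bytes of SHA-256 over the structure with the checksum field zeroed).

```python
"""Parse the draft-ietf-tls-esni-02 ESNIKeys record published under _esni.<fqdn>."""
import base64
import hashlib
import struct
from datetime import datetime, timezone

# TXT payload for _esni.www.cloudflare.com exactly as shown in the DoH answer above.
CLOUDFLARE_ESNI = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="


def parse_esni_keys(b64: str) -> dict:
    """Decode the record and walk its TLS-style length-prefixed vectors."""
    raw = base64.b64decode(b64, validate=True)
    pos = 0

    def take(n: int) -> bytes:  # bounds-checked read: a short record raises instead of misparsing
        nonlocal pos
        if n < 0 or pos + n > len(raw):
            raise ValueError("truncated ESNIKeys")
        pos += n
        return raw[pos - n:pos]

    def u16() -> int:
        return struct.unpack("!H", take(2))[0]

    version = u16()
    if version != 0xFF01:  # the draft-02 version Cloudflare published at the time
        raise ValueError(f"unsupported ESNIKeys version {version:#06x}")
    checksum = take(4)
    # draft-02: first 4 bytes of SHA-256 over the structure with the checksum field zeroed
    digest = hashlib.sha256(raw[:2] + b"\0\0\0\0" + raw[6:]).digest()
    keys_len = u16()                  # keys<4..2^16-1>: list of KeyShareEntry
    keys_end = pos + keys_len
    group, key = u16(), take(u16())   # first KeyShareEntry {group, key_exchange<1..2^16-1>}
    take(keys_end - pos)              # skip any further key shares
    suites = [u16() for _ in range(u16() // 2)]   # cipher_suites<2..2^16-2>
    padded_length = u16()             # encrypted SNI is padded to this length to hide the name length
    not_before, not_after = struct.unpack("!QQ", take(16))
    take(u16())                       # extensions<0..2^16-1>, empty in this record
    if pos != len(raw):
        raise ValueError("trailing bytes after ESNIKeys")
    return {"group": group, "public_key": key, "cipher_suites": suites,
            "padded_length": padded_length, "checksum_ok": digest[:4] == checksum,
            "not_before": datetime.fromtimestamp(not_before, timezone.utc),
            "not_after": datetime.fromtimestamp(not_after, timezone.utc)}


def in_window(keys: dict, now: datetime) -> bool:
    """Client-side check that makes key rotation via DNS safe: never use a record outside its window."""
    return keys["not_before"] <= now <= keys["not_after"]
```

For the record above this yields an x25519 key share (group 0x001d), TLS_AES_128_GCM_SHA256 (0x1301), a padded length of 260 and a validity window of 2020-06-01T16:00Z to 2020-06-07T16:00Z, i.e. a key that is rotated roughly weekly.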
Client support
If we are talking about browsers, then at the moment
Naturally, TLS 1.3 must be used to support ESNI, since ESNI is an extension of TLS 1.3.
To test the backend with ESNI support, we implemented a client in Go, but more on that later.
Server-side support
Currently, ESNI is not supported by web servers such as nginx, Apache and others, because they handle TLS through OpenSSL/BoringSSL, which do not officially support ESNI.
Therefore, we decided to create our own front-end component (an ESNI reverse proxy) that terminates TLS 1.3 with ESNI and proxies HTTP(S) traffic to an upstream that does not support ESNI. This allows the technology to be used in existing infrastructure without changing the main components, i.e. while keeping the current web servers that do not support ESNI.
For clarity, here is a diagram:
Note that the proxy is designed to also terminate TLS connections without ESNI, in order to support clients that lack ESNI. Furthermore, the protocol for communicating with the upstream can be either HTTP or HTTPS with a TLS version below 1.3 (if the upstream does not support 1.3). This scheme gives maximum flexibility.
We borrowed the implementation of ESNI support in Go from
To generate the ESNI keys we used
We tested the build with Go 1.13 on Linux (Debian, Alpine) and macOS.
A few words about operational features
The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency and response codes, failed/successful TLS handshakes and TLS handshake duration. At first glance this seems sufficient to evaluate how the proxy handles traffic.
We also load-tested it before putting it into use. The results are below:
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.77s 1.21s 7.20s 65.43%
Req/Sec 13.78 8.84 140.00 83.70%
206357 requests in 6.00m, 6.08GB read
Requests/sec: 573.07
Transfer/sec: 17.28MB
We ran a clean load test to compare the setup with the ESNI reverse proxy against the setup without it. We generated the traffic locally in order to rule out interference from intermediate components.
So, with ESNI support and proxying to the upstream over HTTP, we got around ~550 rps from a single instance, with the following total CPU/RAM consumption of the ESNI reverse proxy:
- 80% CPU utilization (4 vCPU, 4 GB RAM host, Linux)
- 130 MB RSS memory
For comparison, the RPS for the same nginx upstream without TLS termination (plain HTTP) is ~1100:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.11s 2.30s 15.00s 90.94%
Req/Sec 23.25 13.55 282.00 79.25%
393093 requests in 6.00m, 11.35GB read
Socket errors: connect 0, read 0, write 0, timeout 9555
Non-2xx or 3xx responses: 8111
Requests/sec: 1091.62
Transfer/sec: 32.27MB
The presence of timeouts indicates that we were short of resources (we used a 4 vCPU, 4 GB RAM host, Linux), and in fact the maximum RPS is higher (we got figures of up to 2700 RPS on more powerful hardware).
In conclusion, I note that the ESNI technology looks quite promising. There are still many open questions, for example storing the ESNI public key in DNS and rotating ESNI keys; these issues are being actively discussed, and a new version of the ESNI draft is already available (at the time of writing).
Source: www.habr.com