Imininingwane yokucisha kwe-Cloudflare ngomhla ka-2 Julayi 2019

Cishe eminyakeni engu-9 edlule i-Cloudflare yayiyinkampani encane, futhi angizange ngiyisebenzele, ngangiyikhasimende nje. Inyanga ngemva kokwethula i-Cloudflare, ngathola isaziso sokuthi iwebhusayithi yami jgc.orgI-DNS ibonakala ingasebenzi. I-Cloudflare yenze ushintsho ku Amabhafa wephrothokholi, futhi kwakukhona i-DNS ephukile.

Ngokushesha ngabhalela uMatthew Prince ngesihloko esithi "Iphi i-DNS yami?"funda yonke incwadi lapha), ngaphendula ngathi:

Kuvela ku: John Graham-Cumming
Idethi: Okthoba 7, 2010, 9:14
Isihloko: Re: Iphi i-DNS yami?
Ku: Matthew Prince

Umbiko opholile, ngiyabonga. Ngizofona nakanjani uma kunezinkinga. Cishe kufanelekile ukubhala okuthunyelwe mayelana nalokhu uma usuqoqe yonke imininingwane yezobuchwepheshe. Ngicabanga ukuthi abantu bazoyithokozela indaba evulekile nethembekile. Ikakhulukazi uma unamathisela amagrafu kuyo ukuze ubonise ukuthi ithrafikhi ikhule kanjani kusukela yethulwa.

Nginokuqapha okuhle kusayithi lami, futhi ngithola i-SMS mayelana nakho konke ukwehluleka. Ukuqapha kukhombisa ukuthi ukwehluleka kwenzeke kusukela ngo-13:03:07 kuya ku-14:04:12. Ukuhlolwa kwenziwa njalo ngemizuzu emihlanu.

Ngiqinisekile ukuthi uzokuqonda. Uqinisekile ukuthi awumdingi umuntu wakho eYurophu? 🙂

Futhi waphendula:

Kusuka ku: Matthew Prince
Idethi: Okthoba 7, 2010, 9:57
Isihloko: Re: Iphi i-DNS yami?
Ku: John Graham-Cumming

Ngiyabonga. Siphendule wonke umuntu obhale. Ngisendleleni eya ehhovisi manje futhi sizobhala okuthile kubhulogi noma siphine okuthunyelwe okusemthethweni ebhodini lethu lezaziso. Ngivuma ngokuphelele, ukwethembeka yikho konke.

Manje i-Cloudflare iyinkampani enkulu ngempela, ngiyayisebenzela, futhi manje kufanele ngibhale ngokukhululekile ngephutha lethu, imiphumela yalo kanye nezenzo zethu.

Imicimbi yangomhla zi-2 kuJulayi

Ngomhla zi-2 kuJulayi sikhiphe umthetho omusha kokuthi Imithetho Ephethwe yama-WAF ngenxa yalokho Izinsiza ze-CPU beziphela kuwo wonke amaphrosesa acubungula ithrafikhi ye-HTTP/HTTPS kunethiwekhi ye-Cloudflare emhlabeni jikelele. Sihlala sithuthukisa imithetho ephethwe yama-WAF ekuphenduleni ubungozi obusha nezinsongo. Ngokwesibonelo, ngo-May sashesha engeza umthethoukuvikela ekubeni sengozini enkulu ku-SharePoint. Iphuzu eliphelele le-WAF yethu yikhono lokusebenzisa imithetho ngokushesha nasemhlabeni jikelele.

Ngeshwa, isibuyekezo sangoLwesine olwedlule besiqukethe izinkulumo ezijwayelekile ezimoshe izinsiza ze-CPU eziningi kakhulu ze-HTTP/HTTPS ekubuyiseleni emuva. Ummeleli wethu oyinhloko, imisebenzi ye-CDN, kanye ne-WAF ihlukumezekile ngenxa yalokho. Igrafu ibonisa ukuthi izinsiza zokuphrosesa zokusebenzela ithrafikhi ye-HTTP/HTTPS zifinyelela cishe ku-100% kumaseva akunethiwekhi yethu.

Ukusetshenziswa kwe-CPU endaweni eyodwa yokuba khona phakathi nesigameko

Ngenxa yalokho, amakhasimende ethu (kanye namakhasimende ethu) agcine enekhasi lamaphutha angu-502 ezizindeni ze-Cloudflare. Amaphutha angu-502 akhiqizwe amaseva ewebhu e-Cloudflare angaphambili ayesenama-cores amahhala kodwa ayengakwazi ukuxhumana nezinqubo eziphatha ithrafikhi ye-HTTP/HTTPS.

Siyazi ukuthi kungakanani ukuphazamiseka lokhu okudale amakhasimende ethu. Sinamahloni kakhulu. Futhi lokhu kwehluleka kusivimbele ekubhekaneni ngempumelelo nesigameko.

Uma ungomunye walawa makhasimende, cishe wawunovalo, uthukuthele futhi ucasukile. Ngaphezu kwalokho, asikaze sibe nayo ukuphazamiseka komhlaba. Ukusetshenziswa okuphezulu kwe-CPU kwakungenxa yomthetho owodwa we-WAF onenkulumo evamile engasebenzi kahle eholele ekuhlehliseni emuva ngokweqile. Nansi inkulumo enecala: (?:(?:"|'|]|}||d|(?:nan|infinity|true|false|null|undefined|symbol|math)|`|-|+)+[)]*;?((?:s|-|~|!|{}||||+)*.*(?:.*=.*)))

Nakuba lokhu kuthakazelisa ngokwako (futhi ngizokhuluma ngakho ngokuningiliziwe ngezansi), isevisi ye-Cloudflare yayiphansi imizuzu engu-27 hhayi nje ngenxa yenkulumo embi evamile. Kusithathe isikhathi ukuchaza ukulandelana kwezehlakalo eziholele ekwehlulekeni, ngakho saphuza ukuphendula. Ekupheleni kokuthunyelwe, ngizochaza ukuhlehla ngenkulumo evamile futhi ngikutshele ukuthi wenzeni ngakho.

Kwenzenjani

Ake siqale ngokulandelana. Zonke izikhathi lapha ziku-UTC.

Ngo-13:42 p.m., unjiniyela wethimba lezicishamlilo wenza ushintsho oluncane emithethweni yokuthola I-XSS usebenzisa inqubo ezenzakalelayo. Ngokufanelekile, ithikithi lesicelo sokushintsha lakhiwe. Siphatha amathikithi anjalo nge-Jira (isithombe-skrini ngezansi).

Ngemuva kwemizuzu emi-3, kwavela ikhasi lokuqala le-PagerDuty, libika inkinga nge-WAF. Lokhu bekuwukuhlola okokwenziwa okuhlola ukusebenza kwama-WAF (sinamakhulu wawo) ngaphandle kwe-Cloudflare ukuze kuqashwe ukusebenza okuvamile. Lokhu kwalandelwa ngokushesha amakhasi ezixwayiso mayelana nezinye izivivinyo zesevisi yokuphela-to-ekupheleni ye-Cloudflare ehlulekayo, izinkinga zethrafikhi zomhlaba wonke, amaphutha asabalele angu-502, kanye nenqwaba yemibiko evela ku-Points of Presence yethu (PoP) emadolobheni emhlabeni jikelele ebonise ukushoda. kwezinsiza ze-CPU.

Ngithole eziningi zalezi zixwayiso, ngiphuma emhlanganweni, futhi ngisendleleni eya etafuleni ngesikhathi inhloko yomnyango wethu wokuthuthukiswa kwezixazululo ithi silahlekelwe u-80% wezimoto zethu. Ngagijimela konjiniyela bethu be-SRE, ababevele belungisa inkinga. Ekuqaleni besicabanga ukuthi wukuhlasela okungaziwa.

Onjiniyela be-Cloudflare SRE bahlakazeke emhlabeni wonke futhi baqaphe isimo ubusuku nemini. Ngokuvamile, lezi zixwayiso zikwazisa ngezinkinga ezithile zendawo zobubanzi obulinganiselwe, zilandelelwa kumadeshibhodi angaphakathi, futhi zixazululwa izikhathi eziningi ngosuku. Kodwa lawa makhasi nezaziso kubonise okuthile okungathí sina ngempela, futhi onjiniyela be-SRE bamemezela ngokushesha izinga lobunzima P0 futhi bathinta abaphathi nonjiniyela bohlelo.

Onjiniyela bethu baseLondon babelalele inkulumo ehholo elikhulu ngaleso sikhathi. Inkulumo kwadingeka iphazamiseke, wonke umuntu wabuthana ekamelweni elikhulu lezingqungquthela, kwabizwa ochwepheshe abengeziwe. Lokhu bekungeyona inkinga ejwayelekile ukuthi ama-SRE angabhekana nawo ngokwawo. Bekuphuthuma ukubandakanya ochwepheshe abalungile.

Ngo-14:00 sinqume ukuthi inkinga iku-WAF futhi akukho kuhlasela. Ithimba lokusebenza lidonse idatha ye-CPU futhi kwacaca ukuthi i-WAF iyona enecala. Esinye isisebenzi siqinisekise lo mbono sisebenzisa i-strace. Omunye wabona ezingodweni ukuthi kunenkinga nge-WAF. Ngo-14:02 p.m., ithimba lonke leza kimi lapho kuhlongozwa ukuthi kusetshenziswe ukubulala emhlabeni wonke, indlela eyakhelwe ku-Cloudflare evala ingxenye eyodwa emhlabeni wonke.

Ukuthi sibulale kanjani umhlaba wonke nge-WAF yindaba ehlukile. Akulula kanjalo. Sisebenzisa imikhiqizo yethu, futhi kusukela enkonzweni yethu Ukufinyelela akusebenzanga, asikwazanga ukugunyaza nokungena kuphaneli yokulawula yangaphakathi (lapho yonke into isilungisiwe, sifunde ukuthi amanye amalungu eqembu alahlekelwe ukufinyelela ngenxa yesici sokuvikela esikhubaza imininingwane uma iphaneli yokulawula yangaphakathi ingasetshenziselwa isikhathi eside).

Futhi asikwazanga ukufinyelela kumasevisi ethu angaphakathi, njenge-Jira noma isistimu yokwakha. Besidinga indlela yokulungisa, ebesiyisebenzisa njalo (lokhu kuzodinga futhi kusetshenzwe). Ekugcineni, unjiniyela oyedwa ukwazile ukukhubaza i-WAF ngo-14:07, futhi ngo-14:09, amazinga ethrafikhi nama-CPU ayebuyele kokujwayelekile yonke indawo. Ezinye izindlela zokuvikela ze-Cloudflare zisebenze njengokujwayelekile.

Bese siqala ukubuyisela i-WAF. Isimo sasingajwayelekile, ngakho-ke senza izivivinyo ezingezinhle (sizibuza ukuthi ingabe uguquko luyinkinga ngempela) kanye nokuhlola okuhle (ukuqinisekisa ukuthi ukubuyiselwa emuva kuyasebenza) edolobheni elilodwa sisebenzisa ithrafikhi ehlukile, sidlulisela amakhasimende akhokhayo asuka lapho.

Ngo-14:52 sasiqiniseka ukuthi siyasiqonda isizathu futhi senza ukulungisa, futhi savumela i-WAF futhi.

Isebenza kanjani i-Cloudflare

I-Cloudflare ineqembu lonjiniyela abazinikezele ekuphatheni imithetho yama-WAF. Balwela ukuthuthukisa izilinganiso zokutholwa, behlise imibono engamanga, futhi baphendule ngokushesha ezinsongweni ezintsha njengoba zivela. Ezinsukwini ezingu-60 ezedlule, kube nezicelo zoshintsho ezingu-476 ezicutshungulwe kumithetho ephethwe ye-WAF (isilinganiso esisodwa njalo emahoreni angu-3).

Lolu shintsho oluthile lwaludinga ukuthunyelwa kumodi yokulingisa, lapho ithrafikhi yeklayenti yangempela idlula umthetho, kodwa akukho lutho oluvinjiwe. Sisebenzisa le modi ukuze sihlole ukusebenza kwemithetho futhi silinganise amanani angamanga amahle namanga amanga. Kodwa ngisho nakumodi yokulingisa, imithetho kufanele isetshenziswe ngempela, futhi kulokhu umthetho wawuqukethe inkulumo evamile eyayidla izinsiza zokucubungula eziningi kakhulu.

Njengoba ungabona esicelweni soshintsho esingenhla, sinohlelo lokuphakelwa, uhlelo lokuhlehlisa, kanye nesixhumanisi senqubo yokusebenza evamile yangaphakathi (SOP) yalolu hlobo lokusatshalaliswa. I-SOP yokushintsha umthetho ikuvumela ukuthi ushicilelwe emhlabeni jikelele. Empeleni, e-Cloudflare, izinto zenziwa ngendlela ehluke ngokuphelele, futhi i-SOP ibeka ukuthi siqale sithumele isofthiwe ukuze ihlolwe futhi isetshenziswe ngaphakathi endaweni yangaphakathi yokuba khona (i-PoP) (esetshenziswa abasebenzi bethu), bese kuba inani elincane lamakhasimende indawo engayodwa, bese kuba inani elikhulu lamakhasimende, bese kuphela emhlabeni wonke.

Lokhu kubukeka kanjani. Sisebenzisa i-git ngaphakathi nge-BitBucket. Onjiniyela abasebenza ngezinguquko bahambisa ikhodi, ehlanganiswe ku-TeamCity, futhi lapho ukwakhiwa kudlula, ababuyekezi bayanikezwa. Lapho isicelo sokudonsa sivunyiwe, ikhodi iyahlanganiswa futhi uchungechunge lwezivivinyo luyaqaliswa (futhi).

Uma isakhiwo nokuhlola kuqeda ngempumelelo, isicelo soshintsho siyadalwa e-Jira futhi umphathi ofanelekile noma umholi kufanele agunyaze ushintsho. Ngemva kokugunyazwa, ukuthunyelwa kwenzeka kulokho okubizwa ngokuthi “i-PoP menagerie”: DOG, PIG kanye I-Canary (inja, ingulube kanye ne-canary).

I-DOG PoP iyi-Cloudflare PoP (njengawo wonke amanye amadolobha ethu) esetshenziswa abasebenzi bakwa-Cloudflare kuphela. I-PoP yokusetshenziswa kwangaphakathi ikuvumela ukuthi ubambe izinkinga ngaphambi kokuthi ithrafikhi yamakhasimende iqale ukugelezela esixazululweni. Into ewusizo.

Uma ukuhlolwa kwe-DOG kuphumelela, ikhodi ithuthela esigabeni se-PIG (ingulube ye-Guinea). Lena i-Cloudflare PoP, lapho inani elincane lethrafikhi yamahhala yamakhasimende ligeleza ngekhodi entsha.
Uma konke kuhamba kahle, ikhodi ingena eCanary. SinamaCanary PoP amathathu ezingxenyeni ezahlukene zomhlaba. Kuzo, ithrafikhi yamakhasimende akhokhelwayo namahhala idlula ikhodi entsha, futhi lokhu kuyisheke lokugcina lamaphutha.

Inqubo Yokukhishwa Kwesoftware e-Cloudflare

Uma ikhodi ilungile e-Canary, siyayikhulula. Ukudlula kuzo zonke izigaba - I-DOG, I-PIG, i-Canary, umhlaba wonke - kuthatha amahora ambalwa noma izinsuku, kuye ngokushintsha kwekhodi. Ngenxa yokuhlukahluka kwenethiwekhi namakhasimende e-Cloudflare, sihlola kahle ikhodi ngaphambi kokuyikhipha emhlabeni wonke kuwo wonke amakhasimende. Kodwa i-WAF ayilandeli le nqubo ngokuqondile ngoba izinsongo zidinga ukuphendulwa ngokushesha.

Izinsongo ze-WAF
Eminyakeni embalwa edlule, kube nokwanda okukhulu kwezinsongo ezisetshenziswayo ezivamile. Lokhu kungenxa yokutholakala okukhulu kwamathuluzi okuhlola isofthiwe. Isibonelo, sisanda kubhala mayelana ukufutha).

Source: https://cvedetails.com/

Kaningi, kwakhiwa ubufakazi bomqondo bese bushicilelwa ngokushesha ku-Github ukuze amaqembu agcina uhlelo lokusebenza akwazi ukuluhlola ngokushesha futhi aqinisekise ukuthi luvikeleke ngokwanele. Ngakho-ke, i-Cloudflare idinga ikhono lokuphendula ukuhlaselwa okusha ngokushesha ngangokunokwenzeka ukuze amakhasimende abe nethuba lokulungisa isofthiwe yawo.

Isibonelo esihle sokuphendula okusheshayo kwe-Cloudflare ukuthunyelwa kokuvikela ubungozi be-SharePoint ngoMeyi (funda lapha). Cishe ngokushesha ngemva kokwenziwa kwezimemezelo, saqaphela inani elikhulu lemizamo yokusebenzisa ubungozi ekufakweni kweSharePoint kwamakhasimende ethu. Abafana bethu bahlale beqapha izinsongo ezintsha kanye nemithetho yokubhala ukuze bavikele amakhasimende ethu.

Umthetho odale inkinga ngoLwesine bekufanele uvikele ekubhalweni kwe-cross-site (XSS). Ukuhlasela okunjalo kuye kwanda kakhulu eminyakeni yamuva.

Source: https://cvedetails.com/

Inqubo evamile yokushintsha umthetho ophethwe we-WAF ukwenza ukuhlolwa kwe-continuous integration (CI) ngaphambi kokuthunyelwa komhlaba wonke. NgoLwesine olwedlule sikwenzile lokhu sakhipha imithetho. Ngo-13:31 p.m., unjiniyela uthumele isicelo esigunyaziwe sokudonsa noshintsho.

Ngo-13:37 iTeamCity yaqoqa imithetho, yaqhuba izivivinyo futhi yanikeza imvume yokuqhubeka. I-WAF test suite ihlola ukusebenza okubalulekile kwe-WAF futhi iqukethe inani elikhulu lokuhlolwa kweyunithi yemisebenzi ngayinye. Ngemuva kokuhlolwa kweyunithi, sihlole imithetho ye-WAF sisebenzisa inombolo enkulu yezicelo ze-HTTP. Izicelo ze-HTTP zihlola ukuthi yiziphi izicelo okufanele zivinjwe yi-WAF (ukuvimbela ukuhlasela) futhi ezingavunyelwa (ukuze ungavimbi yonke into futhi ugweme amanga angamanga). Kodwa asizange sihlole ukusetshenziswa kwe-CPU ngokweqile, futhi ukuhlola izingodo zokwakhiwa kwe-WAF kwangaphambilini kubonisa ukuthi isikhathi sokwenziwa kokuhlolwa komthetho asizange sikhuphuke, futhi kwakunzima ukusola ukuthi ngeke kube nezinsiza ezanele.

Izivivinyo ziphumelele futhi iTeamCity yaqala ukuthumela ngokuzenzakalelayo ushintsho ngo-13:42 p.m.

Quicksilver

Imithetho ye-WAF igxile ekulungiseni usongo ngokushesha, ngakho-ke siyisebenzisa sisebenzisa isitolo senani elingukhiye osabalalisiwe sakwa-Quicksilver, esisabalalisa izinguquko emhlabeni wonke ngemizuzwana. Wonke amakhasimende ethu asebenzisa lobu buchwepheshe lapho eshintsha ukumisa kudeshibhodi noma nge-API, futhi kungenxa yawo ukuthi siphendula izinguquko ngesivinini sombani.

Asikakaxoxi okuningi nge-Quicksilver. Ngaphambili sasisebenzisa I-Kyoto Tycoon njengesitolo senani elingukhiye esatshalaliswa emhlabeni wonke, kodwa kube nezinkinga zokusebenza ngaso, futhi sabhala isitolo sethu, esiphindaphindwe emadolobheni angaphezu kuka-180. Manje sisebenzisa i-Quicksilver ukuze siphushe izinguquko zokumisa kumakhasimende, sibuyekeze imithetho ye-WAF, futhi sisabalalise ikhodi ye-JavaScript ebhalwe amaklayenti ku-Cloudflare Workers.

Kuthatha kuphela imizuzwana embalwa kusukela ngokuchofoza inkinobho kudeshibhodi noma ukushayela i-API ukwenza ushintsho lokumisa emhlabeni jikelele. Amakhasimende athande lesi sivinini sokusetha. Futhi Abasebenzi babanika cishe ukuthunyelwa kwesoftware yomhlaba wonke ngokushesha. Ngokwesilinganiso, i-Quicksilver isakaza izinguquko ezingaba ngu-350 ngomzuzwana.

Futhi i-Quicksilver ishesha kakhulu. Ngokwesilinganiso, sizuze iphesenti elingu-99 lamasekhondi angu-2,29 ukusabalalisa izinguquko kuwo wonke amakhompyutha emhlabeni jikelele. Ijubane ngokuvamile liyinto enhle. Ngemuva kwakho konke, uma unika amandla umsebenzi noma usula inqolobane, kwenzeka cishe ngaso leso sikhathi futhi yonke indawo. Ukuthumela ikhodi nge-Cloudflare Workers kwenzeka ngesivinini esifanayo. I-Cloudflare ithembisa amakhasimende ayo izibuyekezo ezisheshayo ngesikhathi esifanele.

Kodwa kulokhu, ijubane lidlale ihlaya elinonya kithi, futhi imithetho yashintsha yonke indawo ngemizuzwana nje. Kungenzeka ukuthi uqaphele ukuthi ikhodi ye-WAF isebenzisa i-Lua. I-Cloudflare isebenzisa i-Lua kakhulu ekukhiqizeni nasemininingwaneni Lua ku-WAF thina osekuxoxiwe ngakho. I-Lua WAF isebenzisa I-PCRE ngaphakathi futhi kusebenza ukuhlehla ukuze kufaniswe. Ayinazo izindlela zokuvikela izinkulumo ezingalawuleki. Ngezansi ngizokhuluma kabanzi ngalokhu nokuthi senzani ngakho.

Ngaphambi kokuba imithetho isetshenziswe, konke kwahamba kahle: isicelo sokudonsa sakhiwe futhi savunyelwa, ipayipi le-CI / CD liqoqwe futhi lahlola ikhodi, isicelo sokushintsha sithunyelwe ngokuvumelana ne-SOP elawula ukuthunyelwa nokubuyisela emuva, futhi ukuthunyelwa kwaqedwa.

Cloudflare WAF Deployment Process

Kukhona into engahambanga kahle
Njengoba ngishilo, sisebenzisa inqwaba yemithetho emisha ye-WAF isonto ngalinye, futhi sinezinhlelo eziningi esizisebenzayo zokuvikela emiphumeleni emibi yalokho kuthunyelwa. Futhi uma kukhona okungahambanga kahle, kuvamise ukuba yinhlanganisela yezimo ezimbalwa ngesikhathi esisodwa. Uma uthola isizathu esisodwa nje, lokhu, yiqiniso, kuyaqinisekisa, kodwa akulona iqiniso ngaso sonke isikhathi. Lezi yizizathu eziholele ekuhlulekeni kwesevisi yethu ye-HTTP/HTTPS.

1. Unjiniyela wabhala inkulumo evamile engaphumela ekweqiseni ukuhlehla.
2. Isici ebesingavimbela isisho esivamile ukuthi singamoshi i-CPU eningi sisuswe ngephutha ekulungisweni kabusha kwe-WAF emasontweni ambalwa edlule—ukulungiswa kabusha kwakudingeka ukuze kwenziwe i-WAF idle izinsiza ezincane.
3. Injini yokukhuluma evamile yayingenazo iziqinisekiso eziyinkimbinkimbi.
4. I-test suite ayikwazanga ukuthola ukusetshenziswa okweqile kwe-CPU.
5. I-SOP ivumela izinguquko zemithetho engeyona eyezimo eziphuthumayo ukuthi zisatshalaliswe emhlabeni wonke ngaphandle kwenqubo yezinyathelo eziningi.
6. Uhlelo lokuhlehlisa ludinga ukuqhuba ukwakhiwa okugcwele kwe-WAF kabili, okuthathe isikhathi eside.
7. Isexwayiso sokuqala mayelana nezinkinga zethrafikhi yomhlaba wonke siqalwe sekwephuze kakhulu.
8. Sithathe isikhathi ukubuyekeza ikhasi lesimo.
9. Sibe nezinkinga zokufinyelela kumasistimu ngenxa yenkinga, futhi inqubo yokudlula ayizange isungulwe kahle.
10. Onjiniyela be-SRE balahlekelwe ukufinyelela kwamanye amasistimu ngenxa yokuthi izifakazelo zabo ziphelelwe yisikhathi ngenxa yezizathu zokuphepha.
11. Amakhasimende ethu awakwazanga ukufinyelela ideshibhodi ye-Cloudflare noma i-API ngoba adlula endaweni ye-Cloudflare.

Okushintshile kusukela ngoLwesine olwedlule

Okokuqala, simise ngokuphelele wonke umsebenzi wokukhishwa kwe-WAF futhi senza lokhu okulandelayo:

1. Sethula kabusha ukuvikela ukusetshenziswa ngokweqile kwe-CPU esikususile. (Kulungile)
2. Ukuhlola mathupha yonke imithetho engu-3868 emithethweni ephethwe ye-WAF ukuze ithole futhi ilungise ezinye izimo ezingaba khona zokuhlehla ngokweqile. (Ukuqinisekisa kuqediwe)
3. Sifaka iphrofayela yokusebenza kwayo yonke imithetho kusethi yokuhlola. (Kulindeleke: Julayi 19)
4. Ishintshela enjinini yokukhuluma evamile re2 noma Rust - zombili zinikeza iziqinisekiso zesikhathi sokusebenza. (Kulindeleke: Julayi 31)
5. Sibhala kabusha i-SOP ukuze sikhiphe imithetho ngezigaba, njengenye isofthiwe ku-Cloudflare, kodwa ngesikhathi esifanayo sinamandla okuthunyelwa komhlaba jikelele okuphuthumayo uma ukuhlasela sekuvele kuqalile.
6. Sakha ikhono lokususa ngokushesha ideshibhodi ye-Cloudflare ne-API endaweni ye-Cloudflare.
7. Izenzela izibuyekezo zekhasi Isimo se-Cloudflare.

Isikhathi eside sisuka kude neLua WAF engiyibhale eminyakeni embalwa edlule. Ihambisa i-WAF ku- uhlelo olusha lwe-firewall. Ngale ndlela i-WAF izoshesha futhi ithole izinga elingeziwe lokuvikela.

isiphetho

Lokhu kwehluleka kwadala inkinga kithi nakumakhasimende ethu. Sithathe isinyathelo ngokushesha ukuze silungise isimo futhi manje sisebenzela amaphutha ezinqubweni ezibangele ukuphahlazeka, kanye nokumba sijule nakakhulu ukuze sigweme izinkinga ezingase zibe khona ngezinkulumo ezivamile esikhathini esizayo lapho sithuthela kubuchwepheshe obusha.

Sinamahloni kakhulu ngalokhu kucisha futhi siyaxolisa kumakhasimende ethu. Sithemba ukuthi lezi zinguquko zizoqinisekisa ukuthi into efana nalena ayenzeki futhi.

Isicelo. Ihlehlisa izinkulumo ezijwayelekile

Ukuze uqonde ukuthi le nkulumo:

(?:(?:"|'|]|}||d
(?:nan|infinity|true|false|null|undefined|symbol|math)|`|-
|+)+[)]*;?((?:s|-|~|!|{}||||+)*.*(?:.*=.*)))

udle zonke izinsiza ze-CPU, udinga ukwazi kancane mayelana nokuthi injini evamile yokukhuluma isebenza kanjani. Inkinga lapha iphethini .*(?:.*=.*). (?: nokuhambisana ) yiqembu elingathwebuli (okungukuthi, isisho esikubakaki siqoqwe njengesisho esisodwa).

Kumongo wokusetshenziswa ngokweqile kwe-CPU, le phethini ingachazwa ngokuthi .*.*=.*. Kuleli fomu, iphethini ibonakala iyinkimbinkimbi ngokungadingekile. Kodwa okubaluleke nakakhulu, emhlabeni wangempela, izinkulumo (njengezinkulumo eziyinkimbinkimbi emithethweni ye-WAF) ezicela injini ukuthi ifane nocezu olulandelwa olunye ucezu lungaholela ekuhlehleni okuyinhlekelele. Futhi yingakho.

Ngenkulumo evamile . kusho ukuthi udinga ukufanisa uhlamvu olulodwa, .* - fanisa izinhlamvu zero noma ngaphezulu "ngokuhaha", okungukuthi, ukuthwebula ubuningi bezinhlamvu, ukuze .*.*=.* kusho ukufanisa izinhlamvu ezinguziro noma ngaphezulu, bese uqondanisa izinhlamvu ezinguziro noma ngaphezulu, thola uhlamvu olungokoqobo =, fanisa izinhlamvu ezinguziro noma ngaphezulu.

Ake sithathe umugqa wokuhlola x=x. Ihambisana nenkulumo .*.*=.*. .*.* ngaphambi kokuthi uphawu olulinganayo lufane nelokuqala x (elinye lamaqembu .* соответствует x, kanye nezinhlamvu zesibili - zero). .* ngemva = ukufana kokugcina x.

Lokhu kuqhathanisa kudinga izinyathelo ezingama-23. Iqembu lokuqala .* в .*.*=.* yenza ngokuhaha futhi ifanisa yonke intambo x=x. Injini iya eqenjini elilandelayo .*. Asisenabo abalingisi esizofana nabo, ngakho-ke iqembu lesibili .* ifana nezinhlamvu ezinguziro (lokhu kuvunyelwe). Khona-ke injini ihamba uphawu =. Azisekho izimpawu (iqembu lokuqala .* wasebenzisa yonke inkulumo x=x), akukho ukuqhathanisa okwenzekayo.

Bese-ke injini yenkulumo evamile ibuyela ekuqaleni. Udlulela eqenjini lokuqala .* futhi uyayiqhathanisa с x= (esikhundleni se x=x), bese ithatha iqembu lesibili .*. Iqembu lesibili .* iqhathaniswa neyesibili x, futhi asinazo izinhlamvu ezisele. Futhi lapho injini ifika futhi = в .*.*=.*, akukho okusebenzayo. Aphinde ahlehle futhi.

Kulokhu iqembu .* isafana x=, kodwa iqembu lesibili .* angiphinde x, nezinhlamvu ezinguziro. Injini izama ukuthola uhlamvu lwangempela = ephethinini .*.*=.*, kodwa ayiphumi (phela, iqembu lokuqala seliyithathile .*). Futhi wenza ukuhlehla futhi.

Kulokhu iqembu lokuqala .* kuthatha kuphela owokuqala x. Kodwa iqembu lesibili .* "ngokuhaha" uyathwebula =x. Usuvele uqagele ukuthi kuzokwenzekani? Injini izama ukufanisa okwangempela =, yehluleka futhi yenza okunye ukuhlehla.

Iqembu lokuqala .* isafana neyokuqala x. Okwesibili .* kuthatha kuphela =. Yiqiniso, injini ayikwazi ukufana nengokoqobo =, ngoba iqembu lesibili selikwenzile lokhu .*. Futhi futhi ukuhlehla. Futhi sizama ukufanisa uchungechunge lwezinhlamvu ezintathu!

Ngenxa yalokho, iqembu lokuqala .* ifana neyokuqala kuphela x, okwesibili .* - enezinhlamvu ezinguziro, futhi injini ekugcineni ifana neyangempela = ekuvezeni с = emugqeni. Okulandelayo yiqembu lokugcina .* iqhathaniswa neyokugcina x.

23 izinyathelo kuphela x=x. Buka ividiyo emfushane mayelana nokusebenzisa i-Perl Regexp::Debugger, okubonisa ukuthi izinyathelo nokuhlehla kwenzeka kanjani.

Lona kakade umsebenzi omningi, kodwa kuthiwani uma esikhundleni salokho x=x sizoba nayo x=xx? Lokho yizinyathelo ezingama-33. Futhi uma x=xxx? 45. Ubudlelwano abunamugqa. Igrafu ikhombisa ukuqhathanisa kusuka x=x ukuze x=xxxxxxxxxxxxxxxxxxxx (20 x после =). Uma sino-20 x ngemuva =, injini iqeda ukufanisa ngezinyathelo ezingu-555! (Ngaphezu kwalokho, uma silahlekelwe x= futhi intambo imane iqukethe ama-20 x, injini izothatha izinyathelo ezingu-4067 ukuqonda ukuthi akukho okufanayo).

Le vidiyo ikhombisa konke ukuhlehla ukuze kuqhathaniswe x=xxxxxxxxxxxxxxxxxxxx:

Inkinga yukuthi njengoba usayizi wezintambo ukhula, isikhathi sokufanisa sikhula kakhulu. Kodwa izinto zingaba zimbi nakakhulu uma isisho esivamile sishintshwa kancane. Ake sithi besinakho .*.*=.*; (okungukuthi, bekunesemikholoni engokoqobo ekugcineni kwephethini). Isibonelo, ukufanisa isisho esifana ne foo=bar;.

Futhi lapha ukuhlehla kungaba inhlekelele yangempela. Ukuze siqhathanise x=x izothatha izinyathelo ezingu-90, hhayi ezingu-23. Futhi lelo nani likhula ngokushesha. Ukuqhathanisa x= ne-20 x, 5353 izinyathelo ezidingekayo. Nali ishadi. Bheka amanani e-eksisi Y uma kuqhathaniswa neshadi langaphambilini.

Uma uthanda, hlola zonke izinyathelo ezifanayo ezingu-5353 ezihlulekile x=xxxxxxxxxxxxxxxxxxxx и .*.*=.*;

Ngokusebenzisa ukuvilapha esikhundleni sokuhaha, izinga lokuhlehla lingalawuleka. Uma sishintsha isisho sokuqala sibe .*?.*?=.*?, ukuze siqhathanise x=x izothatha izinyathelo eziyi-11 (hhayi 23). Ngokwe x=xxxxxxxxxxxxxxxxxxxx. Konke ngoba ? после .* itshela injini ukuthi ifanise nenani elincane lezinhlamvu ngaphambi kokuthi iqhubeke.

Kodwa amamephu avilaphayo ayixazululi ngokuphelele inkinga yokuhlehla. Uma sithatha indawo yesibonelo esiyinhlekelele .*.*=.*; on .*?.*?=.*?;, isikhathi sokubulawa siyohlala sinjalo. x=x kusadingeka izinyathelo ezingama-555, futhi x= ne-20 x - 5353.

Okuwukuphela kwento engenziwa (ngaphandle kokubhala kabusha ngokuphelele iphethini ukuze uthole imininingwane ethe xaxa) ukushiya injini yenkulumo evamile ngendlela yayo yokuhlehlisa. Yilokhu esizobe sikwenza emasontweni ambalwa ezayo.

Isixazululo sale nkinga saziwa kusukela ngo-1968, lapho u-Kent Thompson ebhala isihloko Amasu Okuhlela: I-algorithm yokusesha yesisho esivamile (“Izindlela Zokuhlela: I-Algorithm Yosesho Olujwayelekile Lokubonakaliswa”). I-athikili ichaza indlela ekuvumela ukuthi uguqule isisho esivamile sibe yimishini yesimo esinqunyelwe enganqunyelwe, futhi ngemva koshintsho lwesimo emishinini yesimo esilinganiselwe esinganqunyelwe, sebenzisa i-algorithm isikhathi sayo sokwenza esincike ngokomugqa kuyunithi yezinhlamvu efanisiwe.

Izindlela Zokuhlela
I-Algorithm Yokusesha Okujwayelekile
UKen Thompson
Bell Telephone Laboratories, Inc., Murray Hill, New Jersey

Ichaza indlela yokusesha uchungechunge oluthile lwezinhlamvu embhalweni futhi idingida ukusetshenziswa kwale ndlela kufomu lomdidiyeli. Umhlanganisi uthatha isisho esivamile njengekhodi yomthombo futhi akhiqize uhlelo lwe-IBM 7094 njengekhodi yento. Uhlelo lwento luthatha okokufaka ngendlela yombhalo wosesho futhi lukhipha isignali isikhathi ngasinye lapho uchungechunge lombhalo lufaniswa nenkulumo evamile enikeziwe. Isihloko sinikeza izibonelo, izinkinga nezisombululo.

I-Algorithm
Ama-algorithm okusesha adlule aholele ekuhlehleni uma ukusesha okuphumelele kancane kuhlulekile ukukhiqiza umphumela.

Kumodi yokuhlanganiswa, i-algorithm ayisebenzi ngezimpawu. Idlulisela iziqondiso kukhodi ehlanganisiwe. Ukwenza kuyashesha kakhulu - ngemva kokudlulisa idatha phezulu ohlwini lwamanje, kusesha ngokuzenzakalelayo zonke izinhlamvu ezilandelanayo ezingaba khona enkulumweni evamile.
I-algorithm yokuhlanganisa nokusesha ifakiwe kumhleli wombhalo wokwabelana ngesikhathi njengosesho lwesimo. Yiqiniso, lokhu kude nokuphela kwesicelo senqubo yokusesha enjalo. Isibonelo, okuhlukile kwale algorithm kusetshenziswa njengosesho lophawu kuthebula ku-assembler.
Kucatshangwa ukuthi umfundi ujwayelene nezinkulumo ezivamile kanye nolimi lohlelo lwekhompyutha lwe-IBM 7094.

Umhlanganisi
Umhlanganisi uqukethe izigaba ezintathu ezisebenza ngokufana. Isigaba sokuqala siwukuhlunga kwe-syntax, okuvumela kuphela izisho ezivamile ezilungile ukuthi zidlule. Lesi sinyathelo siphinde sifake i-opharetha ethi "·" ukuze ihambisane nezinkulumo ezivamile. Esinyathelweni sesibili, isisho esivamile siguqulelwa kufomu le-postfix. Esigabeni sesithathu, kwakhiwa ikhodi yento. Izigaba ezi-2 zokuqala zisobala, futhi ngeke sigxile kuzo.

I-athikili kaThompson ayikhulumi ngemishini yesimo esinqunyelwe enganqunyelwe, kodwa ichaza i-algorithm yesikhathi somugqa kahle futhi iveza uhlelo lwe-ALGOL-60 olukhiqiza ikhodi yolimi yomhlangano ye-IBM 7094. Ukuqaliswa kuyinkimbinkimbi, kodwa umbono ulula kakhulu.

indlela yokusesha yamanje. Imelwe isithonjana esingu-⊕ esinokufaka okukodwa nokubili okuphumayo.
Umfanekiso 1 ubonisa imisebenzi yesinyathelo sesithathu sokuhlanganiswa lapho uguqula isibonelo esivamile sokukhuluma. Izinhlamvu ezintathu zokuqala kusibonelo ngu-a, b, c, futhi ngayinye idala ukufakwa kwesitaki S[i] kanye nenkambu ye-NNODE.

I-NNODE kukhodi ekhona ukuze ukhiqize isisho esivamile esiphumela ekufakweni kwesitaki esisodwa (bona Umfanekiso 5)

Yile ndlela ukusho okuvamile okungabukeka ngayo .*.*=.*, uma ucabanga njengasezithombeni ezivela esihlokweni sikaThompson.

Emfanekisweni. 0 kunezifunda ezinhlanu eziqala ku-0, kanye nemijikelezo emi-3 eqala kuzifunda 1, 2 kanye no-3. Le mijikelezo emithathu ihambisana nemithathu. .* ngenkulumo evamile. Ama-oval angu-3 anamachashazi ahambisana nophawu olulodwa. I-oval enophawu = ihambisana nohlamvu lwangempela =. State 4 is final. Uma sifinyelela kuyo, khona-ke inkulumo evamile ifaniswe.

Ukubona ukuthi umdwebo wesimo onjalo ungasetshenziswa kanjani ekufaniseni isisho esivamile .*.*=.*, sizobheka ukufanisa izintambo x=x. Uhlelo luqala ku-state 0, njengoba kuboniswe ku-Fig. 1.

Ukuze le-algorithm isebenze, umshini wombuso kufanele ube sezifundazweni eziningana ngesikhathi esisodwa. Umshini onqunyelwe onganqunyelwe uzokwenza zonke izinguquko ezingenzeka ngesikhathi esisodwa.

Ngaphambi kokuba ibe nesikhathi sokufunda idatha yokufaka, ingena kuzo zombili izifunda zokuqala (1 no-2), njengoba kuboniswe ku-Fig. 2.

Emfanekisweni. 2 ukhombisa ukuthi kwenzekani uma ebuka eyokuqala x в x=x. x ingakwazi ukubeka imephu endaweni ephezulu, ukusuka kusifunda 1 futhi ibuyele esimweni 1. Noma x angakwazi ukubeka imephu ephuzwini elingezansi, esuka kusifunda 2 abuyele esimweni sesi-2.

Ngemva kokufanisa eyokuqala x в x=x sisesesifundeni 1 no-2. Asikwazi ukufinyelela isimo 3 noma 4 ngoba sidinga umlingiswa ongokoqobo =.

I-algorithm ibe isicubungula = в x=x. Njengo-x ngaphambi kwayo, ingafaniswa nanoma yimaphi amalophu amabili aphezulu ukusuka kusifunda 1 kuya kusifunda esingu-1 noma ukusuka kusifunda 2 kuya kusifunda 2, kodwa i-algorithm ingafaniswa nengokoqobo. = futhi usuke esimweni sesi-2 uye kusifunda sesi-3 (futhi ngokushesha u-4). Lokhu kuboniswa kuFig. 3.

I-algorithm ibe isidlulela kweyokugcina x в x=x. Kusukela kuzifundazwe 1 no-2 izinguquko ezifanayo zingenzeka emuva kusifunda 1 no-2. Kusukela kusifunda sesi-3 x ingafanisa iphuzu kwesokudla bese ibuyela esimweni sesi-3.

Kulesi sigaba, umlingisi ngamunye x=x kucatshangelwe, futhi njengoba sesifinyelele isimo sesi-4, isisho esivamile sifana nalolo chungechunge. Uhlamvu ngalunye lucutshungulwa kanye, ngakho le-algorithm iwumugqa ngobude beyunithi yezinhlamvu yokufaka. Futhi akukho ukuhlehla.

Ngokusobala, ngemuva kokufinyelela isimo sesi-4 (lapho i-algorithm ifanisiwe x=) sonke isisho esivamile siyafaniswa, futhi i-algorithm ingase inqamule ngaphandle kokuyicabangela nhlobo x.

Le algorithm incike ngokomugqa kusayizi weyunithi yezinhlamvu yokufaka.

Source: www.habr.com