I-ProHoster > Блог > Ukuphatha > Sidabule kanjani i-Great Firewall yaseChina (Ingxenye 2)

Sidabule kanjani i-Great Firewall yaseChina (Ingxenye 2)

Sawubona!

U-Nikita unawe futhi, unjiniyela wesistimu ovela enkampanini I-SEMrush. Futhi ngalesi sihloko ngiqhubeka nendaba yokuthi siqhamuke kanjani nesixazululo sokusebenza I-Firewall yaseShayina ngenkonzo yethu semrush.com.

В ingxenye edlule Ngithe:

  • yiziphi izinkinga eziphakamayo ngemva kokwenziwa kwesinqumo “Sidinga ukwenza umsebenzi wethu usebenze eChina”
  • Yiziphi izinkinga i-inthanethi yamaShayina enazo?
  • kungani udinga ilayisense ye-ICP?
  • kanjani futhi kungani sinqume ukuhlola imibhede yethu nge-Catchpoint
  • waba yini umphumela wesixazululo sethu sokuqala esisekelwe ku-Cloudflare China Network
  • Sithole kanjani iphutha ku-Cloudflare DNS

Le ngxenye ithakazelisa kakhulu, ngokubona kwami, ngoba igxile ekusetshenzisweni okukhethekile kwesiteji. Futhi sizoqala, noma kunalokho siqhubeke, nge Alibaba Cloud.

Alibaba Cloud

Alibaba Cloud ingumhlinzeki wamafu omkhulu, onazo zonke izinsizakalo ezivumela ukuthi izibize ngokwethembeka umhlinzeki wamafu. Kuhle ukuthi banethuba lokubhalisa kubasebenzisi bangaphandle, nokuthi iningi lesayithi lihunyushwa ngesiNgisi (e-China lokhu kuwukunethezeka). Kuleli fu, ungasebenza nezifunda eziningi zomhlaba, izwe laseChina, kanye ne-Oceanic Asia (Hong Kong, Taiwan, njll.).

IPSEC

Saqala nge geography. Njengoba isayithi lethu lokuhlola laliku-Google Cloud, kwakudingeka "sixhumanise" i-Alibaba Cloud ne-GCP, ngakho-ke sivule uhlu lwezindawo i-Google ekhona. Ngaleso sikhathi babengakabi nesikhungo sabo sedatha e-Hong Kong.
Isifunda esiseduze saba Asia-mpumalanga1 (Taiwan). I-Ali yaba isifunda esiseduzane kakhulu nezwe laseChina eTaiwan cn-shenzhen (Shenzhen).

Ngosizo luka terraform ichaze futhi yaphakamisa yonke ingqalasizinda ku-GCP nase-Ali. Umhubhe ongu-100 Mbit/s phakathi kwamafu wenyuka cishe ngokushesha. Ngasohlangothini lwe-Shenzhen ne-Taiwan, imishini ye-proxying virtual yaphakanyiswa. E-Shenzhen, ithrafikhi yabasebenzisi iyanqanyulwa, ifakwe emhubheni oya e-Taiwan, futhi ukusuka lapho iya ngqo ku-IP yangaphandle yesevisi yethu us-empumalanga (USA East Coast). I-ping phakathi kwemishini ebonakalayo ngomhubhe Ama-24ms, okungekubi kangako.

Ngesikhathi esifanayo, sabeka indawo yokuhlola kuyo I-Alibaba Cloud DNS. Ngemva kokudlulisela indawo ku-NS Ali, isikhathi sokuxazulula sehlile sisuka ku-470 ms kuya I-50 ms. Ngaphambi kwalokhu, indawo yayiku-Cloudlfare.

Ngokuhambisana nomhubhe kuya Asia-mpumalanga1 waphakamisa omunye umhubhe kusukela Shenzhen ngqo us-empumalanga4. Lapho, bakha imishini ebonakalayo ye-proxy futhi baqala ukuhlola zombili izixazululo, behambisa ithrafikhi yokuhlola besebenzisa Amakhukhi noma i-DNS. Ibhentshi lokuhlola lichazwe ngokohlelo emfanekisweni olandelayo:

Ukubambezeleka kwemigudu kuvele kanje:
Ali cn-shenzhen <—> GCP asia-east1 — 24ms
Ali cn-shenzhen <—> GCP us-east4 — 200ms

Ukuhlolwa kwesiphequluli se-Catchpoint kubike ukuthuthuka okuhle kakhulu.

Qhathanisa imiphumela yokuhlolwa yezixazululo ezimbili:

Isixazululo
Isikhathi sokuphumula
Median
Amaphesenti angama-75
Amaphesenti angama-95

I-Cloudflare
86.6
18s
30s
60s

I-IPsec
99.79
18s
21s
30s

Lena idatha evela kusixazululo esisebenzisa umhubhe we-IPSEC nge Asia-mpumalanga1. Ngokusebenzisa us-east4 imiphumela yaba mibi kakhulu, futhi bekunamaphutha amaningi, ngakho-ke ngeke nginikeze imiphumela.

Ngokusekelwe emiphumeleni yalokhu kuhlolwa kwemihubhe emibili, eyodwa enqanyuliwe endaweni eseduze neChina, kanti enye endaweni yokugcina, kwacaca ukuthi kubalulekile “ukuphuma” ngaphansi kwe-firewall yaseShayina ngokushesha ngangokunokwenzeka. kungenzeka, bese usebenzisa amanethiwekhi asheshayo (abahlinzeki be-CDN , abahlinzeki bamafu, njll.). Asikho isidingo sokuzama ukungena ku-firewall futhi ufike lapho uya khona ngokuphazima kweso. Lena akuyona indlela eshesha kakhulu.

Ngokuvamile, imiphumela ayimibi, nokho, i-semrush.com ine-median engu-8.8s, kanye ne-75 Percentile 9.4s (esivivinyweni esifanayo).
Futhi ngaphambi kokuba ngiqhubekele phambili, ngingathanda ukwenza ukuhlehla okufushane kwengoma.

Ukudonsa phansi kweLyrical

Ngemuva kokuthi umsebenzisi engena kusayithi www.semrushchina.cn, exazulula ngamaseva e-DNS “esheshayo” e-Chinese, isicelo se-HTTP sidlula kusixazululo sethu esisheshayo. Impendulo ibuyiselwa ngendlela efanayo, kodwa isizinda sicaciswe kuzo zonke izikripthi ze-JS, amakhasi e-HTML nezinye izici zekhasi lewebhu. semrush.com ngezinsiza ezengeziwe okufanele zilayishwe lapho ikhasi linikezwa. Okusho ukuthi, iklayenti lixazulula "irekhodi" eliyinhloko www.semrushchina.cn bese ingena emhubheni osheshayo, ngokushesha ithola impendulo - ikhasi le-HTML elithi:

  • landa okuthi nalokhu ku-sso.semrush.com,
  • Thola amafayela e-CSS ku-cdn.semrush.com,
  • futhi uthathe izithombe ezithile ku-dab.semrush.com
  • nokunye.

Isiphequluli siqala ukuya ku-inthanethi "yangaphandle" yalezi zinsiza, isikhathi ngasinye sidlula ku-firewall edla isikhathi sokuphendula.

Kodwa ukuhlolwa kwangaphambilini kubonisa imiphumela uma zingekho izinsiza ekhasini semrush.comkuphela semrushchina.cn, futhi *.semrushchina.cn ixazulula ekhelini lomshini obonakalayo e-Shenzhen ukuze bese ungena emhubheni.

Kungale ndlela kuphela, ngokucindezela yonke i-traffic engenzeka ibe phezulu ngesixazululo sakho sokudlula ngokushesha i-firewall yaseShayina, ungathola isivinini esamukelekayo nezinkomba zokutholakala kwewebhusayithi, kanye nemiphumela ethembekile yokuhlolwa kwesixazululo.
Senze lokhu ngaphandle kokuhlela okukodwa kwekhodi ngasohlangothini lomkhiqizo weqembu.

Isihlungi esingaphansi

Isixazululo sazalwa cishe ngokushesha ngemva kokuvela kwale nkinga. Besikudinga I-PoC (Ubufakazi Bengqondo) bokuthi izixazululo zethu zokungena ngohlelo lokuvikela zisebenza kahle ngempela. Ukuze wenze lokhu, udinga ukugoqa yonke ithrafikhi yesayithi kulesi sixazululo ngangokunokwenzeka. Futhi safaka isicelo isihlungi esingaphansi kwe nginx.

Isihlungi esingaphansi iyimojula elula ku-nginx ekuvumela ukuthi uguqule umugqa owodwa emzimbeni wokuphendula uye komunye umugqa. Ngakho sashintsha zonke izehlakalo semrush.com on semrushchina.cn kuzo zonke izimpendulo.

Futhi... akusebenzanga ngoba sithole okuqukethwe okucindezelwe okuvela kuma-backend, ngakho-ke isihlungi esingaphansi asiwutholanga umugqa odingekayo. Kwadingeka ngengeze enye iseva yendawo ku-nginx, eyanciphisa impendulo futhi yadlulisela kuseva yendawo elandelayo, eyayivele imatasa ishintsha intambo, iyicindezela, futhi iyithumela kuseva elibamba elilandelayo kuketango.

Ngenxa yalokho, iklayenti lizothola kuphi .semrush.com, wamukela .semrushchina.cn futhi ngokulalela wahamba esinqumweni sethu.

Kodwa-ke, akwanele ukumane uguqule isizinda ngendlela eyodwa, ngoba abangemuva basalindele i-semrush.com ezicelweni ezilandelayo ezivela kuklayenti. Ngakho-ke, kuseva efanayo lapho ukushintshwa kwendlela eyodwa kwenziwa, kusetshenziswa isisho esivamile esivamile sithola isizinda esingaphansi kwesicelo, bese sikwenza. i-proxy_pass ngokuguquguquka $umbungazi, kukhonjiswe ku $subdomain.semrush.com. Kungase kubonakale kudida, kodwa kuyasebenza. Futhi isebenza kahle. Ezizindeni ezingazodwana ezidinga ukuqonda okuhlukile, mane udale amabhlogo eseva yakho bese wenza ukucushwa okuhlukile. Ngezansi kufinyeziwe izilungiselelo ze-nginx ukuze kucace futhi kuboniswe lolu hlelo.

I-config elandelayo icubungula zonke izicelo ezivela e-China kuye .semrushchina.cn: 

    listen 80;

    server_name ~^(?<subdomain>[w-]+).semrushchina.cn$;

    sub_filter '.semrush.com' '.semrushchina.cn';
    sub_filter_last_modified on;
    sub_filter_once off;
    sub_filter_types *;

    gzip on;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;

    location / {
        proxy_pass http://127.0.0.1:8083;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $subdomain.semrush.com;
        proxy_set_header X-Accept-Encoding $http_accept_encoding;
    }
}

Lokhu kulungiselela ama-proxies okuthi localhost ukuya ku-port 83, futhi ukulungiselelwa okulandelayo kulindile lapho:

    listen 127.0.0.1:8083;

    server_name *.semrush.com;

    location / {
        resolver 8.8.8.8 ipv6=off;
        gunzip on;
        proxy_pass https://$host;
        proxy_set_header Accept-Encoding gzip;
    }
}

Ngiyaphinda, lawa ama-configs asikiwe.

Kanjalo. Kungase kubonakale kuyinkimbinkimbi, kodwa ngamazwi. Eqinisweni, yonke into ilula kunamathenisi ashubile :)

Ukuphela kokuhlehla

Isikhathi esithile sasijabule ngoba inganekwane mayelana nokuwa kwemihubhe ye-IPSEC ayizange iqinisekiswe. Kodwa-ke imigudu yaqala ukuwa. Izikhathi eziningana ngosuku imizuzu embalwa. Kancane, kodwa lokho akuzange kusifanele. Njengoba womabili amathaneli anqanyuliwe ohlangothini lwe-Ali kumzila ofanayo, sinqume ukuthi mhlawumbe lena inkinga yesifunda futhi sidinga ukukhulisa isifunda sokulondoloza.

Bayicoshe. Amahubhe aqale ukwehluleka ngezikhathi ezihlukene, kodwa i-faillover isisebenzele kahle ezingeni eliphezulu lomfula ku-nginx. Kodwa-ke imigudu yaqala ukuwa cishe ngesikhathi esifanayo 🙂 Kwaqala futhi u-502 no-504. Isikhathi saqala ukuwohloka, ngakho-ke saqala ukusebenza kunketho nge. Alibaba CEN (I-Cloud Enterprise Network).

Centres

Centres - lokhu ukuxhumana kwama-VPC amabili avela ezifundeni ezahlukahlukene ngaphakathi kwe-Alibaba Cloud, okungukuthi, ungaxhuma amanethiwekhi ayimfihlo anoma yiziphi izifunda ngaphakathi kwefu nomunye. Futhi okubaluleke kakhulu: lesi siteshi sinomthetho oqinile I-SLA. Izinzile kakhulu ngesivinini kanye nesikhathi. Kodwa akulula kangako:

  • KUNZIMA kakhulu ukukuthola uma ungesona izakhamizi zaseShayina noma inhlangano esemthethweni,
  • Udinga ukukhokhela i-megabit ngayinye yomkhawulokudonsa wesiteshi.

Ukuba nethuba lokuxhuma I-Mainland China и Overseas, sidale i-CEN phakathi kwezifunda ezimbili ze-Ali: cn-shenzhen и us-empumalanga-1 (indawo eseduze nathi-empumalanga4). Ku-Ali us-empumalanga-1 iphakamise omunye umshini we-virtual ukuze kube khona omunye futhi hop.

Kwavela kanje:

Imiphumela yokuhlolwa kwesiphequluli ingezansi:

Isixazululo
Isikhathi sokuphumula
Median
Amaphesenti angama-75
Amaphesenti angama-95

I-Cloudflare
86.6
18s
30s
60s

I-IPsec
99.79
18s
21s
30s

Centres
99.75
16s
21s
27s

Ukusebenza kungcono kancane kune-IPSEC. Kodwa nge-IPSEC ungakwazi ukulanda ngesivinini esingu-100 Mbit/s, futhi nge-CEN kuphela ngesivinini esingu-5 Mbit/s nangaphezulu.

Kuzwakala njengehybrid, akunjalo? Hlanganisa isivinini se-IPSEC nokuzinza kwe-CEN.

Yilokhu esikwenzile, sivumela ithrafikhi nge-IPSEC kanye ne-CEN uma kwenzeka ukwehluleka komhubhe we-IPSEC. I-Uptime isiphezulu kakhulu, kepha isivinini sokulayisha isayithi sisashiya okuningi okufanele sikufune. Ngabe sengidweba wonke amasekethe ebesivele siwasebenzisile futhi sawahlola, ngase nginquma ukuzama ukwengeza i-GCP eyengeziwe kulesi sifunda, okungukuthi. I-GLB.

I-GLB

I-GLB Ingabe I-Global Load Balancer (noma i-Google Cloud Load Balancer). Inenzuzo ebalulekile kithi: kumongo we-CDN enayo anycast IP, okukuvumela ukuthi uhambise ithrafikhi esikhungweni sedatha esiseduze neklayenti, ukuze ithrafikhi isheshe ingene kunethiwekhi esheshayo ye-Google futhi kancane idlule ku-inthanethi "evamile".

Ngaphandle kokucabanga kabili, saphakamisa I-HTTP/HTTPS LB Sifake imishini yethu ebonakalayo ngesihlungi esingaphansi ku-GCP nanjenge-backend.

Kwakukhona izikimu eziningana:

  • Sebenzisa Cloudflare China Network, kodwa kulokhu i-Origin kufanele icacise umhlaba wonke IP GLB.
  • Qeda amaklayenti ngo cn-shenzhen, futhi ukusuka lapho ummeleli wethrafikhi uqonde ngqo I-GLB.
  • Hamba ngqo usuka eChina uye I-GLB.
  • Qeda amaklayenti ngo cn-shenzhen, kusuka lapho ummeleli kuya Asia-mpumalanga1 nge-IPSEC (in us-empumalanga4 nge-CEN), ukusuka lapho uye ku-GLB (ngokuzola, kuzoba nesithombe nencazelo ngezansi)

Sihlole zonke lezi zinketho nezinye ezimbalwa ezihlanganisiwe:

  • Cloudflare + GLB

Lolu hlelo aluzange lusifanele ngenxa yamaphutha wesikhathi esibekiwe kanye namaphutha e-DNS. Kodwa ukuhlolwa kwenziwa ngaphambi kokuthi iphutha lilungiswe ohlangothini lwe-CF, mhlawumbe kungcono manje (noma kunjalo, lokhu akubandakanyi ukuphela kwesikhathi kwe-HTTP).

  • U-Ali + GLB

Lolu hlelo aluzange luhambisane nathi ngokwesikhathi sokuphumula, ngoba i-GLB yayivame ukuwela phezulu ngenxa yokungakwazi ukuxhuma ngesikhathi noma isikhathi esamukelekayo, ngoba kuseva engaphakathi kweChina, ikheli le-GLB lihlala ngaphandle, ngakho-ke ngemuva I-firewall yaseShayina. Umlingo akwenzekanga.

  • I-GLB kuphela

Inketho efana neyangaphambili, kuphela ayizange isebenzise amaseva e-China ngokwayo: ithrafikhi yaya ngqo ku-GLB (amarekhodi e-DNS ashintshiwe). Ngakho-ke, imiphumela ayizange igculise, njengoba amaklayenti ajwayelekile aseShayina asebenzisa izinsizakalo zabahlinzeki be-inthanethi abajwayelekile anesimo esibi kakhulu ngokudlula i-firewall kune-Ali Cloud.

  • I-Shenzhen -> (CEN/IPSEC) -> Ummeleli -> GLB

Lapha sinqume ukusebenzisa izisombululo ezinhle kunazo zonke:

  • ukuzinza kanye ne-SLA eqinisekisiwe evela ku-CEN
  • isivinini esikhulu esivela ku-IPSEC
  • Inethiwekhi "esheshayo" ye-Google kanye nanoma yikuphi ukusakaza kwayo.

Uhlelo lubukeka kanje: ithrafikhi yomsebenzisi inqanyuliwe emshinini obonakalayo ch-shenzhen. Ama-Nginx akhuphukayo alungiswa lapho, amanye akhomba kumaseva e-IP ayimfihlo atholakala ngakolunye uhlangothi lomhubhe we-IPSEC, kanti amanye akhuphukayo akhomba amakheli ayimfihlo amaseva ngakolunye uhlangothi lwe-CEN. I-IPSEC ilungiselelwe isifunda Asia-mpumalanga1 ku-GCP (kwakuyisifunda esiseduze kakhulu ne-China ngesikhathi kwakhiwa isisombululo. I-GCP manje isikhona e-Hong Kong). CEN - ukuya esifundeni us-empumalanga1 ku-Ali Cloud.

Kwabe sekuqondiswa ithrafikhi ephuma kuzo zombili iziphetho anycast IP GLB, okungukuthi, endaweni eseduze yokuba khona kwe-Google, futhi yadlula kumanethiwekhi ayo eya esifundeni us-empumalanga4 ku-GCP, lapho bekunemishini ebonakalayo eshintshayo (ene-subfilter ku-nginx).

Lesi sixazululo esiyingxubevange, njengoba besilindele, sasebenzisa inzuzo yobuchwepheshe obunye. Ngokuvamile, ithrafikhi ihamba nge-IPSEC esheshayo, kodwa uma izinkinga ziqala, ngokushesha nangemizuzu embalwa sikhahlela lawa maseva ngaphandle komfula futhi sithumele ithrafikhi kuphela nge-CEN kuze kube yilapho umhubhe uzinza.

Ngokusebenzisa isisombululo sesi-4 ohlwini olungenhla, sizuze ebesikufuna kanye nalokho ibhizinisi elikudinga kithi ngaleso sikhathi.

Imiphumela yokuhlolwa kwesiphequluli yesixazululo esisha uma iqhathaniswa neyangaphambilini:

Isixazululo
Isikhathi sokuphumula
Median
Amaphesenti angama-75
Amaphesenti angama-95

I-Cloudflare
86.6
18s
30s
60s

I-IPsec
99.79
18s
21s
30s

Centres
99.75
16s
21s
27s

CEN/IPsec + GLB
99.79
13s
16s
25s

CDN

Konke kuhle esixazululweni esisisebenzisile, kodwa ayikho i-CDN engasheshisa ukuhamba kwezimoto ezingeni lesifunda ngisho nedolobha. Ngokombono, lokhu kufanele kusheshise isayithi kubasebenzisi bokugcina ngokusebenzisa iziteshi zokuxhumana ezisheshayo zomhlinzeki we-CDN. Futhi sasicabanga ngakho ngaso sonke isikhathi. Futhi manje, isikhathi sesifikile sokuphindwaphindwa okulandelayo kwephrojekthi: ukusesha nokuhlola abahlinzeki be-CDN e-China.

Futhi ngizokutshela ngalokhu engxenyeni elandelayo, yokugcina :)

Source: www.habr.com

Engeza amazwana