How we broke through the Great Firewall of China (Part 3)

Hello!
All good stories come to an end. And our story of how we came up with a solution for getting through the Chinese Firewall quickly is no exception. So I hasten to share the last, final part on this topic with you.

In the previous part we talked about the many test benches we came up with and the results they gave. And we settled on the idea that it would be nice to add a CDN! For viscosity in our scheme.

I will tell you how we tested Alibaba Cloud CDN, Tencent Cloud CDN and Akamai, and what we ended up with. And, of course, we will sum up.

Alibaba Cloud CDN

We are hosted on Alibaba Cloud and use their IPSEC and CEN. It would be logical to try their solutions first.

Alibaba Cloud has two kinds of product that could suit us: CDN and DCDN. The first option is a classic CDN for a specific domain (subdomain). The second option stands for Dynamic Route for CDN (I call it Dynamic CDN). It can be enabled in Full-site mode (for wildcard domains), and it caches static content and also accelerates dynamic content by itself, that is, the dynamic parts of a page are also loaded through the provider's fast networks. This is important for us, because our site is basically dynamic, it uses many subdomains, and it is much more convenient to set up the CDN once for the "star" - *.semrushchina.cn.

We had already seen this product at the earlier stages of our Chinese project, but back then it was not working yet, and the developers promised that the product would soon be available to all customers. And it did become available.

In DCDN you can:

  • configure SSL termination with your own certificate,
  • enable acceleration of dynamic content,
  • flexibly configure caching of static files,
  • purge the cache,
  • forward web sockets,
  • enable compression and even HTML Beautifier.

In general, everything is the same as with the grown-up, big CDN providers.

After the Origin (the place the CDN edge servers will go to) is specified, all that remains is to create a CNAME for the star pointing to all.semrushchina.cn.w.kunluncan.com (this CNAME is obtained in the Alibaba Cloud console), and the CDN will work.

According to the test results, this CDN helped us a lot. The statistics are shown below.

| Solution | Uptime | Median | 75th percentile | 95th percentile |
|---|---|---|---|---|
| Cloudflare | 86.6 | 18s | 30s | 60s |
| IPsec | 99.79 | 18s | 21s | 30s |
| CEN | 99.75 | 16s | 21s | 27s |
| CEN/IPsec + GLB | 99.79 | 13s | 16s | 25s |
| Ali CDN + CEN/IPsec + GLB | 99.75 | 10s | 12.8s | 17.3s |

These are very good results, especially compared with the numbers we had at the start. But we knew that the browser test of the American version of our site, www.semrush.com, runs from the USA in 8.3s on average (a very approximate value). There is room for improvement. Besides, there were also CDN providers that were interesting to test.

So we smoothly move on to another giant of the Chinese market - Tencent.

Tencent Cloud

Tencent has only recently started developing its cloud - this can be seen from the small number of products. While using it, we wanted to test not only their CDN but also their network infrastructure as a whole:

  • do they have something similar to CEN?
  • how does IPSEC work for them? Is it fast, and what is the uptime?
  • do they have Anycast?

Let's look at these questions separately.

CEN analogue

Tencent has the product Cloud Connect Network (CCN), which lets you connect VPCs from different regions, including regions inside and outside China. The product is currently in internal beta, and you need to create a ticket asking to be connected to it. We learned from support that global accounts (we are not talking about Chinese citizens or legal entities) cannot take part in the beta testing program and, in general, cannot connect a region inside China with a region outside it. 1-0 in favour of Ali Cloud.

IPSEC

Tencent's southernmost region is Guangzhou. We set up a tunnel and connected it to the Hong Kong region in GCP (by then this region had already become available). A second tunnel, in Ali Cloud from Shenzhen to Hong Kong, was brought up at the same time. It turned out that over Tencent's network the latency to Hong Kong is generally better (10ms) than from Shenzhen to Hong Kong over Ali (120ms - what?). But this did not in any way speed up the site that was meant to work through Tencent and this tunnel, which in itself was a surprising fact and once again proved the following: latency is not the indicator you should really pay attention to in China when building a solution for getting through the Chinese firewall.

Anycast Internet Acceleration

Another product, AIA, lets you work through an anycast IP. But it is also unavailable to global accounts, so I will not tell you about it, but knowing that such a product exists may be useful.

But the CDN test showed quite interesting results. Tencent's CDN cannot be enabled for a full site, only for specific domains. We created domains and sent traffic to them.

It turned out that this CDN has the following feature: Cross Border Traffic Optimization. This feature should reduce costs when traffic passes through the Chinese firewall. As the Origin, we specified the IP address of the Google GLB (GLB anycast). In this way we wanted to simplify the architecture of the project.

The results were very good - at the level of Ali Cloud CDN, and in places even better. This is surprising, because if the tests succeed, you can drop a significant part of the infrastructure: tunnels, CEN, virtual machines, etc.

We were not happy for long, because a problem surfaced: tests in Catchpoint failed for the China Mobile internet provider. From every location we got timeouts through Tencent's CDN. Correspondence with technical support led nowhere. We tried to solve this problem for about a day, but got nothing.

I was in China at that time, but I could not find a public Wi-Fi on this provider's network to confirm the problem in person. Apart from that, everything looked fast and good.
However, because China Mobile is one of the three major operators, we were forced to return the traffic to Ali CDN.
But overall, this was a fairly interesting solution that deserves longer testing and troubleshooting.

Akamai

The last CDN provider we tested was Akamai. This is a huge provider with its own network in China. Of course, we could not pass it by.

From the very beginning we agreed with Akamai on a trial period so that we could switch the domain and see how it would work on their network. I will describe the outcome of all the tests in the form "What I liked" and "What I didn't like", and I will also give the test results.

What I liked:

  • The guys from Akamai were very helpful with every question and accompanied us through all stages of testing. We were constantly trying to improve something on our side. They gave good technical advice.
  • Akamai is 10-15% slower than our solution with Ali Cloud CDN. What is impressive is that in the Origin for Akamai we specified the IP address of the GLB, which means the traffic did not go through our solution (potentially we could drop part of the infrastructure). But even so, the test results showed that this solution is worse than our current version (comparison results below).
  • We tested both the GLB as Origin and an Origin in China. Both options are about the same.
  • There is Sure Route (automatic route optimization). You can host a test object on the Origin, and the Akamai Edge servers will try to fetch it (an ordinary GET). Speed and other metrics are measured for these requests, and based on them the Akamai network optimizes routes so that traffic reaches our site faster. It was clear that enabling this feature really had a strong effect on site speed.
  • Versioning of the configuration in the web interface is good. You can compare versions and look at the diff. You can view previous versions.
  • You can roll out a new version first to the Akamai Staging network only - the same network as production, except that this way it does not affect real users. For this test you need to override the DNS records on your local machine.
  • Fast download speed through their network for large static files and, apparently, for any other files. A file from a "cold" cache is returned many times faster than the same file from a "cold" cache of Ali CDN. From a "hot" cache the speed is already the same, plus or minus.

Ali CDN test:

root@shenzhen1:~# curl -o /dev/null -w@curl_time https://en.semrushchina.cn/my_reports/build/scripts/simpleInit.js?v=1551879212
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5757k    0 5757k    0     0   513k      0 --:--:--  0:00:11 --:--:--  526k
time_namelookup:  0.004286
time_connect:  0.030107
time_appconnect:  0.117525
time_pretransfer:  0.117606
time_redirect:  0.000000
time_starttransfer:  0.840348
----------
time_total:  11.208119
----------
size_download:  5895467 Bytes
speed_download:  525999.000B/s

Akamai test:

root@shenzhen1:~# curl -o /dev/null -w@curl_time https://www.semrushchina.cn/my_reports/build/scripts/simpleInit.js?v=1551879212
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5757k    0 5757k    0     0  1824k      0 --:--:--  0:00:03 --:--:-- 1825k
time_namelookup:  0.509005
time_connect:  0.528261
time_appconnect:  0.577235
time_pretransfer:  0.577324
time_redirect:  0.000000
time_starttransfer:  1.327013
----------
time_total:  3.154850
----------
size_download:  5895467 Bytes
speed_download:  1868699.000B/s

We noticed that the situation in the example above depends on various factors. While writing this paragraph, I ran the test again. The results for both platforms were about the same. This tells us that the internet in China, even with large operators and cloud providers, behaves differently from time to time.

To the previous point I will add a big plus for Akamai: while Ali shows such flashes of high performance and of very low performance (this applies to Ali CDN, Ali CEN and Ali IPSEC), with Akamai, every time, no matter how I tested their network, everything works stably.
Akamai has a lot of coverage in China and works through many providers.
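
The two curl runs above, broken into phases, as an added example (not part of the original article): curl's write-out timers are cumulative, so subtracting neighbouring values shows where each run spent its time. The numbers are copied from the output above; the phase names are labels chosen for this example.

```python
import re

# Timings copied from the two curl runs shown above (seconds, bytes).
ALI_CDN = """
time_namelookup:  0.004286
time_connect:  0.030107
time_appconnect:  0.117525
time_pretransfer:  0.117606
time_starttransfer:  0.840348
time_total:  11.208119
size_download:  5895467 Bytes
"""
AKAMAI = """
time_namelookup:  0.509005
time_connect:  0.528261
time_appconnect:  0.577235
time_pretransfer:  0.577324
time_starttransfer:  1.327013
time_total:  3.154850
size_download:  5895467 Bytes
"""

FIELD = re.compile(r"^(\w+):\s+([0-9.]+)", re.MULTILINE)


def parse(report):
    """Map each 'name:  value' line to a float; other lines are skipped."""
    return {name: float(value) for name, value in FIELD.findall(report)}


def phases(report):
    """Turn curl's cumulative timestamps into per-phase durations."""
    t = parse(report)
    body = t["time_total"] - t["time_starttransfer"]
    return {
        "dns": t["time_namelookup"],
        "tcp": t["time_connect"] - t["time_namelookup"],
        "tls": t["time_appconnect"] - t["time_connect"],
        "wait": t["time_starttransfer"] - t["time_pretransfer"],
        "body": body,
        "body_mbit_s": t["size_download"] * 8 / body / 1e6,
    }


def slowest_phase(report):
    """Name of the phase that took the most wall-clock time."""
    p = phases(report)
    return max(("dns", "tcp", "tls", "wait", "body"), key=p.get)


if __name__ == "__main__":
    for label, report in (("Ali CDN", ALI_CDN), ("Akamai", AKAMAI)):
        p = phases(report)
        print(label, {k: round(v, 3) for k, v in p.items()}, slowest_phase(report))
```

For these two samples the server wait is almost the same on both CDNs (about 0.72 s and 0.75 s), Akamai spends half a second on the DNS lookup, and the difference in total time comes from the body transfer.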

What I didn't like:

  • I don't like the web interface and the way it works - it is very poor. But in principle you get used to it (probably).
  • The test results are worse than for our site.
  • There are more errors during the tests than for our site (lower uptime).
  • No own DNS servers in China. Hence there are many errors in the tests because of DNS resolve timeouts.
  • They do not provide their IP ranges -> there is no way to set the correct set_real_ip_from on our servers.
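
Why the missing IP ranges matter, as an added example (not from the original article): set_real_ip_from lists the proxies that nginx will believe when they report the visitor's address in a request header. The function below is a simplified Python model of that selection with real_ip_recursive on; all addresses are constructed values from documentation ranges.

```python
import ipaddress


def real_client_ip(peer, xff, trusted_cidrs):
    """Simplified model of nginx real_ip with X-Forwarded-For and
    real_ip_recursive on.

    peer          - address of the TCP connection
    xff           - X-Forwarded-For header value ("" if absent)
    trusted_cidrs - the ranges that would be listed in set_real_ip_from
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def trusted(addr):
        return any(addr in net for net in nets)

    addr = ipaddress.ip_address(peer)
    if not trusted(addr):
        return str(addr)  # peer is not a known proxy: header is ignored
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):  # the right-most entry was added last
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last valid address
        if not trusted(addr):
            break  # first address not vouched for by a trusted proxy
    return str(addr)


# Constructed sample values (RFC 5737 documentation ranges).
EDGE = "203.0.113.10"              # CDN edge server connecting to the origin
EDGE_RANGE = ["203.0.113.0/24"]    # what the provider would have to publish
VISITOR = "198.51.100.7"           # real visitor, appended by the edge
HEADER = "192.0.2.99, " + VISITOR  # first hop was supplied by the visitor

if __name__ == "__main__":
    # Ranges known: the client-supplied hop is skipped, the visitor is found.
    print(real_client_ip(EDGE, HEADER, EDGE_RANGE))
    # Ranges unknown, nothing trusted: every request looks like the edge.
    print(real_client_ip(EDGE, HEADER, []))
    # Ranges unknown, everything trusted: the client-supplied hop wins.
    print(real_client_ip(EDGE, HEADER, ["0.0.0.0/0"]))
```

Without the provider's ranges the origin is left with the last two outcomes: per-IP logs and rate limits either see only edge addresses or rely on a value the client controls.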

Metrics (~3626 runs; all metrics except Uptime are in ms; statistics for one and the same period of time):

| CDN provider | Median | 75% | 95% | Response | Webpage Response | Uptime | DNS | Connect | Wait | Load | SSL |
|---|---|---|---|---|---|---|---|---|---|---|---|
| AliCDN | 9195 | 10749 | 17489 | 1,715 | 10,745 | 99.531 | 57 | 17 | 927 | 479 | 200 |
| Akamai | 9783 | 11887 | 19888 | 2,352 | 11,550 | 98.980 | 424 | 91 | 1408 | 381 | 50 |

Distribution by percentile (in ms):

| Percentile | Akamai | AliCDN |
|---|---|---|
| 10 | 7,092 | 6,942 |
| 20 | 7,775 | 7,583 |
| 30 | 8,446 | 8,092 |
| 40 | 9,146 | 8,596 |
| 50 | 9,783 | 9,195 |
| 60 | 10,497 | 9,770 |
| 70 | 11,371 | 10,383 |
| 80 | 12,670 | 11,255 |
| 90 | 15,882 | 13,165 |
| 100 | 91,592 | 91,596 |

The conclusion is this: the Akamai option is workable, but it does not give the same stability and speed as our solution combined with Ali CDN.

Small notes

Some points did not make it into the story, but I would like to write about them too.

Beijing + Tokyo and Hong Kong

As I said above, we tested an IPSEC tunnel to Hong Kong (HK). But we also tested CEN to HK. It costs a little, and I wondered how it would work between cities ~100 km apart. Interestingly, it turned out that the latency between these cities is 100ms higher than in our original version (to Taiwan). Speed and stability were better to Taiwan. As a result, we left HK as a backup IPSEC region.

In addition, we tried deploying the following setup:

  • client termination in Beijing,
  • IPSEC and CEN to Tokyo,
  • in Ali CDN, a server in Beijing specified as the origin.

This scheme was not as stable, although in speed it was generally not inferior to our solution. As for the tunnel, I saw periodic drops even on CEN, which is supposed to be stable. So we returned to the old scheme and dismantled this staging.

Below are latency statistics between different regions over different channels. Perhaps someone will find them interesting.

IPsec
Ali cn-beijing <-> GCP asia-northeast1 - 193ms
Ali cn-shenzhen <-> GCP asia-east2 - 91ms
Ali cn-shenzhen <-> GCP us-east4 - 200ms

CEN
Ali cn-beijing <-> Ali ap-northeast-1 - 54ms (!)
Ali cn-shenzhen <-> Ali cn-hongkong - 6ms (!)
Ali cn-shenzhen <-> Ali us-east1 - 216ms

General facts about the internet in China

As an addition to the internet problems described at the beginning, in the first part of the article.

  • The internet in China is very fast internally.
    • This conclusion is based on testing public Wi-Fi networks in various places where these networks are used by a large number of people.
    • Download and upload speeds to servers inside China were about 20 Mbit/s and 5-10 Mbit/s, respectively.
    • The speed to servers outside China is miserable, less than 1 Mbit/s.
  • The internet in China is not very stable.
    • Sometimes sites open quickly, sometimes slowly (at the same time of day on different days), provided the configuration does not change. We observed this with semrushchina.cn as an example. This can be attributed to Ali CDN, which also works one way or another depending on the time of day, the position of the stars, etc.
  • Mobile internet is 4G or 4G+ almost everywhere. It works in the subway, in elevators - in short, everywhere.
  • It is a myth that Chinese users trust only domains in the .cn zone. We learned this directly from users.
    • You can see how http://baidu.cn redirects to www.baidu.com (in mainland China too).
  • Many resources really are blocked. The obvious ones: google.com, Facebook, Twitter. But many Google resources work (of course, not on every Wi-Fi, and no VPN is used (not on the router side either, that is for sure)).
  • Many "technical" domains of blocked companies also work. This means you should not always carelessly cut out all of Google and other seemingly blocked resources. You need to look for a specific list of blocked domains.
  • There are only three internet operators: China Unicom, China Telecom, China Mobile. There are smaller ones too, but their market share is insignificant.

Bonus: final diagram of the solution

Result

A year has passed since the start of this project. We started from the fact that our site generally refused to work normally from China, and a simple curl GET took 5.5 seconds.

Then, with these figures on the first solution (Cloudflare):

| Solution | Uptime | Median | 75th percentile | 95th percentile |
|---|---|---|---|---|
| Cloudflare | 86.6 | 18s | 30s | 60s |

In the end we reached the following results (statistics for the last month):

| Solution | Uptime | Median | 75th percentile | 95th percentile |
|---|---|---|---|---|
| Ali CDN + CEN/IPsec + GLB | 99.86 | 8.8s | 9.5s | 13.7s |

As you can see, we have not yet managed to achieve 100% uptime, but we will come up with something, and then we will tell you about the results in a new article :)

Respect to those who read all three parts to the end. I hope you found all of this as interesting as I did while doing it.

P.S. Previous parts

Part 1
Part 2

Source: www.habr.com
