Sawubona Habr, igama lami ngingu-Ilya, ngisebenza eqenjini lepulatifomu e-Exness. Sithuthukisa futhi sisebenzise izingxenye zengqalasizinda ezibalulekile ezisetshenziswa amaqembu ethu okuthuthukisa umkhiqizo.
Kulesi sihloko, ngithanda ukwabelana ngolwazi lwami lokuqalisa ubuchwepheshe obubethelwe be-SNI (ESNI) kungqalasizinda yamawebhusayithi omphakathi.
Ukusetshenziswa kwalobu buchwepheshe kuzokhuphula izinga lokuphepha lapho usebenza nesizindalwazi somphakathi futhi kuthobelane nezindinganiso zokuphepha zangaphakathi ezitholwe yiNkampani.
Okokuqala, ngithanda ukuveza ukuthi ubuchwepheshe abulingani futhi zisalungiswa, kodwa i-CloudFlare ne-Mozilla sebevele bayayisekela (in ). Lokhu kusishukumisele ekuhloleni okunjalo.
A little ofory
ESNI iyisandiso sephrothokholi ye-TLS 1.3 evumela ukubethela kwe-SNI kumlayezo wokuxhawula izandla we-TLS othi "Sawubona Iklayenti". Nakhu ukuthi i-Client Hello ibukeka kanjani ngokusekelwa kwe-ESNI (esikhundleni se-SNI evamile sibona i-ESNI):
Ukuze usebenzise i-ESNI, udinga izingxenye ezintathu:
- I-DNS;
- Ukwesekwa kwamaklayenti;
- Ukusekelwa kohlangothi lweseva.
DNS
Udinga ukwengeza amarekhodi amabili e-DNS - Afuthi I-TXT (Irekhodi le-TXT liqukethe ukhiye osesidlangalaleni iklayenti elingabhala ngawo i-SNI) - bona ngezansi. Ngaphezu kwalokho, kufanele kube nokusekela DoH (I-DNS nge-HTTPS) ngoba amaklayenti atholakalayo (bona ngezansi) awakuniki amandla usekelo lwe-ESNI ngaphandle kwe-DoH. Lokhu kunengqondo, njengoba i-ESNI isho ukubethelwa kwegama lensiza esiyitholayo, okungukuthi, akunangqondo ukufinyelela i-DNS nge-UDP. Ngaphezu kwalokho, ukusetshenziswa ikuvumela ukuthi uvikele ekuhlaselweni kwe-cache poisoning kulesi simo.
Okwamanje iyatholakala , phakathi kwazo:
I-CloudFlare (Hlola Isiphequluli Sami β I-SNI Ebethelwe β Funda Kabanzi) ukuthi amaseva abo asevele esekela i-ESNI, okungukuthi, kumaseva e-CloudFlare ku-DNS okungenani sinamarekhodi amabili - A kanye ne-TXT. Esibonelweni esingezansi sibuza i-Google DNS (ngaphezu kwe-HTTPS):
Π ukungena:
curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A'
-s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "www.cloudflare.com.",
"type": 1
}
],
"Answer": [
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.210.9"
},
{
"name": "www.cloudflare.com.",
"type": 1,
"TTL": 257,
"data": "104.17.209.9"
}
]
}
I-TXT irekhodi, isicelo senziwa ngokwethempulethi _esni.FQDN:
curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT'
-s -H 'accept: application/dns+json'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16
}
],
"Answer": [
{
"name": "_esni.www.cloudflare.com.",
"type": 16,
"TTL": 1799,
"data": ""/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=""
}
],
"Comment": "Response from 2400:cb00:2049:1::a29f:209."
}Ngakho-ke, ngokombono we-DNS, kufanele sisebenzise i-DoH (okungcono kakhulu nge-DNSSEC) futhi sengeze okufakiwe okubili.
Ukwesekwa kwamakhasimende
Uma sikhuluma ngeziphequluli, khona-ke okwamanje . Nansi imiyalelo yokuthi ungaluvula kanjani usekelo lwe-ESNI ne-DoH ku-Firefox. Ngemva kokuba isiphequluli simisiwe, kufanele sibone into efana nalena:
ukuhlola isiphequluli.
Yebo, i-TLS 1.3 kufanele isetshenziselwe ukusekela i-ESNI, njengoba i-ESNI iyisandiso ku-TLS 1.3.
Ngenhloso yokuhlola i-backend ngosekelo lwe-ESNI, sisebenzise iklayenti ku- go, Kodwa okwengeziwe ngalokho kamuva.
Ukusekelwa kohlangothi lweseva
Okwamanje, i-ESNI ayisekelwe amaseva ewebhu afana ne-nginx/apache, njll., njengoba esebenza ne-TLS nge-OpenSSL/BoringSSL, engasekeli ngokusemthethweni i-ESNI.
Ngakho-ke, sinqume ukudala ingxenye yethu engaphambili (i-ESNI reverse proxy), ezosekela ukunqanyulwa kwe-TLS 1.3 nge-ESNI kanye nethrafikhi ye-HTTP(S) yommeleli ukuya enhla nomfula, engasekeli i-ESNI. Lokhu kuvumela ubuchwepheshe ukuthi busetshenziswe kungqalasizinda ekhona kakade, ngaphandle kokushintsha izingxenye eziyinhloko - okungukuthi, ukusebenzisa amaseva ewebhu amanje angasekeli i-ESNI.
Ukuze kucace, nawu umdwebo:
Ngiyaqaphela ukuthi ummeleli waklanywa enekhono lokunqamula uxhumano lwe-TLS ngaphandle kwe-ESNI, ukusekela amakhasimende ngaphandle kwe-ESNI. Futhi, iphrothokholi yokuxhumana ekhuphuka nomfula ingaba i-HTTP noma i-HTTPS enenguqulo ye-TLS engaphansi kuka-1.3 (uma umfula okhuphukayo ungasekeli u-1.3). Lolu hlelo lunikeza ukuguquguquka okukhulu.
Ukuqaliswa kokusekelwa kwe-ESNI kuvuliwe go saboleka kuyo . Ngingathanda ukuqaphela zisuka nje ukuthi ukuqaliswa ngokwakho akuwona neze into encane, njengoba kuhilela izinguquko emtatsheni wezincwadi ojwayelekile. crypto/tls ngakho-ke kudinga "ukuchibiyela" IGOROOT ngaphambi komhlangano.
Ukukhiqiza okhiye be-ESNI sisebenzise (futhi ingqondo ye-CloudFlare). Laba khiye basetshenziselwa ukubethela/ukususa ukubethela kwe-SNI.
Sihlole isakhiwo sisebenzisa i-go 1.13 ku-Linux (Debian, Alpine) ne-MacOS.
Amagama ambalwa mayelana nezici zokusebenza
Ummeleli ohlanekezelwe we-ESNI uhlinzeka ngamamethrikhi ngefomethi ye-Prometheus, njenge-rps, ukubambezeleka okuphezulu namakhodi okuphendula, ukuxhawula izandla okuhlulekile/okuyimpumelelo kwe-TLS kanye nobude besikhathi sokuxhawula kwe-TLS. Uma uthi nhlΓ‘, lokhu kubonakale kwanele ukuhlola ukuthi ummeleli uyiphatha kanjani ithrafikhi.
Senze nokuhlola umthamo ngaphambi kokusetshenziswa. Imiphumela engezansi:
wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.77s 1.21s 7.20s 65.43%
Req/Sec 13.78 8.84 140.00 83.70%
206357 requests in 6.00m, 6.08GB read
Requests/sec: 573.07
Transfer/sec: 17.28MB Senze ukuhlolwa komthwalo osezingeni eliphezulu ukuze siqhathanise isikimu sisebenzisa ummeleli ohlanekezelwe we-ESNI nangaphandle. "Sithulule" ithrafikhi endaweni ukuze sisuse "ukuphazamiseka" ezingxenyeni eziphakathi nendawo.
Ngakho-ke, ngokusekelwa kwe-ESNI kanye nokwenza ummeleli ukuya phezulu usuka ku-HTTP, sithole cishe ama-rps angu-~550 kusukela esimweni esisodwa, ngokusetshenziswa okumaphakathi kwe-CPU/RAM kommeleli ohlanekezelwe we-ESNI:
- 80% Ukusetshenziswa kwe-CPU (4 vCPU, 4 GB RAM, i-Linux)
- 130 MB Mem RSS
Ukuze uqhathanise, i-RPS ye-nginx efanayo ekhuphukayo ngaphandle kwe-TLS (iphrothokholi ye-HTTP) ukunqanyulwa ngu-~ 1100:
wrk -t50 -c1000 -d360s 'http://lb.npw:80' β-timeout 15s
Running 6m test @ http://lb.npw:80
50 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.11s 2.30s 15.00s 90.94%
Req/Sec 23.25 13.55 282.00 79.25%
393093 requests in 6.00m, 11.35GB read
Socket errors: connect 0, read 0, write 0, timeout 9555
Non-2xx or 3xx responses: 8111
Requests/sec: 1091.62
Transfer/sec: 32.27MB Ukuba khona kokuphelelwa yisikhathi kubonisa ukuthi kunokuntuleka kwezinsiza (sisebenzise ama-4 vCPU, ama-RAM angu-4 GB, i-Linux), futhi empeleni i-RPS engaba khona iphakeme (sithole izibalo ezifika ku-2700 RPS kuzinsiza ezinamandla kakhulu).
Sengiphetha, ngiyaphawula ukuthi ubuchwepheshe be-ESNI bubukeka buthembisa impela. Kusenemibuzo eminingi evulekile, isibonelo, izindaba zokugcina ukhiye we-ESNI womphakathi ku-DNS kanye nokhiye ojikelezayo we-ESNI - lezi zindaba zixoxwa ngenkuthalo, futhi inguqulo yakamuva yokusalungiswa kwe-ESNI (ngesikhathi sokubhala) isivele .
Source: www.habr.com