Web HighLoad - how we manage traffic for tens of thousands of domains

Legitimate traffic on the DDoS-Guard network recently exceeded one hundred gigabits per second. Currently, 50% of all our traffic is generated by customers' web services. These are many tens of thousands of domains, very different from one another and in most cases requiring an individual approach.

Below the cut is how we manage the front nodes and issue SSL certificates for hundreds of thousands of sites.

Setting up a front end for one site, even a very large one, is easy. We take nginx or haproxy or lighttpd, configure it according to the guides and forget about it. If we need to change something, we do a reload and forget about it again.

Everything changes when you process large volumes of traffic on the fly, evaluate the legitimacy of requests, compress and cache user content, and at the same time change parameters several times per second. The user wants to see the result on all external nodes immediately after changing the settings in their personal account. A user can also upload several thousand (and sometimes tens of thousands of) domains with individual traffic-processing parameters via the API. All of this also has to work immediately in America, in Europe and in Asia - not the most trivial task, considering that in Moscow alone there are several physically separate filtering nodes.

Why are there many large, reliable nodes around the world?

  • Quality of service for customer traffic - requests from the USA need to be processed in the USA (including for attacks, parsing and other anomalies), and not pulled to Moscow or Europe, which unpredictably increases processing latency.

  • Attack traffic must be localized - transit operators may degrade during attacks, the volume of which often exceeds 1 Tbps. Transporting attack traffic over transatlantic or trans-Asian links is not a good idea. We had real cases where Tier-1 operators said: "The volume of attacks you receive is dangerous to us." That is why we accept incoming streams as close to their sources as possible.

  • Strict requirements for service continuity - scrubbing centers should not depend on each other or on local events in our rapidly changing world. Cut the power to all 11 floors of MMTS-9 for a week? - no problem. Not a single client without a physical connection at this particular location will suffer, and web services will not suffer under any circumstances.

How do we manage all of this?

Service configuration must be distributed to all front nodes as quickly as possible (ideally instantly). You cannot simply rebuild text configs and restart the daemons on every change - the same nginx keeps processes in the shutting-down state (worker shutting down) for a few more minutes (or maybe hours if there are long websocket sessions).

When the nginx configuration is reloaded, the following picture is typical:

In memory usage:

Old workers consume memory, including memory that does not depend linearly on the number of connections - this is normal. When the client connections are closed, this memory will be freed.

Why was this not a problem when nginx was just starting out? There was no HTTP/2, no WebSocket, no massive long keep-alive connections. 70% of our web traffic is HTTP/2, which means very long connections.

The solution is simple - do not use nginx, do not manage fronts based on text files, and certainly do not send zipped text configurations over transcontinental channels. The channels are, of course, guaranteed and reserved, but that does not make them any less transcontinental.

We have our own front-end balancer server, whose internals I will talk about in the following articles. The main thing it can do is apply thousands of configuration changes per second on the fly, without restarts, reloads, sudden spikes in memory consumption, and all that. This is very similar to Hot Code Reload, for example in Erlang. The data is stored in a geo-distributed key-value database and is read immediately by the front-end actuators. That is, you upload an SSL certificate via the web interface or API in Moscow, and within a few seconds it is ready to go at our scrubbing center in Los Angeles. If a world war suddenly breaks out and the Internet disappears all over the world, our nodes will continue to operate autonomously and will repair the split-brain as soon as one of the dedicated channels Los Angeles-Amsterdam-Moscow, Moscow-Amsterdam-Hong Kong-Los Angeles, or at least one of the backup GRE tunnels, becomes available.

The same mechanism lets us instantly issue and renew Let's Encrypt certificates. Put very simply, it works like this:

  1. As soon as we see at least one HTTPS request for our client's domain without a certificate (or with an expired certificate), the external node that accepted the request reports this to the internal certification authority.

  2. If the user has not prohibited the issuance of Let's Encrypt certificates, the certification authority generates a CSR, receives a confirmation token from LE and sends it to all fronts over an encrypted channel. Now any node can confirm a validation request from LE.

  3. In a few seconds, we will receive the correct certificate and private key and send them to the fronts in the same way. Again, without restarting the daemons.

  4. 7 days before the expiration date, the certificate re-issuance procedure is initiated.

Right now we are rotating 350k certificates in real time, completely transparently to users.
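The four steps above, modelled as an added example (this is not DDoS-Guard's code): a plain dict stands in for the geo-distributed key-value store, so a challenge published once can be answered by any front node. The class and method names are hypothetical, and the use of the ACME HTTP-01 challenge path is an assumption, since the article only mentions a "confirmation token".

```python
import re
from datetime import timedelta

RENEW_BEFORE = timedelta(days=7)              # from the article: 7 days before expiry
ACME_PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 path (RFC 8555); assumed here
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")      # ACME tokens are base64url

class FrontNode:
    """Edge node; `kv` is a dict standing in for the replicated key-value store."""
    def __init__(self, kv, report):
        self.kv, self.report = kv, report

    def on_https_request(self, domain, now):
        """Step 1: report a missing or expired certificate to the internal CA."""
        cert = self.kv.get(f"cert/{domain}")
        if cert is None or cert["not_after"] <= now:
            self.report(domain)
            return False
        return True

    def on_http_request(self, domain, path):
        """Step 2: any node answers the validation request from shared state."""
        token = path[len(ACME_PREFIX):] if path.startswith(ACME_PREFIX) else ""
        if not TOKEN_RE.fullmatch(token):
            return 404, ""
        key_auth = self.kv.get(f"challenge/{domain}/{token}")
        return (200, key_auth) if key_auth else (404, "")

class InternalCA:
    def __init__(self, kv, opted_out=()):
        self.kv, self.opted_out, self.pending = kv, set(opted_out), set()

    def report(self, domain):
        if domain not in self.opted_out:      # the user may forbid issuance
            self.pending.add(domain)

    def publish_challenge(self, domain, token, thumbprint):
        """Key authorization is token + "." + account-key thumbprint (RFC 8555)."""
        self.kv[f"challenge/{domain}/{token}"] = f"{token}.{thumbprint}"

    def install(self, domain, token, not_after):
        """Step 3: publish the certificate (key omitted), drop the spent challenge."""
        self.kv[f"cert/{domain}"] = {"not_after": not_after}
        self.kv.pop(f"challenge/{domain}/{token}", None)
        self.pending.discard(domain)

    def due_for_renewal(self, now):
        """Step 4: domains whose certificate expires within RENEW_BEFORE."""
        return sorted(k[5:] for k, c in self.kv.items()
                      if k.startswith("cert/") and c["not_after"] - now <= RENEW_BEFORE)
```

The token is checked against the base64url alphabet before it is used to build a store key, so a crafted challenge path cannot address other entries in the shared store.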

In the following articles of the series, I will talk about other features of real-time processing of large web traffic - for example, about analyzing RTT using incomplete data to improve the quality of service for transit customers, and more generally about protecting transit traffic from terabit attacks, about delivery and aggregation of traffic information, about WAF, an almost unlimited CDN and many mechanisms for optimizing content delivery.

What would you like to know about first?

  • 14.3% Algorithms for clustering and analyzing the quality of web traffic (3)

  • 33.3% Internals of the DDoS-Guard balancers (7)

  • 9.5% L3/L4 traffic protection

  • 0.0% Protecting websites on transit traffic (0)

  • 14.3% Web Application Firewall (3)

  • 28.6% Protection against parsing and click fraud (6)

21 users voted. 6 users abstained.

Source: www.habr.com
