CPDoS attack makes CDN-served pages unavailable

Researchers from the universities of Hamburg and Cologne have developed a new attack on content delivery networks and caching proxies: CPDoS (Cache-Poisoned Denial-of-Service). The attack lets an attacker block access to a page by poisoning the cache.

The problem stems from the fact that a CDN cache stores not only successfully served requests but also cases where the HTTP server returns an error. As a rule, when a request cannot be processed the server returns a 400 (Bad Request) error; the only exception is IIS, which returns 404 (Not Found) for oversized headers. The standard (RFC 7231 section 6.1) allows errors with the codes 404 (Not Found), 405 (Method Not Allowed), 410 (Gone), 414 (URI Too Long) and 501 (Not Implemented) to be cached by default, but some CDNs also store responses with code 400 (Bad Request), depending on the request that was sent.

An attacker can make the origin return a "400 Bad Request" error by sending a request with HTTP headers formatted in a particular way. The CDN ignores these headers, so the error response is cached as if it were the normal answer for that URL, and until the cached entry expires every other, perfectly valid request from users may receive the error, even though the origin site serves the content without any problem.

Three attack variants are proposed for forcing the HTTP server to return an error:

  • HMO (HTTP Method Override): the attacker can override the method of the original request using the "X-HTTP-Method-Override", "X-HTTP-Method" or "X-Method-Override" headers, which are supported by some servers but ignored by the CDN. For example, the original "GET" method can be turned into "DELETE", which is forbidden on the server, or into "POST", which is not applicable to static content;

  • HHO (HTTP Header Oversize): the attacker can choose a header size that exceeds the origin server's limit but still fits within the CDN's limit. For example, Apache httpd limits header size to 8 KB, while the Amazon CloudFront CDN accepts headers of up to 20 KB;

  • HMC (HTTP Meta Character): the attacker can insert special characters (\n, \r, \a) into the request that the origin server treats as invalid but the CDN ignores.

The CDN most exposed to the attack is CloudFront, used by Amazon Web Services (AWS). Amazon has now fixed the problem by disabling the caching of errors, but it took the researchers more than three months to get the protection added. The issue also affected Cloudflare, Varnish, Akamai, CDN77 and Fastly, but attacks through them are limited to origin servers running IIS, ASP.NET, Flask and Play 1. It is noted that 11% of US Department of Defense domains, 16% of the URLs in the HTTP Archive database and about 30% of the top 500 sites in the Alexa ranking may be vulnerable to the attack.

As a workaround on the site side, the attack can be blocked by sending the "Cache-Control: no-store" header on error responses, which prevents the response from being cached. In some CDNs, e.g. CloudFront and Akamai, caching of errors can be disabled at the level of the distribution (profile) settings. A web application firewall (WAF) can also be used for protection, but it must be deployed on the CDN side, in front of the caching hosts, otherwise the poisoned entry is already stored before the WAF sees the request.
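The following is an added illustration, not code from the researchers or from any CDN vendor. It models the three attack variants listed above (HMO, HHO, HMC) and the two mitigations from this paragraph with a hypothetical origin and a hypothetical caching edge. The only concrete numbers taken from the article are the 8 KB origin header limit (Apache httpd) and the 20 KB CloudFront limit; the `origin`, `Cache` and `run_scenario` names, the header names used for padding and meta characters, and the cache's key and storage rules are assumptions of the model, not any product's actual behaviour.

```python
"""Toy model of a CPDoS (Cache-Poisoned Denial-of-Service) attack.

Added example: a hypothetical origin behind a hypothetical caching edge.
Nothing here is the researchers' code or a real CDN implementation.
"""
import functools
from dataclasses import dataclass, field

ORIGIN_MAX_FIELD_BYTES = 8 * 1024    # Apache-like per-field limit (article: 8 KB)
CDN_MAX_HEADER_BYTES = 20 * 1024     # CloudFront-like total limit (article: 20 KB)
ALLOWED_METHODS = {"GET", "HEAD"}    # what a static resource accepts (assumption)
OVERRIDE_HEADERS = ("X-HTTP-Method-Override", "X-HTTP-Method", "X-Method-Override")
# Status codes a cache may store by default (RFC 7231 section 6.1); the
# article notes that some CDNs also store 400, which the Cache below does.
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def origin(req: Request, no_store_on_error: bool = False) -> Response:
    """Hypothetical origin: honours method-override headers, enforces a
    per-field size limit and rejects control characters in header values."""
    err = None
    for name, value in req.headers.items():
        if len(name) + len(value) > ORIGIN_MAX_FIELD_BYTES:
            err = Response(400, body="Bad Request: header field too large")   # HHO
            break
        if any(ch in value for ch in "\r\n\a"):
            err = Response(400, body="Bad Request: illegal character")          # HMC
            break
    if err is None:
        method = req.method
        for h in OVERRIDE_HEADERS:                      # HMO: override honoured here only
            if h in req.headers:
                method = req.headers[h].upper()
        if method not in ALLOWED_METHODS:
            err = Response(405, body="Method Not Allowed")
    if err is None:
        return Response(200, {"Cache-Control": "max-age=3600"}, "<html>hello</html>")
    if no_store_on_error:
        err.headers["Cache-Control"] = "no-store"     # origin-side mitigation from the article
    return err


class Cache:
    """Hypothetical CDN edge: ignores override headers, has a larger header
    limit than the origin, and (by default) stores error responses too."""

    def __init__(self, origin_fn, cache_errors: bool = True):
        self.origin_fn = origin_fn
        self.cache_errors = cache_errors      # False models "error caching disabled"
        self.store: dict = {}

    def fetch(self, req: Request) -> Response:
        key = (req.method, req.path)          # the poisoning headers are not part of the key
        if sum(len(k) + len(v) for k, v in req.headers.items()) > CDN_MAX_HEADER_BYTES:
            return Response(400, body="CDN: request too large")   # rejected at the edge, not stored
        if key in self.store:
            return self.store[key]
        resp = self.origin_fn(req)
        storable = resp.status in CACHEABLE_BY_DEFAULT or resp.status == 400  # the 400 quirk
        if resp.status >= 400 and not self.cache_errors:
            storable = False
        if "no-store" in resp.headers.get("Cache-Control", ""):
            storable = False
        if storable:
            self.store[key] = resp
        return resp


# Constructed poisoning requests, one per attack variant.
def hmo_request(path: str) -> Request:
    return Request("GET", path, {OVERRIDE_HEADERS[0]: "DELETE"})


def hho_request(path: str) -> Request:
    # Between the two limits: too big for the origin, small enough for the edge.
    return Request("GET", path, {"X-Oversized": "A" * (ORIGIN_MAX_FIELD_BYTES + 1)})


def hmc_request(path: str) -> Request:
    return Request("GET", path, {"X-Meta": "harmless\r\ninjected"})


def run_scenario(poison: Request, cache_errors: bool = True,
                 no_store_on_error: bool = False) -> tuple:
    """Send the poisoning request, then a clean GET for the same path.
    Returns (status seen by the attacker, status seen by the later victim)."""
    cdn = Cache(functools.partial(origin, no_store_on_error=no_store_on_error), cache_errors)
    attacker = cdn.fetch(poison).status
    victim = cdn.fetch(Request("GET", poison.path)).status
    return attacker, victim


if __name__ == "__main__":
    for name, req in (("HMO", hmo_request("/index.html")),
                      ("HHO", hho_request("/index.html")),
                      ("HMC", hmc_request("/index.html"))):
        print(name, "vulnerable:", run_scenario(req),
              "no-store:", run_scenario(req, no_store_on_error=True),
              "no error caching:", run_scenario(req, cache_errors=False))
```

Two details of the model are the point of the exercise: the HHO payload only works when it lands between the two limits (a header larger than the edge's own limit is rejected at the edge and never poisons anything), and the HMO variant produces a 405, which the standard already allows caches to store, so only the origin's `no-store` or the CDN's "do not cache errors" setting stops it.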

Source: opennet.ru
