
SSL termination and load balancing

In brief

SSL/TLS termination takes the cryptographic load off the applications and opens the way to L7 routing, WAF, rate limiting, mTLS and canary releases. The key decisions: where to terminate TLS (edge / ingress / inside the mesh), how to balance (L4 vs L7), which cipher profiles to use, how to renew certificates without drops, and how to keep latency and errors within the SLO.


Where to terminate TLS

At the edge (CDN/Anycast/WAF): lowest latency to the user, global protection, caching and bot control. Then re-encrypt.
At the L7 ingress (Nginx/Envoy/HAProxy/ALB): fine-grained routing by URI/headers, mTLS, JWT validation.
TLS passthrough (L4): when end-to-end mTLS down to the pod/service is required (for example, a strict compliance zone).
Service mesh (Envoy/Istio/Linkerd): automated mTLS inside the cluster, policies and telemetry.

In practice: most often edge terminate → re-encrypt to ingress; for PII/payments, mTLS all the way to the service.


L4 vs L7 balancing

L4 (TCP/UDP): minimal latency, simple health checks (port-level), TLS passthrough. Suitable for gRPC over TLS when L7 features are not needed.
L7 (HTTP/HTTPS/HTTP3): routing by host/path/headers/cookies, WAF, rate limits, canary releases, sticky sessions, retries/timeouts.


TLS: versions, keys, ciphers

Versions: TLS 1.3 everywhere, TLS 1.2 as fallback. Disable 1.0/1.1.
Keys/certificates: ECDSA (P-256) is faster than RSA; a dual stack (ECDSA + RSA) is possible for legacy clients.
ALPN: `h2` and `http/1.1`; for HTTP/3, `h3` (QUIC/UDP).
OCSP stapling: enable; HSTS on public domains.
Key storage: keep keys in KMS/HSM; automatic renewal (ACME / trust chain).
0-RTT (TLS 1.3): enable selectively (GET/idempotent requests only), taking the replay risk into account.

Base cipher profile (TLS 1.2): `ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305`


TLS performance

Resumption: session tickets/IDs reduce the handshake cost.
ECDSA + ChaCha20 helps on mobile devices and CPUs without AES-NI.
OCSP stapling + short chains reduce p95.
HTTP/2/3: multiplexing, fewer connections → lower p95.
Offload: pin CPU cores for crypto, enable reuseport, tune socket buffers.


Security

mTLS: require client certificates for admin/operator APIs; CRL/OCSP for revocation.
SNI/ECH: SNI is standard; ECH (Encrypted ClientHello) hides the domain (if the edge provider supports it).
Strict Transport Security (HSTS): on prod domains, with caution at first.
TLS between hops: re-encrypt to the service, even inside the DC (Zero Trust).
Rate limits/greylists: at L7 they protect the API from bots and brute force.


Observability and SLO

SLO (examples)

p95 TLS handshake ≤ 80-120 ms (global), p95 TTFB ≤ 200-300 ms.
TLS errors (handshake/peer-verify) ≤ 0.1%.
Resumption share ≥ 70% for repeat visits.

Metrics

`handshake_time`, `tls_version`, `alpn`, `cert_expiry_days`, `ocsp_staple_status`.
L7: `p50/p95/p99`, `5xx`, `429`, `upstream_rq_time`, `retry_budget`.
Capacity: active connections, CPS (connections per second), RPS.
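As an added example (not from the original page), the SLO targets and metrics above evaluated over a handful of constructed nginx access-log lines; the `log_format` that records `$ssl_protocol`, `$ssl_cipher`, `$ssl_session_reused`, `$ssl_alpn_protocol`, `$status` and `$request_time` is an assumption, and `$request_time` stands in for TTFB.

```python
# Assumed custom nginx log_format (not on the page), one request per line:
#   '$ssl_protocol $ssl_cipher $ssl_session_reused $ssl_alpn_protocol $status $request_time'
# ($ssl_session_reused is "r" for a resumed session, "." for a full handshake)
ALLOWED_CIPHERS = {  # the page's TLS 1.2 profile plus the TLS 1.3 AEAD suites
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
}
# Constructed sample: one legacy TLS 1.1 client on a weak cipher, one 502, one 429.
SAMPLE_LOG = """\
TLSv1.3 TLS_AES_256_GCM_SHA384 r h2 200 0.041
TLSv1.3 TLS_AES_256_GCM_SHA384 r h2 200 0.037
TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 . h2 200 0.112
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 r http/1.1 200 0.098
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 r http/1.1 502 0.301
TLSv1.1 ECDHE-RSA-AES128-SHA . http/1.1 200 0.410
TLSv1.3 TLS_AES_256_GCM_SHA384 r h2 200 0.044
TLSv1.3 TLS_AES_256_GCM_SHA384 . h2 429 0.012
TLSv1.3 TLS_AES_256_GCM_SHA384 r h2 200 0.060
"""

def p95(values):
    """Nearest-rank 95th percentile (rank = ceil(0.95 * n)), as dashboards compute it."""
    ordered = sorted(values)
    return ordered[(95 * len(ordered) + 99) // 100 - 1]

def tls_report(log_text):
    """Aggregate TLS/L7 metrics from the log and raise alerts against the SLO targets."""
    rows = [line.split() for line in log_text.splitlines() if line.strip()]
    total = len(rows)
    report = {
        "resumption_rate": sum(r[2] == "r" for r in rows) / total,
        "legacy_tls_hits": sum(r[0] in ("TLSv1", "TLSv1.1") for r in rows),
        "weak_ciphers": sorted({r[1] for r in rows if r[1] not in ALLOWED_CIPHERS}),
        "error_rate_5xx": sum(r[4].startswith("5") for r in rows) / total,
        "p95_request_ms": round(p95([float(r[5]) for r in rows]) * 1000, 1),
    }
    alerts = []
    if report["resumption_rate"] < 0.70:    # SLO on the page: resumption >= 70%
        alerts.append("resumption below 70%")
    if report["p95_request_ms"] > 300:      # SLO on the page: p95 <= 300 ms
        alerts.append("p95 above 300 ms")
    if report["legacy_tls_hits"]:           # TLS 1.0/1.1 must be disabled
        alerts.append("TLS 1.0/1.1 still negotiated")
    if report["weak_ciphers"]:              # outside the cipher profile
        alerts.append("cipher outside profile: " + ", ".join(report["weak_ciphers"]))
    if report["error_rate_5xx"] > 0.001:    # assumed 0.1% 5xx error budget
        alerts.append("5xx rate above 0.1%")
    report["alerts"] = alerts
    return report
```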


Typical configurations

Nginx (L7 terminate + HTTP/2 + OCSP stapling)

```nginx
server {
    listen 443 ssl http2 reuseport;
    server_name api.example.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:...:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_ecdh_curve X25519:P-256;
    ssl_certificate     /etc/ssl/cert.pem;    # full chain (leaf + intermediates)
    ssl_certificate_key /etc/ssl/key.pem;
    ssl_stapling on; ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/chain.pem;  # assumed path: CA bundle used to verify the OCSP response
    resolver 127.0.0.53 valid=300s;              # assumed local resolver; stapling needs one to reach the OCSP responder
    ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_http_version 1.1;                  # required, together with an empty Connection header,
        proxy_set_header Connection "";          # for the upstream keepalive pool below to be used
        proxy_pass https://upstream_pool;
    }
}

upstream upstream_pool {
    zone backends 64k;
    server 10.0.1.10:8443 max_fails=3 fail_timeout=10s;
    server 10.0.1.11:8443 max_fails=3 fail_timeout=10s;
    keepalive 256;
}
```

HAProxy (L7 terminate + stickiness + mTLS)

```haproxy
frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    # for client mTLS add to the bind line: verify required ca-file /etc/haproxy/client-ca.pem (assumed path)
    mode http
    http-response set-header Strict-Transport-Security max-age=31536000
    default_backend be_api

backend be_api
    mode http
    balance roundrobin
    cookie SRV insert indirect nocache
    option httpchk GET /healthz
    # "ssl verify required ca-file" re-encrypts to the backend and checks its certificate;
    # the per-server "cookie" value is what the SRV stickiness cookie carries
    server s1 10.0.1.10:8443 check ssl verify required ca-file /etc/haproxy/ca.pem cookie s1
    server s2 10.0.1.11:8443 check ssl verify required ca-file /etc/haproxy/ca.pem cookie s2
```

Envoy (L7 terminate + client mTLS + canary)

```yaml
static_resources:
  listeners:
  - name: https
    address: { socket_address: { address: 0.0.0.0, port_value: 443 } }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress
          route_config:
            virtual_hosts:
            - name: api
              domains: ["api.example.com"]
              routes:
              - match: { prefix: "/" }
                route:
                  weighted_clusters:
                    clusters:
                    - name: api-stable
                      weight: 95
                    - name: api-canary
                      weight: 5
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: "/etc/tls/cert.pem" }
              private_key: { filename: "/etc/tls/key.pem" }
            validation_context:   # mTLS (optional): CA that client certificates must chain to
              trusted_ca: { filename: "/etc/tls/ca.pem" }
          require_client_certificate: true   # reject clients that present no certificate
  # clusters api-stable and api-canary are defined under static_resources.clusters (omitted here)
```

AWS ALB/NLB (concept)

ALB (L7 terminate): HTTPS listener 443 (TLS 1.2/1.3), target group HTTPS:8443, health check `/healthz`, stickiness (cookie).
NLB (L4 passthrough): TLS listener 443, TCP health checks, SNI passed through to the pod.
CloudFront/Cloudflare: TLS at the edge + WAF + bot management; origin HTTPS only.


Renewing certificates without drops

ACME (Let's Encrypt / private CA) with automatic renewal and hot reload (Nginx `reload`, Envoy SDS).
Dual certificates (ECDSA + RSA) during migration.
Chain monitoring: verify the intermediate CAs; OCSP stapling after rotation.
Alerts: `cert_expiry_days < 21` and `ocsp_status != good`.
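The alert rules above, as an added example that is not part of the original page: a Python check that computes `cert_expiry_days` for a leaf-first chain, flags a missing or mis-ordered intermediate, and evaluates `cert_expiry_days < 21` and `ocsp_status != good`; the chain, `SAMPLE_NOW` and the `ocsp_status` value are constructed inputs, and the string subject/issuer form is a simplification of what `ssl.getpeercert()` returns.

```python
import math
import ssl

# Constructed leaf-first chain in a simplified form of what ssl.getpeercert() returns
# (subject/issuer flattened to strings); notAfter keeps the getpeercert() text format.
SAMPLE_CHAIN = [
    {"subject": "api.example.com", "issuer": "Example Intermediate R1",
     "notAfter": "Mar 10 00:00:00 2026 GMT"},
    {"subject": "Example Intermediate R1", "issuer": "Example Root",
     "notAfter": "Jan 10 00:00:00 2030 GMT"},
]
# Constructed "current time" so the check is reproducible (epoch seconds).
SAMPLE_NOW = ssl.cert_time_to_seconds("Feb 20 00:00:00 2026 GMT")

def days_to_expiry(cert, now):
    """Whole days left (negative if already expired), evaluated at `now` (epoch seconds)."""
    return math.floor((ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400)

def check_chain(chain, ocsp_status, now, warn_days=21):
    """Return (cert_expiry_days, alerts) for a leaf-first chain.

    Implements the two alert rules from the page (cert_expiry_days < 21 and
    ocsp_status != good) plus a chain-order check for missing intermediates."""
    alerts = []
    # Each cert's issuer must be the next cert's subject; a gap means the balancer
    # serves an incomplete chain and clients must fetch the intermediate or fail.
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            alerts.append(f"chain gap after {cert['subject']}: issuer {cert['issuer']!r} "
                          f"but next cert is {parent['subject']!r}")
    # Alert on the soonest expiry anywhere in the chain, not only the leaf.
    expiry_days = min(days_to_expiry(c, now) for c in chain)
    if expiry_days < warn_days:
        alerts.append(f"cert_expiry_days={expiry_days} < {warn_days}")
    if ocsp_status != "good":
        alerts.append(f"ocsp_status={ocsp_status}")
    return expiry_days, alerts
```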


Health checks and routing

L4: TCP connect, TLS handshake.
L7: HTTP 200 / JSON version marker, gRPC health.
Policies: failover for sticky, weighted, latency, consistent hash (cookie/IP).
Retries/timeouts: balance resilience against duplicated requests (idempotency!).


Kubernetes patterns

Ingress controller (Nginx/Envoy/HAProxy): ingress termination, `ExternalDNS` for DNS records, `cert-manager` for ACME.
Gateway API: declarative TLSRoute/HTTPRoute with canaries.
Service mesh: automatic pod-level mTLS, policies at the `PeerAuthentication`/`DestinationRule` level.


Security checklist

  • TLS 1.3 enabled; 1.0/1.1 disabled.
  • Modern ciphers; ECDSA certificates where client support allows.
  • OCSP stapling, full chains, HSTS.
  • mTLS for admin/interconnects; client certificate rotation.
  • Rate limits / bot filters at the edge; protection against slowloris / oversized headers.
  • Re-encrypt to backends (Zero Trust).
  • Secrets/keys in KMS/HSM; rotation and audit.

Observability and alerts

Metrics: TLS handshakes/sec, failure rate, session resumption rate, OCSP, p95/99, open conns, CPS, RPS.
Logs: SNI/ALPN/TLS version, cipher, client certificate (for mTLS), upstream codes, latency breakdown.
Alerts: `5xx/525`, drop in resumption, `cert_expiry_days`, `ocsp_failed`, p95 above target, `429`.


Common mistakes

Termination at the edge with plain HTTP inside.
Overly long CA chains → higher p95 handshake.
No OCSP stapling → stalls in clients/browsers.
Failover that ignores sticky sessions → clients "stuck" to a degraded node.
0-RTT enabled for all requests → replay risk.
Second-long drops during rotation → no hot reload of certificates.


Specifics for iGaming/fintech

Peaks (tournaments/games): pre-warm TLS sessions (pre-connect), short chains, high resumption share, HTTP/2/3 for the frontends.
Payment gateways/PSPs: mTLS, strict ciphers/versions, pinned CA, separate domains/ALBs with strict rules.
Anti-fraud/bot filters: L7 rate limits by IP/ASN/device fingerprint, canary greylists (challenge/captcha) on a separate domain.
Regulatory: HSTS, audited logs of TLS parameters, reports by version, revocation of client certificates on incidents.


Mini playbooks

Canary release through the L7 balancer

1. Add the `api-canary` cluster with 5% weight.
2. Watch p95/errors.
3. Ramp 5→25→50→100%.
4. Automatic rollback on degradation.
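The canary playbook above, as an added example rather than the page's own tooling: a controller that walks the 5→25→50→100% ramp, compares the canary against the stable cluster after each step and rolls the weight back to 0 on the first regression; `observe`, the constructed observations and the 20% / +0.05 pp regression thresholds are assumptions.

```python
# Constructed observations keyed by canary weight: (stable, canary), each (p95_ms, error_rate);
# stable is None at 100% because nothing is left to compare against. In production these
# would come from the balancer's per-cluster metrics after a bake period.
HEALTHY = {5: ((180, 0.0005), (184, 0.0005)), 25: ((181, 0.0005), (186, 0.0006)),
           50: ((182, 0.0005), (188, 0.0006)), 100: (None, (190, 0.0006))}
DEGRADED = {5: ((180, 0.0005), (182, 0.0005)), 25: ((181, 0.0005), (186, 0.0006)),
            50: ((183, 0.0005), (260, 0.0006))}   # still inside the SLO, but much slower than stable

def weighted_clusters(canary_weight):
    """Envoy weighted_clusters entries for the api-stable/api-canary split on the page."""
    return [{"name": "api-stable", "weight": 100 - canary_weight},
            {"name": "api-canary", "weight": canary_weight}]

def canary_healthy(stable, canary, slo_p95_ms=300, slo_err=0.001):
    """Absolute SLO check plus a relative one: a canary inside the SLO but clearly worse
    than stable (assumed: 20% slower or +0.05 pp errors) is still a regression."""
    c_p95, c_err = canary
    if c_p95 > slo_p95_ms or c_err > slo_err:
        return False
    if stable is None:                 # 100%: no stable traffic to compare with
        return True
    s_p95, s_err = stable
    if c_p95 > 1.2 * s_p95:
        return False
    return c_err <= s_err + 0.0005

def run_canary(observe, steps=(5, 25, 50, 100)):
    """Walk the ramp; on the first unhealthy step set the weight back to 0 (automatic rollback).

    `observe(weight)` returns (stable, canary) metrics measured after the weight is applied.
    Returns (final_weight, history); history holds (weight, verdict) per step."""
    history = []
    for weight in steps:
        stable, canary = observe(weight)
        ok = canary_healthy(stable, canary)
        history.append((weight, "ok" if ok else "rollback"))
        if not ok:
            return 0, history
    return steps[-1], history
```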

Emergency certificate rotation

1. Obtain the new cert/key.
2. `reload` without dropping connections (SDS / hot swap).
3. OCSP check.
4. Dashboard: p95 handshake.

Enabling HTTP/3

1. Open UDP/443.
2. Add ALPN `h3`.
3. Separate QUIC loss/RTT metrics.
4. A/B by client share.


Summary

Effective SSL termination means a modern TLS profile, the right termination point, smart L7 routing, observability and strong security (mTLS, HSTS, re-encrypt). Define everything in IaC, automate rotations, measure p95/errors and use canaries; then the frontend survives peak load and stays fast and secure.
