Web HighLoad - how we manage the traffic of tens of thousands of domains

The legitimate traffic on the DDoS-Guard network has recently exceeded one hundred gigabits per second. Now 50% of all our traffic is generated by customer web services. These are many tens of thousands of domains, very different and in most cases requiring an individual approach.


Under the cut - how we manage front nodes and issue SSL certificates for hundreds of thousands of sites.




Setting up a front for one site, even a very large one, is easy. We take nginx, haproxy or lighttpd, configure it according to the guides and forget about it. If something needs to change, we do a reload and forget about it again.


, , , , . , . API ( ) . , , — , , .


?


  • — ( , ), , .

  • — , 1bps. — . , Tier-1 : « , , ». .

  • — , . 11 -9? — . , , - .


?


( ) -. — nginx (worker shutting down) ( websocket-).


nginx :



:



, , , — . , .


, nginx ? HTTP/2, WebSocket, keep-alive . 70% - — HTTP/2, .


— nginx, , . , , , .


--, . , — , , , . Hot Code Reload, Erlang. key-value . .. SSL- - API , -. , , split-brain, ---, ----- GRE.


Let's Encrypt. :


  1. HTTPS- ( ), , , .

  2. Let's Encrypt, CSR, LE . LE.


  3. .


  4. 7


350 .


- — , RTT , , WAF, CDN .

