CloudWatch price cut

This was announced a while ago, but I only just came across it: "AWS Price Reduction – CloudWatch Metrics".

Compared with the 2011 pricing, this is a fairly large cut for CloudWatch: the smallest reduction is 40%, the portion above 10,000 metrics is cut by 80%, each tier gets a different reduction, and the top tier is cut by 96% (that is, 4% of the original price)...

Amazon EC2 uses seven CloudWatch metrics, so with the advanced (detailed) CloudWatch monitoring enabled the price drops from $3.50 to $2.10:

If you have EC2 Detailed Monitoring enabled you will also see a price reduction with per-month charges reduced from $3.50 per instance per month to $2.10 or lower based on the volume tier.

This is usually not a large part of the bill, but every bit of this price cut helps...


EC2 in VPC now supports IPv6

AWS has finally brought EC2 onto IPv6: "New – IPv6 Support for EC2 Instances in Virtual Private Clouds".

It is only available in US East (Ohio) (us-east-2) for now, though, and the m3.* and g2.* instance types are not supported yet:

IPv6 support for EC2 is now available in the US East (Ohio) Region and you can start using it today at no extra charge. It works with all current-generation EC2 instance types with the exception of M3 and G2, and will be supported on upcoming instance types as well.

You can see it but can't have it XDDD


Amazon Pinpoint: sending push notifications based on conditions over the data Amazon Mobile collects

This time AWS lets you define conditions over the data collected by Amazon Mobile and send push notifications based on them: "Amazon Pinpoint – Hit your Targets with AWS".

The feature set is a bit basic (competitors can presumably also send mail and the like), but released under the AWS name it effectively kills off another batch of competitors who haven't gotten off the ground yet...


Running Lambda at the CloudFront edge

So Amazon CloudFront now lets users run code at the edge (although it's currently a limited preview): "Lambda@Edge – Preview".

There are four stages where you can hook in and modify things: Viewer Request, Origin Request, Origin Response and Viewer Response. There are also some limits:

Because your JavaScript code will be part of the request/response path, it must be lean, mean, and self-contained. It cannot make calls to other web services and it cannot access other AWS resources. It must run within 128 MB of memory, and complete within 50 ms.

It has to fit within 128MB and cannot call other resources. That is still enough to do a lot with... basically it's a Turing machine :o
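As an added illustration of what fits within those limits (this is example code, not from the original post or from AWS), here is a Viewer Response handler in the callback style of the 2016 Node.js preview that adds a fixed set of security headers to every response CloudFront returns. It makes no network calls and touches no other AWS resources, so it stays well inside the 128 MB / 50 ms budget. The header values and the sample event are assumptions constructed for the example; the event shape mirrors a CloudFront viewer-response event.

```javascript
// Added example (not from the original post or from AWS): a Lambda@Edge
// "Viewer Response" handler that adds security headers to every response.
// Header values below are assumptions chosen for illustration.
const SECURITY_HEADERS = [
  // [lower-case name used as the map key, canonical header name, value]
  ['strict-transport-security', 'Strict-Transport-Security', 'max-age=31536000; includeSubDomains'],
  ['x-content-type-options', 'X-Content-Type-Options', 'nosniff'],
  ['x-frame-options', 'X-Frame-Options', 'DENY'],
  ['content-security-policy', 'Content-Security-Policy', "default-src 'self'"],
];

// Pure function: takes a CloudFront response object (headers keyed by
// lower-case name, each value an array of {key, value}) and returns a copy
// with the security headers added. Headers the origin already set are kept,
// so an origin that sends a stricter CSP is not weakened by the edge.
function addSecurityHeaders(response) {
  const headers = Object.assign({}, response.headers || {});
  for (const [name, key, value] of SECURITY_HEADERS) {
    if (!headers[name]) {
      headers[name] = [{ key, value }];
    }
  }
  return Object.assign({}, response, { headers });
}

// Lambda@Edge entry point, callback style as in the 2016 preview.
// No outbound calls, no other AWS resources: just header manipulation.
function handler(event, context, callback) {
  const response = event.Records[0].cf.response;
  callback(null, addSecurityHeaders(response));
}

// Constructed sample event shaped like a CloudFront viewer-response event.
const SAMPLE_EVENT = {
  Records: [{
    cf: {
      response: {
        status: '200',
        headers: { 'content-type': [{ key: 'Content-Type', value: 'text/html' }] },
      },
    },
  }],
};

// Stand-alone run: print the headers the viewer would receive.
handler(SAMPLE_EVENT, {}, (err, res) => {
  if (!err) console.log(JSON.stringify(res.headers, null, 2));
});
```

Because `addSecurityHeaders` is a pure function over the response object, it can be unit-tested locally without deploying anything; the Lambda wrapper only unpacks the event and hands the result to the callback.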


Fixing Galera Cluster's unnecessary SST behaviour

The Percona folks explain why Galera Cluster needs an SST (a full retransfer) rather than an IST (transferring only the write-sets that make up the difference) in some situations, and the improvement the vendor made in version 3.19: "Galera Cache (gcache) is finally recoverable on restart".

The reason is that the records IST needs are lost on restart, so when another node joins there is nothing to hand it and the donor falls back to SST:

The DONOR node caches missing write-sets in Galera cache, but on restart this cache is wiped clean and restarted fresh. So the DONOR node doesn’t have a Galera cache to donate missing write-sets.

Turning on the gcache.recover parameter enables the persisted cache, and you can also enable it only on selected nodes:

The user can set this option for all nodes, or selective nodes, based on disk usage.

And most importantly, it will only be in a later release, so we have to keep waiting...:

And yes, Percona XtraDB Cluster inherits this feature in its upcoming release.


InnoDB's buffer pool preload feature

The Percona folks discuss InnoDB's buffer pool preload feature: "Using the InnoDB Buffer Pool Pre-Load Feature in MySQL 5.7".

As the author says, hardware progress (mainly the rise of SSDs) has made preloading less important than it used to be:

Frankly, time has reduced the need for this feature. Five years ago, we would typically store databases on spinning disks. These disks often took quite a long time to warm up with normal database workloads, which could lead to many hours of poor performance after a restart. With the rise of SSDs, warm up happens faster and reduces the penalty from not having data in the buffer pool.

Since random reads on SSDs are fast, you can just put the server back into service and let it warm up while serving traffic. For InnoDB databases on spinning disks, on the other hand, it is still worth planning for, since random reads remain the pain point...


Microsoft to retire SHA-1 certificates on Valentine's Day 2017

After several changes of plan, Microsoft has announced that SHA-1 certificates will be retired next year: "SHA-1 deprecation countdown".

Affected are Internet Explorer 11 and Microsoft Edge, which will stop trusting SHA-1 certificates after February 14, 2017:

Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning.

As with the other vendors, there is still a path for SHA-1 certificates issued inside an enterprise to keep working:

This will only impact SHA-1 certificates that chain to a Microsoft Trusted Root CA. Manually-installed enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend for all customers to quickly migrate to SHA-256.


Some data from Google's CECPQ1 test...

Back in July I mentioned "Google Chrome introduces CECPQ1 and starts testing Post-Quantum Cryptography", and I just saw that Adam Langley has written up some numbers: "CECPQ1 results".

For now it looks like users on slow connections are affected the most: the slowest 5% of users are about 20ms slower, and the slowest 1% are 150ms slower:

Although the median connection latency only increased by a millisecond, the latency for the slowest 5% increased by 20ms and, for the slowest 1%, by 150ms. Since NewHope is computationally inexpensive, we're assuming that this is caused entirely by the increased message sizes. Since connection latencies compound on the web (because subresource discovery is delayed), the data requirement of NewHope is moderately expensive for people on slower connections.

Since the experiment is done, and TLS already has plans in this area, Google Chrome intends to pull the feature and wait for a standard:

At this point the experiment is concluded. We do not want to promote CECPQ1 as a de-facto standard and so a future Chrome update will disable CECPQ1 support. It's likely that TLS will want a post-quantum key-agreement in the future but a more multilateral approach is preferable for something intended to be more than an experiment.


Using uploaded files to bypass CSP restrictions

CSP can provide some simple protections, but with a poorly designed site they can still be bypassed.

This time it is done by uploading a valid JPEG file and then using it as a JavaScript file: "Bypassing CSP using polyglot JPEGs".

The leading "FF D8 FF E0" is listed in "List of file signatures" as "JPEG raw or in the JFIF or Exif file format", and those four bytes cause no problem when parsed as JavaScript. The next two bytes, "2F 2A", are the length of the JPEG header segment, and happen to be "/*", which comments out everything that follows; keep combining things the same way and you are through...

What this attack gets around is the CSP self restriction that forbids loading JavaScript from external sites, but it has some preconditions:

  • Users are allowed to upload files to the same domain.
  • The site has an XSS vulnerability.

The usual fix for the first precondition is to serve user uploads from a separate domain (ideally under a different top-level domain, fully isolated), which is what lets CSP actually reduce the risk...
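Besides the separate domain, an upload handler can refuse files whose JPEG structure only makes sense as the comment trick described above. The following Node.js check is an added example (not from the original post or the linked article): it walks the JPEG segment headers and rejects a file whose segment length bytes spell "/*" (0x2F 0x2A) or whose metadata payload contains the closing "*/". The sample buffers are constructed by hand; the polyglot-shaped one carries no script, only the six-byte prefix the check looks at.

```javascript
// Added example (not from the original post or the linked article): a
// defensive structure check for JPEG uploads, meant to run server-side
// before a file is stored. Sample inputs at the bottom are constructed.
const SOI = 0xffd8; // start-of-image marker
const SOS = 0xda;   // start-of-scan: entropy-coded data follows, stop walking

function checkJpeg(buf) {
  if (buf.length < 2 || buf.readUInt16BE(0) !== SOI) {
    return { ok: false, reason: 'not a JPEG (missing FF D8 SOI marker)' };
  }
  let pos = 2;
  while (pos + 2 <= buf.length) {
    if (buf[pos] !== 0xff) {
      return { ok: false, reason: `expected a marker at offset ${pos}` };
    }
    const marker = buf[pos + 1];
    if (marker === SOS) {
      return { ok: true, reason: 'segment structure looks normal' };
    }
    if (pos + 4 > buf.length) {
      return { ok: false, reason: 'truncated segment header' };
    }
    const length = buf.readUInt16BE(pos + 2); // includes the 2 length bytes
    if (length < 2) {
      return { ok: false, reason: 'invalid segment length' };
    }
    // The trick relies on the length bytes doubling as the ASCII text "/*"
    // (0x2F2A = 12,074 bytes). A real JFIF APP0 header is 16 bytes long, so
    // a header segment this size is a red flag on its own.
    if (length === 0x2f2a) {
      return { ok: false, reason: `segment FF ${marker.toString(16)} length bytes spell "/*"` };
    }
    if (pos + 2 + length > buf.length) {
      return { ok: false, reason: 'segment runs past end of file' };
    }
    // A closing "*/" inside metadata is the other half of the trick.
    const payload = buf.subarray(pos + 4, pos + 2 + length);
    if (payload.includes('*/')) {
      return { ok: false, reason: 'segment payload contains "*/"' };
    }
    pos += 2 + length;
  }
  return { ok: false, reason: 'truncated: no SOS marker found' };
}

// Constructed samples. A minimal well-formed header: SOI, 16-byte JFIF APP0, SOS.
const SAMPLE_NORMAL = Buffer.concat([
  Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]),
  Buffer.from('JFIF\0'),
  Buffer.from([0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00]),
  Buffer.from([0xff, 0xda]),
]);
// Polyglot-shaped prefix only: SOI, APP0, length bytes "/*". No script inside.
const SAMPLE_POLYGLOT_PREFIX = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x2f, 0x2a]);
// Normal length, but an APP1 payload that would close a JS comment.
const SAMPLE_COMMENT_IN_APP1 = Buffer.concat([
  Buffer.from([0xff, 0xd8, 0xff, 0xe1, 0x00, 0x0a]),
  Buffer.from('ab*/cdef'),
  Buffer.from([0xff, 0xda]),
]);

for (const [name, buf] of [
  ['normal', SAMPLE_NORMAL],
  ['polyglot prefix', SAMPLE_POLYGLOT_PREFIX],
  ['comment in APP1', SAMPLE_COMMENT_IN_APP1],
]) {
  const r = checkJpeg(buf);
  console.log(`${name}: ${r.ok ? 'accept' : 'reject'} (${r.reason})`);
}
```

This is defence in depth, not a replacement for the separate upload domain: the "*/" test can reject legitimate images with unusual EXIF comments, and a site that also serves uploads with the correct Content-Type and X-Content-Type-Options: nosniff stops browsers from executing an image as a script in the first place. Re-encoding every upload through an image library is the more thorough option, since it discards all original metadata.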


Improvements to Amazon S3

Even the venerable Amazon S3 has changed quite a bit: "Revolutionizing S3 Storage Management with 4 new features".

Among them, "S3 Object Tagging" lets you manage objects through tags, which adds some options on the management side. "S3 Analytics, Storage Class Analysis" analyzes access patterns so you can re-plan your storage policies accordingly.

I saw a former colleague say that CloudFront will support 2-tier caching, but I haven't seen an announcement yet, so I don't know how it is implemented... This would help large live streaming a lot; the load on the origin would be much lower.
