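Google CDN Enters Beta

There has been quite a bit of news in the CDN industry lately; one item is that Google CDN has entered beta, with Google serving traffic from the data centers it has deployed around the world.

Although it has entered beta, it still has a serious technical limitation: only GCE can be used as the origin server, which makes it much less practical: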

Origins
Delivers HTTP/HTTPS content originating from Compute Engine VM instances. External origin servers are not supported.

Some features differ from a typical CDN. One is Google's slogan about HTTPS, so HTTP and HTTPS cost the same. You can really just think of it as charging the HTTPS price for HTTP:

SSL Shouldn't Cost Extra
The web is moving to HTTPS, and your cacheable content should, too. With Cloud CDN, you can secure your content using SSL/TLS for no additional charge.

Another feature is that, technically, it claims to use Anycast entirely, rather than the DNS + Anycast you usually see:

Anycast
Serve all your content from a single IP address with low latency worldwide.

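In addition, the pricing differs from other CDNs in quite a few ways, and mainland China is handled separately.

First, it charges separately for Cache Egress (from the CDN to users) and Cache Fill (the CDN fetching resources from the origin), whereas typical CDNs charge only for Cache Egress.

Next, prices for mainland China are listed separately, with an explicit note that the service is not delivered directly from within mainland China: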

Traffic destined for mainland China is served from Google locations outside of mainland China. Performance and reliability may be lower than for traffic served from in-country locations.

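The implication is that they buy optimized bandwidth separately to serve it, but it still won't be as good as having data centers inside mainland China; the upside is that no license such as an ICP is needed.

Still, I have to say the prices are actually quite cheap, for both Europe/America and Asia.

Let's Encrypt Announces It Is Leaving Beta

Let's Encrypt has announced it is leaving beta and is officially open: "Leaving Beta, New Sponsors".

While looking through material I found that the limits had already been relaxed on 3/26 this year: "Rate Limits for Let’s Encrypt".

First, a single certificate can include only 100 hostnames, the same as before: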

Names/Certificate is the limit on how many domain names you can include in a single certificate. This is currently limited to 100 names, or websites, per certificate issued.

Next, the number you can request per week goes from 5 hostnames to 20; also, renewals used to count against the quota and now they no longer do:

Certificates/Domain limits how many certificates can be issued that contain a single registered domain*.
This is limited to 20 certificates per domain per week. Exception: When you request a certificate with the same exact set of FQDNs as previously-issued certificate, this rate limit does not apply, but the one below does.

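I wonder whether the limits will be relaxed further...

Docker Uses xhyve and Hyper-V on Mac and Windows

Docker has started supporting other VM hosts on Mac OS X and Windows: "Docker for Mac and Windows Beta: the simplest way to use Docker on your laptop".

Previously, on Mac OS X and Windows you had to use VirtualBox to run a Linux host, and now you can use xhyve and Hyper-V. I also just noticed that the Linux part has moved to Alpine Linux (not sure whether that changed this time):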

Faster and more reliable: no more VirtualBox! The Docker engine is running in an Alpine Linux distribution on top of an xhyve Virtual Machine on Mac OS X or on a Hyper-V VM on Windows, and that VM is managed by the Docker application. You don’t need docker-machine to run Docker for Mac and Windows.

Slack Starts Testing Voice Calls

Slack has started testing voice calls: "Making voice calls in Slack"; it is currently in beta:

Keep in mind: Calls (beta) is currently voice only and desktop only. Video, screen sharing, and mobile support will come in the future.

It includes one-to-one (open to all plans) and group (open to paid plans).

The troubleshooting notes mention technical issues, and you can also glean a few things from them:

If Slack is having trouble establishing a call connection, check the following settings, or ask your IT admin to do so:

  • Set your network to allow outbound UDP connections to port 22466.
  • Make sure your network is allowing incoming traffic from UDP 22466.

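The feature set keeps getting more complete...

Let's Encrypt Enters Public Beta, Open to the Public

Let's Encrypt has entered Public Beta, which means you no longer need to submit an application to use it: "Entering Public Beta".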

We’re happy to announce that Let’s Encrypt has entered Public Beta. Invitations are no longer needed in order to get free certificates from Let’s Encrypt.

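Incidentally, while looking through material I found Namecheap hitting back at Let's Encrypt, and all I can say is that it's an ugly look: "SSL from Namecheap - What's the difference: Encryption, Validation & Trust".

People choose Namecheap's SSL certificates not because they are good but because they are cheap, plus the company isn't as evil as GoDaddy.

Now that a free SSL certificate has come out to compete (so they simply can't win), they resort to FUD attacks, which is an extremely ugly look. Someone has rebutted the many wrong claims in Namecheap's article: "Comment on Namecheap's SSL".

Next I should be able to get quite a few to play with, and write up an article that works out the steps for applying and automatic renewal...

Let's Encrypt Scheduled to Enter Public Beta on December 3, 2015

Let's Encrypt has announced it will enter Public Beta on 2015/12/03, meaning you can use it without filling in an extra application form: "Public Beta: December 3, 2015".

Since 2015/09/19, 11K SSL certificates have been issued so far: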

Our Limited Beta started on September 12, 2015. We’ve issued over 11,000 certificates since then, and this operational experience has given us confidence that our systems are ready for an open Public Beta.

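My guess is that the large increase only came after the cross sign gained support from mainstream browsers...

Switching My Home Machine to a Let's Encrypt SSL Certificate

Following the instructions in "Beta Program Announcements", I filled in the form to apply for a Let's Encrypt SSL certificate (for home.gslin.org first), waited several days, got the email just now and set it up; it went quite smoothly.

You can see it is signed by Let's Encrypt Authority X1 and DST Root CA X3, and the latter is already trusted by most browsers.

First, fetch the letsencrypt client: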

$ git clone https://github.com/letsencrypt/letsencrypt

Then run the validation:

$ cd letsencrypt
$ ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly

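When it runs, it first sets up the environment (since it needs to write into /etc/letsencrypt, root or sudo privileges are required).

Next, some screens pop up for you to configure, including the hostname and contact information, and then the validation method (I was offered apache or the standalone web server). Since my port 443 is already taken by apache, I need to use apache.

Finally, on successful validation it shows: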

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/home.gslin.org/fullchain.pem. Your cert will
   expire on 2016-02-02. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.

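The validity period is 90 days. Although the message mentions fullchain.pem, each file is actually stored separately; looking at the files under /etc/letsencrypt/live/home.gslin.org/ and configuring the corresponding cert/chain/key is probably still the more familiar approach.

The current official recommendation is to renew every 60 days; perhaps it could be set up as a cron job that renews automatically every two months (and reloads apache).

Let's Encrypt's Limited Beta

The program Let's Encrypt launched after obtaining the cross sign provided by IdenTrust (see "Let's Encrypt Officially Sets Off"): "Beta Program Announcements".

You first have to fill in a Google Forms form and wait; once approved, you have to specify the production server before it is issued.

Note that SSL certificates issued by Let's Encrypt are shorter-lived, valid for only 90 days; by design they rely on an automated mechanism for renewal, so in theory this shouldn't be a problem: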

Certificates from Let's Encrypt are valid for 90 days. We recommend renewing them every 60 days to provide a nice margin of error. As a beta participant, you should be prepared to manually renew your certificates at that time. As we get closer to General Availability, we hope to have automatic renewal tested and working on more platforms, but for now, please play it safe and keep track.

Then there are registration limits, split into two: Registrations/IP address and Certificates/Domain:

There are two rate limits in play: Registrations/IP address, and Certificates/Domain.

The former is limited to 10 per day:

Registrations/IP address limits the number of registrations you can make in a given day; currently 10. This means you should avoid deleting the /etc/letsencrypt/accounts folder, or you may not be able to re-register.

The latter limits each domain to only 4 certificates:

Certificates/Domain you could run into through repeated re-issuance. This limit measures certificates issued for a given combination of Top Level Domain + Domain. This means if you issue certificates for the following domains, at the end you would have what we consider 4 certificates for the domain example.com.

That should be enough for testing.
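
As an added example (not code from Let's Encrypt or from the original posts), the Certificates/Domain accounting quoted here and in the "Rate Limits for Let’s Encrypt" post above can be checked locally before requesting a certificate. It uses the 100-name and 20-per-week figures quoted on this page; the last-two-labels registered_domain helper, check_request, and the sample history are assumptions made for illustration.

```python
from datetime import datetime, timedelta

MAX_NAMES_PER_CERT = 100    # "Names/Certificate" figure quoted on this page
MAX_CERTS_PER_DOMAIN = 20   # "Certificates/Domain" per-week figure quoted on this page
WINDOW = timedelta(days=7)


def registered_domain(fqdn):
    # Assumption: the registered domain is the last two labels (example.com).
    # Suffixes such as co.uk need the Public Suffix List, which is omitted here.
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def check_request(names, history, now, limit=MAX_CERTS_PER_DOMAIN):
    """Return (allowed, reason) for a certificate request covering `names`.

    history: list of (issued_at, frozenset_of_fqdns) for certificates already issued.
    """
    wanted = frozenset(n.lower().rstrip(".") for n in names)
    if not wanted:
        return False, "no names requested"
    if len(wanted) > MAX_NAMES_PER_CERT:
        return False, "more than %d names in one certificate" % MAX_NAMES_PER_CERT
    # Exact same FQDN set as an earlier certificate: the quoted rule exempts it
    # from Certificates/Domain. The other limit that quote refers to is not on
    # this page and is not modelled.
    if any(s == wanted for _, s in history):
        return True, "same FQDN set as a previous certificate (renewal)"
    recent = [s for t, s in history if now - t < WINDOW]
    for domain in sorted({registered_domain(n) for n in wanted}):
        used = sum(1 for s in recent
                   if domain in {registered_domain(n) for n in s})
        if used >= limit:
            return False, "%s already has %d certificates this week" % (domain, used)
    return True, "within limits"


# Constructed sample history: 20 certificates for distinct hosts under example.com.
NOW = datetime(2016, 4, 12)
HISTORY = [(NOW - timedelta(hours=i), frozenset(["h%d.example.com" % i]))
           for i in range(20)]

if __name__ == "__main__":
    print(check_request(["new.example.com"], HISTORY, NOW))  # blocked by the weekly limit
    print(check_request(["h3.example.com"], HISTORY, NOW))   # renewal, exempt
```

Keeping /etc/letsencrypt intact matters for this kind of bookkeeping too, since the quoted text warns that deleting the accounts folder forces a re-registration that counts against Registrations/IP address.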