IE 與 Edge 推出更新,阻擋 SHA-1 憑證

微軟這幾天推出更新,IEEdge 將不會接受 SHA-1 憑證:「Microsoft Makes it Official, Cuts off SHA-1 Support in IE, Edge」。微軟的公告則是在「Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11」這邊。

根憑證不受影響 (所以企業自己產生的 Root CA 也不受影響):

Beginning May 9, 2017, Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning. This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates.

Amazon CloudFront 又增加東京機房了...

CloudFront 又增加東京的點了,這是第四個點:「Amazon CloudFront adds new Edge Locations in Tokyo, Japan and Dallas/Fort Worth, Texas」。

This is our fourth edge location in the Tokyo area and our third in Dallas, bringing the total number of CloudFront locations to 87 (including 76 points of presence and 11 regional edge cache locations).

不愧是亞洲的交換中心...

CloudFront 在慕尼黑加到第五個機房...

德國是歐洲區重要的交換中心,不過量大到可以讓 CloudFront 加到第五個點就頗意外的:「Announcing New Munich Edge Location for Amazon CloudFront, our 7th Edge Location in Germany」。

慕尼黑的第五個點,全德國第七個點:

The Munich location is our third location in Germany (joining Frankfurt and Berlin), and our 7th edge location in Germany bringing the total number of worldwide edge locations to 69.

CloudFront 的 Regional Edge Caches

Amazon CloudFront 前陣子宣佈了 two-tier 架構:「Announcing Regional Edge Caches for Amazon CloudFront」。

一般的 CDN 是 edge 收到後就打到 origin,這會使得 origin 的量比較大。而 two-tier 架構則是在中間疊一層降低對 origin 的量。這種架構對於直播時的 pattern 幫助很大:由於量很大,會需要用大量的 edge server 支撐,而 edge server 一多就對 origin 產生巨大的壓力。

一般直播 95% 的 hitrate 表示外面 20Gbps 的流量就會造成 origin 1Gbps 的流量,通常用 two-tier 可以拉到 98%+ (CDN vendor 有調整過可以到 99%+)。

這種技術在 Akamai 叫 Tiered Distribution,在 EdgeCast 叫 SuperPoP,而現在 CloudFront 也推出了,叫做 Regional Edge Cache:

The nine new Regional Edge Cache locations are in Northern Virginia, Oregon, São Paulo, Frankfurt, Singapore, Seoul, Tokyo, Mumbai, and Sydney.

edge 會先到這幾個 regional edge 再到 origin:

These locations sit between your origin webserver and the 68 global edge locations that serve traffic directly to your viewers.

然後預設都開啟了,沒有額外費用:

Regional Edge Caches are turned on by default for your CloudFront distributions; you do not need to make any changes to your distributions to take advantage of this feature. There are also no additional charges to use this feature.

不過這個架構對於 latency 應該不會太好,沒得關閉有點奇怪...

在 CloudFront 的 edge 上跑 Lambda

所以 Amazon CloudFront 讓使用者在 edge 上跑程式了 (雖然目前是 limited preview):「Lambda@Edge – Preview」。

分成 Viewer Request、Origin Request、Origin Response 以及 Viewer Response 四個階段可以插入修改。另外有些限制:

Because your JavaScript code will be part of the request/response path, it must be lean, mean, and self-contained. It cannot make calls to other web services and it cannot access other AWS resources. It must run within 128 MB of memory, and complete within 50 ms.

要在 128MB 內搞定,而且不能呼叫其他資源。不過這樣已經可以做很多事了... 基本上就是一台 turing machine 了 :o

微軟預定在 2017 年的西洋情人節淘汰 SHA-1 certificate

經過多次改動後,微軟這次宣佈 SHA-1 certificate 將在明年淘汰:「SHA-1 deprecation countdown」。

影響的範圍包括 Internet Explorer 11Microsoft Edge,在 2017 年 2 月 14 日之後不信任 SHA-1 certificate:

Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning.

與其他家類似,還是提供了管道讓企業內部建立的 SHA-1 certificate 可以用:

This will only impact SHA-1 certificates that chain to a Microsoft Trusted Root CA. Manually-installed enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend for all customers to quickly migrate to SHA-256.

Dropbox 在全球建機房加速...

Dropbox 為了加速傳輸,在全球到處建機房降低 latency:「Infrastructure Update: Pushing the edges of our global performance」。

就他們測試發現,透過 proxy server 降低 latency 的效果很不錯:

We’ve tested and applied this configuration in various markets in Europe and Asia. In France, for example, median download speeds are 40% faster after introducing proxy servers, while median upload speeds are approximately 90% faster. In Japan, median download speeds have doubled, while median upload speeds are three times as fast.

亞洲區是效能增加最多的...

CloudFront 持續擴建:香港

Amazon CloudFront 在香港又增加機房了,這樣就是香港的第三個機房... 畢竟還是亞洲區頻寬成本相較起來比較低的地方 (也是很多東南亞國家會交換的地區),有對應的需求就可以擴充:「Announcing Third Edge Location in Hong Kong for Amazon CloudFront」。

不過話說回來,台灣 PoP 其實主要還是卡中華的頻寬,像這樣三個圖可以理解為那個瞬間 HiNet 與 CloudFront 之間的頻寬滿了 (分別是從 HiNet、TFNFET 去 ping AWS 官網自己用的 d36cz9buwru1tt.cloudfront.net,取自 smokeping.kkbox.com.tw 這邊):

不過還是有時候可以看到全部導走,是 capacity 突然滿掉嗎?這就有點奇怪了...

Dropbox 的 Document Detecting

Dropbox 發表了他們所研究的 Document Detecting 技術:「Fast and Accurate Document Detection for Scanning」。

他們希望抓出這張圖裡面「文件」的「邊緣」:

Canny edge detector 會跑出這樣,很明顯多了很多不太正確的邊線,對於後續判斷上會困難不少:

剛好也是最近看到的另外一篇文章「Image Kernels Explained Visually」在講 Image Kernel,有些地方有點類似的東西,交叉看頗有感覺的...

Anyway,Dropbox 最後的成果很不錯啊,可以看示範:

Amazon S3 推出加速功能

Amazon S3 推出了新的加速功能,並且向更多地區提供 AWS Import/Export Snowball 服務:「AWS Storage Update – Amazon S3 Transfer Acceleration + Larger Snowballs in More Regions」。

其中的 Amazon S3 Transfer Acceleration 只要把本來的 BUCKET_NAME.s3.amazonaws.com 或是帶有地區的 BUCKET_NAME.s3-region.amazonaws.com 變成 BUCKET_NAME.s3-accelerate.amazonaws.com 就可以了,他會透過 CloudFront 的節點做 proxy,並且透過 AWS 內部最佳化過的網路傳輸。

由於這是定位為 Amazon S3 的服務,而實際測試後也確認不會有 cache:他的目的在於降低 latency 而加速,而不是 cache 加速,所以大量 GET 相同內容的部份應該還是用 CloudFront 會比較好。

再來是費用的部份增加相當多,第一筆要收的是 CloudFront 的費用,再來才是計算 Transfer Acceleration 的費用:

Transfer Acceleration pricing is in addition to Data Transfer pricing.

從 Internet 進 CloudFront 再進 Amazon S3 的要收 USD$0.04/GB (透過在美國、歐洲或是日本的 CloudFront 節點) 或 USD$0.08/GB (透過其他 CloudFront 節點)。

另外要收的是從 Amazon S3 一路傳到 Internet 的部份,USD$0.04/GB。如果是傳到其他 AWS region 的話,也是 USD$0.04/GB。

不過他有效能保證條款 (雖然掌控全不在自己),AWS 會持續監控有沒有比較快,如果沒有的話系統會 bypass 回原來的 Amazon S3:

Each time you use Transfer Acceleration to upload an object, we will check whether Transfer Acceleration is likely to be faster than a regular Amazon S3 transfer. If we determine that Transfer Acceleration is not likely to be faster than a regular Amazon S3 transfer of the same object to the same destination AWS region, we will not charge for that use of Transfer Acceleration for that transfer, and may bypass the Transfer Acceleration system for that upload.

我本來以為會是在 DNS 層 bypass 回本來的 region,結果發現是 307 redirect 重導回 Amazon S3 上,效能上應該還是會差一些...

可以看出這個架構的特性主要還是用在上傳的部份,而且用在網路不穩定的環境下很重要 (像是電信網路上的行動裝置),因為 latency 的減少會對於 packet loss 造成的 retry 有很大的幫助。

下載的部份應該會比本來 Amazon S3 快 (因為 Amazon 本身會加速),但由於沒有 cache,除非有特殊需求,不然建議不要這樣規劃。

另外一個是 AWS Import/Export Snowball 推出的新硬體,以及新區域。

新硬體是 80TB 的版本,本來只有 50TB 的版本:

The original Snowball appliances had a capacity of 50 terabytes. Today we are launching a newer appliance with 80 terabytes of capacity.

而新區域包括了 AWS GovCloud (US)、US West (Northern California)、Europe (Ireland) 以及 Asia Pacific (Sydney) 這三區:

Today we are making Snowball available in four new Regions: AWS GovCloud (US), US West (Northern California), Europe (Ireland), and Asia Pacific (Sydney). We expect to make Snowball available in the remaining AWS Regions in the coming year.

其中 80TB 版本只在這三區生效,其他區可以選擇 50TB 或是 80TB 版本:

If you are transferring data in or out of the US East (Northern Virginia), US West (Oregon), US West (Northern California), or AWS GovCloud (US) Regions using Snowball you can choose the desired capacity. If you are transferring data in or out of the Europe (Ireland) or Asia Pacific (Sydney) Regions, you will use the 80 terabyte appliance.

日本還是沒進場...