🏗? 1. 整體架構設計
🔹 1.1 系統架構概覽
🔹 1.2 組件交互關系
?? 2. 核心模塊深度分析
📝 2.1 配置管理系統
? 配置加載流程
💾 關鍵配置數據結構
class server_configuration {
public:int concurrent; int backlog; bool fast_open; struct {bool lan; bool wan; } turbo;struct {int http; int http_ssl; } listen;struct {std::string host; std::string http; std::string http_ssl;} reverse_proxy;struct {int timeout; } connect;
};
🔍 配置驗證算法
if (reverse_host.size()) {std::size_t index = reverse_host.find('.');if (index == std::string::npos) {reverse_host.clear(); }
}
IPEndPoint ipep = Ipep::GetEndPoint(reverse_server, false);
if (!IPEndPoint::IsInvalid(ipep)) {
}
🖧 2.2 網絡IO核心(Hosting)
🧱 線程模型
🔄 IO上下文分配
std::shared_ptr<boost::asio::io_context> Hosting::GetContext() noexcept {MutexScope scope_(lockobj_);if (contexts_.empty()) return nullptr;auto context_ = contexts_.front();contexts_.pop_front();contexts_.push_back(context_);return context_;
}
?? 超時管理機制
bool Hosting::WaitTimeout() noexcept {timeout_->expires_from_now(boost::posix_time::milliseconds(10));timeout_->async_wait([this](const boost::system::error_code& ec) {if (!ec) {now_ += 10; WaitTimeout(); }});return true;
}
🔐 2.3 協議處理引擎
🔹 2.3.1 TLS流程圖
🔑 SNI提取關鍵代碼
std::string sniproxy::fetch_sniaddr(size_t tls_payload) noexcept {Byte* data = (Byte*)local_socket_buf_;if (*data++ != 0x01) return ""; int length = fetch_length(data);data += 2; data += 32; Byte session_len = *data++;data += session_len;int cipher_len = fetch_uint16(data);data += cipher_len;int extensions_len = fetch_uint16(data);Byte* extensions_end = data + extensions_len;while (data < extensions_end) {int ext_type = fetch_uint16(data);int ext_len = fetch_uint16(data);if (ext_type == 0x0000) { int name_list_len = fetch_uint16(data);int name_type = *data++;if (name_type != 0x00) continue; int name_len = fetch_uint16(data);return std::string((char*)data, name_len);}data += ext_len;}return "";
}
🔹 2.3.2 HTTP處理流程
🔑 Host頭提取示例代碼
std::string sniproxy::do_httpd_handshake_host(MemoryStream& messages_) {std::vector<std::string> headers;Tokenize(std::string((char*)messages_.GetBuffer().get()), headers, "\r\n");std::vector<std::string> request_line;Tokenize(headers[0], request_line, " ");if (request_line.size() < 3) return "";const std::string& uri = request_line[1];if (uri.find("://") != std::string::npos) {size_t pos = uri.find("://") + 3;size_t end = uri.find('/', pos);if (end == std::string::npos) return uri.substr(pos);elsereturn uri.substr(pos, end - pos);}for (size_t i = 1; i < headers.size(); i++) {if (headers[i].find("Host:") == 0) {return headers[i].substr(6); }}return "";
}
🧭 3. 路由決策引擎
🚦 路由示意表
條件 | 動作 | 目標端點 |
---|
主機匹配CDN域名且協議為HTTP | 轉發到CDN | reverse_proxy.http |
主機匹配CDN域名且協議為HTTPS | 轉發到CDN | reverse_proxy.http_ssl |
主機不匹配CDN域名 | 直連 | 解析的IP地址 |
無效主機名 | 拒絕連接 | - |
保留IP地址(環回/組播) | 拒絕連接 | - |
🔑 域名匹配算法
bool sniproxy::be_host(std::string host, std::string domain) noexcept {host = ToLower(RTrim(LTrim(host)));domain = ToLower(RTrim(LTrim(domain)));if (host == domain) return true;std::vector<std::string> labels;if (Tokenize(domain, labels, ".") < 2) return false;std::vector<std::string> host_labels;Tokenize(host, host_labels, ".");if (host_labels.size() <= labels.size()) return false;size_t diff = host_labels.size() - labels.size();for (size_t i = 0; i < labels.size(); i++) {if (host_labels[i + diff] != labels[i])return false;}return true;
}
🔑 端點選擇邏輯
IPEndPoint sniproxy::select_endpoint(const std::string& hostname, int port, bool is_https) noexcept
{if (be_host(hostname, configuration_->reverse_proxy.host)) {const std::string& cdn_node = is_https ? configuration_->reverse_proxy.http_ssl :configuration_->reverse_proxy.http;return Ipep::GetEndPoint(cdn_node, false);}boost::system::error_code ec;boost::asio::ip::address address = boost::asio::ip::address::from_string(hostname, ec);if (ec) {return Ipep::GetEndPoint(hostname, port, true);}return IPEndPoint(address.to_string().c_str(), port);
}
🔥 4. 性能優化體系
🚀 4.1 網絡棧優化
參數 | 選項 | 適用場景 | 示例代碼 |
---|
TCP_NODELAY | 開啟 | 高吞吐/低延遲 | socket->set_option(no_delay(true)) |
TCP_FASTOPEN | 開啟 | 連接快速建立 | setsockopt(IPPROTO_TCP, TCP_FASTOPEN, ...) |
IP_TOS | 0x68 | QoS優化 | setsockopt(SOL_IP, IP_TOS, 0x68) |
SO_REUSEADDR | 開啟 | 端口復用 | acceptor->set_option(reuse_address(true)) |
IP_DONTFRAG | 禁用 | 路徑MTU發現 | setsockopt(IPPROTO_IP, IP_DONTFRAG, 0) |
🛠? 4.2 內存管理優化
template<typename T>
std::shared_ptr<T> make_shared_alloc(int length) noexcept {if (length < 1) return nullptr;size_t aligned_size = (length * sizeof(T) + 15) & ~15;
#ifdef JEMALLOCT* p = (T*)je_malloc(aligned_size);
#elseT* p = (T*)malloc(aligned_size);
#endifreturn std::shared_ptr<T>(p, [](T* ptr) {if (ptr) {
#ifdef JEMALLOCje_free(ptr);
#elsefree(ptr);
#endif}});
}
🕸? 5. CDN轉發機制深度解析
🌍 CDN架構示意圖
🔑 節點選擇算法
class CDNSelector {
public:struct Node {IPEndPoint endpoint;int weight;int current_connections;std::chrono::steady_clock::time_point last_checked;bool healthy;};CDNSelector(const std::vector<IPEndPoint>& nodes) {for (const auto& ep : nodes) {available_nodes.push_back({ep, 10, 0, std::chrono::steady_clock::now(), true});}}IPEndPoint select_node() {auto now = std::chrono::steady_clock::now();for (auto& node : available_nodes) {if (now - node.last_checked > std::chrono::seconds(30)) {node.healthy = check_node_health(node.endpoint);node.last_checked = now;}}Node* selected = nullptr;int min_score = std::numeric_limits<int>::max();for (auto& node : available_nodes) {if (!node.healthy) continue;int score = node.current_connections * 100 / node.weight;if (score < min_score) {min_score = score;selected = &node;}}if (selected) {selected->current_connections++;return selected->endpoint;}throw std::runtime_error("No available CDN nodes");}
private:bool check_node_health(const IPEndPoint& ep) {return true;}std::vector<Node> available_nodes;
};
🔥 6. 安全機制深度分析
🛡? 威脅模型
- DDoS攻擊(SYN洪水、連接耗盡)
- 協議攻擊(畸形TLS/HTTP包)
- 信息泄露(內存暴露、錯誤信息)
- 中間人攻擊(TLS攔截)
- 資源耗盡(文件描述符、內存)
🛡? 防御措施
? 7. 擴展性與未來演進
🚀 可擴展架構
結論 🌟
SNIProxy通過架構創新和深度優化,實現了:
- 🚀 高性能:零拷貝、智能內存池
- 🔐 安全保障:分層防御、協議校驗、隱私保護
- ? 高可靠:智能路由、健康檢查
- 🌱 易擴展:模塊化、插件系統