CDN, monitoring #9

@RememberOurPromise

Source

When I was at Akamai about 5 years ago, I was involved in building the system for making their CDN compliant in China. There were two main features, and they were activated on all servers running inside mainland China (not HK, Macau or Taiwan).

  1. Logs of the CDN were sent in real time to the ministry of technology -- there was about a 15 minute delay if I remember correctly, and they could impose fines if they were delayed. The log included the URL visited, the IP address of the visitor, and a few other things. Perhaps the user agent? I forget.

  2. The ministry of technology had a special API to block URLs on the CDN. Basically, they provided a list of URLs that would return a 451, and of course those logs also went to the government.

No other country had this kind of access at the time, but it was considered critical for the business to continue to operate in China. As I understand it, these are required to comply with Chinese government regulations, and other CDNs like Cloudflare and CloudFront have also built similar capabilities. Perhaps jgrahamc can comment on what Cloudflare did?

I feel quite guilty about being involved with that project, but the business was set on building it, so I did what I could to limit the blast radius. I would not be surprised if someone got arrested or was killed because of it.

In short, when using a CDN only to forward traffic, use XHTTP + VLESS ENC.
