ブログサービスのHTTPS化を支えたAWSで作るピタゴラスイッチ / The construction of large scale TLS certificates management system with AWS

1.

ϒϩάαʔϏεͷ  HTTPSԽΛࢧ͑ͨ  AWSͰ࡞ΔϐλΰϥεΠον id:aereal

2.

staﬀ.hatenablog.com/entry/2018/06/13/160000 ಠࣗυϝΠϯͰӡ༻͞Ε͍ͯΔϒϩά͕ɺ HTTPSͰ഑৴Ͱ͖ΔΑ͏ʹͳΓ·ͨ͠

3.

None

4.

࿩͢͜ͱ • ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ • എܠͱཁٻ • ࣮૷ͷ঺հ • ্هࣄྫΛݩʹෳࡶͳόον =
ϐλΰϥεΠονߏஙͷ  ΤοηϯεΛߟ͑ͯΈΔ

5.

ࣗݾ঺հ • id:aereal • GitHub: aereal • Twitter: aereal •
ϒϩά౷߹νʔϜ  ΞϓϦέʔγϣϯΤϯδχΞ  ςοΫϦʔυ

6.

എܠ ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ

7.

• ͸ͯͳϒϩάPro (༗ྉϓϥϯ) ʹਃ͠ࠐΉͱ  ಠࣗυϝΠϯͰࣗ෼ͷϒϩάΛ഑৴Ͱ͖Δ • ݱࡏɺສ୯ҐͷಠࣗυϝΠϯ͕ొ࿥ɾར༻͞Ε͍ͯΔ • ͜ΕΒͷಠࣗυϝΠϯͰ΋ৗ࣌HTTPS഑৴͍ͨ͠

8.

Let's Encrypt • ISRG = Internet Security Research Group͕ఏڙ͢Δ  ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ
(CA) • ͜Ε·ͰTLSূ໌ॻΛൃߦ͢Δʹ͸  ͦͦ͜͜ͷֹۚͱख͕ؒඞཁ͕ͩͬͨɺͦΕΛม͑ͨCA • LEͷొ৔ʹΑΓTLSূ໌ॻͷେྔൃߦ͕ݱ࣮తʹͳͬͨ

9.

developer.hatenastaﬀ.com/entry/2018/06/04/140000 ͸ͯͳϒϩάͷHTTPSԽ࣮ࢪʹ൐͍, Let's Encrypt΁ͷد෇Λ࣮ࢪ͠·ͨ͠  - Hatena Developer Blog

10.

• LEͷొ৔͸࿕ใ͕ͩ͜Ε͚ͩͰ͸଍Γͳ͍ • ສ୯ҐͷTLSূ໌ॻΛ؅ཧ͢Δઓज़ɾઓུ͕͚͍ܽͯΔ • ഑৴ͱൃߦʹେ͖͘෼͚ͯΈΔ

11.

ཁ݅ͷݕ౼: ഑৴ ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ

12.

HTTPS഑৴: ͓͞Β͍ • ͸ͯͳϒϩάͰ͸ສ୯ҐͷಠࣗυϝΠϯ͕ར༻͞Ε͍ͯΔ • ҰൠతͳWebαΠτӡ༻ͷײ֮ͩͱφʔόε͗͢Δ • ສ୯Ґͷূ໌ॻΛҰ౓ʹಡΈࠐΉͱ  proxyͷϝϞϦ࢖༻ྔ͕ஶ͘͠૿Ճ͢Δ •
proxyͷ࠶ىಈʹ΋͕͔͔࣌ؒΔ

13.

SAN? • = Subject Alternative Names  1ͭͷূ໌ॻʹෳ਺υϝΠϯΛඥ෇͚Δ֦ு • ݁࿦͔Βݴ͏ͱ͸ͯͳϒϩάͷέʔεͰ͸೉͍͠ •
LEͰSANΛར༻͢Δ৔߹ɺACME challenge͸dns-01ͷΈ ར༻Ͱ͖Δ (ݱࡏ) • DNSઃఆ͸֤ϢʔβʔʹҕͶΒΕΔͷͰࣗಈԽͰ͖ͳ͍

14.

ACME? • ACME: Automated Certiﬁcate Management Environment • ূ໌ॻൃߦͳͲͷ࡞ۀΛ  ࣗಈԽ͢ΔϓϩτίϧΛ·ͱΊͨ࢓༷
• ACME challenge: υϝΠϯͷॴ༗ݖݶΛ֬ೝ͢Δํ๏ • Google AnalyticsͷΞϨΈ͍ͨͳ΍ͭ • LE͕ࡦఆɾ࠾༻͍ͯ͠Δ

15.

ACME challenge? • dns-01: υϝΠϯͷTXTϨίʔυʹϫϯλΠϜτʔΫϯΛॻ ͖ࠐΉ • http-01: CAͷϦΫΤετʹର͠ॴఆͷϨεϙϯεΛฦ͢ •
ྫ: /.well-known/TOKEN • (ଞʹ΋͍Ζ͍Ζ)

16.

HTTPS഑৴: ͓͞Β͍ (࠶) • ͸ͯͳϒϩάͰ͸ສ୯ҐͷಠࣗυϝΠϯ͕ར༻͞Ε͍ͯΔ • ҰൠతͳWebαΠτӡ༻ͷײ֮ͩͱφʔόε͗͢Δ • ສ୯Ґͷূ໌ॻΛҰ౓ʹಡΈࠐΉͱ  proxyͷϝϞϦ࢖༻ྔ͕ஶ͘͠૿Ճ͢Δ
• proxyͷ࠶ىಈʹ΋͕͔͔࣌ؒΔ

17.

HTTPS഑৴: ํ਑ • ϦΫΤετຖʹ౎౓ূ໌ॻΛબ୒ɾಡΈࠐΉ • ϝϞϦ࢖༻ྔͷ૿Ճ΍࠶ىಈ࣌ؒͷѱԽΛ཈͑Δ • ෳ਺୆proxyʹରԠ͢ΔͨΊσʔλετΞʹূ໌ॻΛอଘ • ͔͠΋ϨΠςϯγΛѱԽͤͣ͞ʹ࣮ݱ͢Δ
• ϩʔΧϧΩϟογϡ

18.

ཁ݅ͷݕ౼:ൃߦ ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ

19.

ূ໌ॻൃߦ • Ұ؏ੑɾ໢ཏੑ͕ٻΊΒΕΔ • ൃߦʹࣦഊ͠ଓ͚Δͱϒϩά͕ӾཡͰ͖ͳ͘ͳΔ • ແޮͳυϝΠϯΛ์ஔͯ͠΋͍͚ͳ͍ • ཁٻ͸ߴ͍͕ෆ࣮֬ੑ͸ߴ͍ •
ূ໌ॻΛߋ৽͢ΔࡍɺυϝΠϯ਺ʹର͠εέʔϧ͢Δ͜ͱ

20.

ແޮͳυϝΠϯͷ࡟আ • ແޮͳυϝΠϯ = ඞͣACME challengeʹࣦഊ͢Δ • LEʹ͸ΞΧ΢ϯτ * time
window͝ͱʹࣦഊͷ্ݶ͕͋Δ • ์ஔ͢ΔͱඞͣAPI limitʹ͋ͨͬͯ͠·͏ • ࣦഊͨ͠υϝΠϯ͸ඞͣ࡟আ

21.

ূ໌ॻൃߦ: ෆ࣮֬ੑ • υϝΠϯͷ༗ޮੑ͸มΘΓ͏Δ • ՝ۚऴྃ • DNSϨίʔυҟৗ • ֎෦API
= LEͱͷ౷߹ • API Limit • ద੾ͳϦτϥΠͱΤϥʔϦΧόϦ͕ඞਢ

22.

ূ໌ॻൃߦ: εέʔϥϏϦςΟ • ର৅υϝΠϯ਺ͷ૿Ճʹର͠εέʔϧ͢Δ࢓૊Έʹ͍ͨ͠ • SELECT * FROM custom_domain WHERE
id > ?  Έ͍ͨͳΫΤϦ͸ආ͚͍ͨ • υϝΠϯ਺͕૿͑Δͱϖʔδϯά͕ඞཁ • ࣮ߦ్தͰࣦഊͨ͠ΒɺϦτϥΠΩϡʔʹೖΕ௚͢Α͏ ͳ޻෉ΛڽΒ͞ͳ͍ͱ͍͚ͳ͘ͳΔ

23.

γεςϜͷཁ݅: ·ͱΊ • ϦΫΤετຖʹূ໌ॻΛऔಘɾ࢖༻ • Ͱ͖Δ͚ͩ௿ϨΠςϯγͰ • Τϥʔ଱ੑ͕ߴ͍ • ࣦഊͨ͠Βऔಘର৅ͷυϝΠϯ͔Β֎͢
• ֎෦API௨৴ͷΤϥʔΛద੾ʹॲཧͰ͖Δ • υϝΠϯ਺ͷ૿Ճʹεέʔϧ͢Δ

24.

γεςϜͷ঺հ ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ

25.

cert-dispatcher cert-cache-gw cert-store cert-cache User Blog HTTP ssl_handshake_handler HTTP Get/Set
Get ഑৴

26.

഑৴γεςϜ • ngx_mruby: ূ໌ॻಡΈࠐΈ࣌ʹmrubyͷίʔυΛ࣮ߦ • cache gateway΁HTTP GET͢Δ͚ͩ • https://github.com/matsumotory/ngx_mruby
• cache gateway (Go): HTTP GET͢Δͱূ໌ॻΛฦ͢ • DynamoDB: ূ໌ॻΛอଘ͢ΔσʔλετΞ

27.

cache gateway • AWS (DynamoDB) APIݺͼग़͠ΛHTTP APIʹม͑Δ • mrubyʹ͸AWS SDK͕ͳ͍
• ಉډ͢Δmemcachedʹ΋ಡΈॻ͖͠ɺ  DynamoDB΁ͷΞΫηεΛͰ͖Δ͚ͩݮΒ͢

28.

Get ഑৴

29.

Get ഑৴

30.

Get ഑৴

31.

Get ഑৴

32.

Get ഑৴

33.

഑৴γεςϜ • ngx_mrubyΛ࢖ͬͯϦΫΤετຖʹূ໌ॻΛऔಘͰ͖ͨ • proxyʹಉډͨ͠memcachedΛ࢖͏͜ͱͰ  DynamoDB΁ͷϦΫΤετΛݮΒ͠ϨΠςϯγΛԼ͛ͨ

34.

cert-updater-state cert-updater-function cert-update-notiﬁer Let's Encrypt cert-store cert-lifecycle-store Blog HTTP HTTP
࣮ߦ ࣮ߦ UpdateItem UpdateItem ূ໌ॻൃߦ ࣮ߦ ূ໌ॻൃߦ

35.

ূ໌ॻൃߦγεςϜ • cert-updater-state: AWS StepFunctions; ֤LambdaΛىಈ • Τϥʔ಺༰ʹԠͨ͡ϦΧόϦɾϦτϥΠ (ޙड़) •
cert-updater-function: AWS Lambda; ূ໌ॻΛൃߦɺ DynamoDB΁ॻ͖ࠐΈ • cert-update-notiﬁer: Lambda; ੒൱Λ͸ͯͳϒϩά΁௨஌

36.

None

37.

None

38.


39.


40.


41.


42.


43.


44.

AWS SFn: ϦτϥΠ "Retry": [ { "ErrorEquals": ["ErrMaybeRecoverable"], "IntervalSeconds": 1,
"MaxAttempts": 3, "BackoffRate": 2.0 } ], "Catch": [ { "ErrorEquals": ["States.TaskFailed"], "Next": "Notify result to Hatena-Epic" } ],

45.


46.


47.


48.

ূ໌ॻൃߦγεςϜ • AWS StepFunctionsΛ࢖ͬͯద੾ͳΤϥʔॲཧΛ࣮ݱ • Ϧιʔε্ݶʹୡ͢ΔͳͲ  ҟৗऴྃͨ࣌͠͸ଈ࠲ʹ݁ՌΛ௨஌ • APIݺͼग़ࣦ͠ഊͳͲϦτϥΠՄೳͳ࣌͸ϦτϥΠ

49.

cert-reissue-state cert-reissue-conﬁrmer cert-updater-state-caller cert-cleanup-function Blog cert-lifecycle-store cert-update-trigger cert-updater-state cert-store ࣮ߦ
࣮ߦ ࣮ߦ ࣮ߦ ࣮ߦ HTTP TTL Trigger DeleteItem ূ໌ॻൃߦ  (ߋ৽)

50.

ূ໌ॻൃߦ: ߋ৽ • DynamoDBͷTTL Trigger͕Lambdaܦ༝ͰSFnΛىಈ • cert-reissue-conﬁrmer: ͸ͯͳϒϩάʹυϝΠϯ༗ޮੑΛ໰ ͍߹Θͤͯɺߋ৽͢Δඞཁ͕͋Δ͔Λޙଓʹ఻͑Δ •
cert-cleanup-function: ແޮͳυϝΠϯΛDynamoDB͔Βফ ͢

51.

cert-lifecycle-store  (DynamoDB) Domain: ex1.example.com ExpiresAt: 2018-05-23T02:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00
Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

52.

Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

53.


54.

cert-lifecycle-store  (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

55.

cert-lifecycle-store  (DynamoDB)

56.

publish SELECT * FROM ... ࣮ߦ

57.

Τϥʔॲཧ͕؆ܿʹ • όονॲཧͩͱ: औಘͨ͠ෳ਺ͷυϝΠϯΛϧʔϓͰॲཧ • = ॲཧ୯Ґ͕ෳ਺υϝΠϯʹͳΔ • Ұ෦ͷυϝΠϯ͕ࣦഊͨ࣌͠ɺόονॲཧશମͷ  εςʔλε͸Ͳ͏͢Δ?
੒ޭ? ࣦഊ? • pub/subͩͱ: Ҿ਺ͱͯ͠౉ͬͨυϝΠϯ1ͭΛॲཧ͢Δ • = ॲཧ୯Ґ͕υϝΠϯ1ͭʹͳΔ

58.


59.


60.


61.


62.


63.


64.


65.


66.

cert-reissue-state "Determine next state": { "Comment": "࣍ͷঢ়ଶΛܾఆ͠·͢", "Type": "Choice", "Choices":
[ { "Variable": "$.UpdateRequired", "BooleanEquals": true, "Next": "Call reissue of certificate" }, { "Variable": "$.UpdateRequired", "BooleanEquals": false, "Next": "Clean up of certificate" } ] },

67.


68.


69.

ূ໌ॻߋ৽γεςϜ • σʔλϑϩʔΛpub/subͰγϯϓϧʹ • ॳճൃߦ΋ߋ৽࣌΋DynamoDBͷI/O͚͕ͩൃੜ͢Δ • DynamoDB TTL TriggerΛ׆༻ •
ঢ়ଶ = σʔλΛதԝʹू໿

70.

࠶ܝ: ഑৴γεςϜ • ngx_mrubyΛ࢖ͬͯϦΫΤετຖʹূ໌ॻΛऔಘͰ͖ͨ • proxyʹಉډͨ͠memcachedΛ࢖͏͜ͱͰ  DynamoDB΁ͷϦΫΤετΛݮΒ͠ϨΠςϯγΛԼ͛ͨ

71.

࠶ܝ: ূ໌ॻൃߦγεςϜ • AWS StepFunctionsΛ࢖ͬͯద੾ͳΤϥʔॲཧΛͰ͖ͨ • Ϧιʔε্ݶʹୡ͢ΔͳͲ  ҟৗऴྃͨ࣌͠͸ଈ࠲ʹ݁ՌΛ௨஌ • APIݺͼग़ࣦ͠ഊͳͲϦτϥΠՄೳͳ࣌͸ϦτϥΠ

72.

ߟ࡯ ϐλΰϥεΠονͷ࡞Γํ

73.

ڊେͳόονͷ೉͠͞ • ࣮ߦεςοϓશ༰Λ೺Ѳ͢Δ͜ͱͷ೉͠͞ • શମͰεςοϓ͕͜Ε͚ͩ͋Δ • Ͳ͜ͷεςοϓͰࣦഊͨ͠ͷ͔ • ॲཧ୯Ґ͕େ͖͘ͳΓ͕ͪ •
ඞવͱ࣮ߦ࣌ؒ΋௕Ҿ͖͕ͪ • Ұ෦͚ࣦͩഊͨ࣌͠ɺ࣮ߦͷঢ়ଶ͸੒ޭ? ࣦഊ?

74.

΅͘ͷ͔Μ͕͍͖͑ͨ͞ΐ͏ ͷϐλΰϥεΠον • ϫʔΫϑϩʔΤϯδϯͷಋೖ • ࣮ߦεςοϓશ༰Λ೺Ѳ͠΍͘͢ • ͦΕͱߴ౓ʹ౷߹͞Εͨόον࣮ߦ؀ڥ͕͋Δͱͳ͓Α͍ • pub/subϞσϧͰର৅σʔλͷ૿Ճʹର͠εέʔϧͤ͞Δ
• ॲཧ͢Δσʔλ୯ҐΛෳ਺ˠ1ͭ΁ • ͍ͭͰʹσʔλετΞ΁ঢ়ଶ͕ڽू͞ΕΔ

75.

෼ׂ౷࣏ • খ͞ͳؔ਺΍ΫϥεΛ࡞ΓɺͦΕΒΛ૊Έ߹ΘͤΔ͜ͱΛ ීஈ͔Βҙࣝͯ͠΍͍ͬͯΔ͸ͣ • ʹ΋ؔΘΒͣόον͕ڊେʹͳΓ͕ͪͳͷ͸ͳͥͳͷ͔? • ύϑΥʔϚϯε • ߹੒Մೳ
(composable) Ͱ͸ͳ͍

76.

෼ׂ౷࣏ • খ͞ͳؔ਺΍ΫϥεΛ࡞ΓɺͦΕΒΛ૊Έ߹ΘͤΔ͜ͱΛ ීஈ͔Βҙࣝͯ͠΍͍ͬͯΔ͸ͣ • ʹ΋ؔΘΒͣόον͕ڊେʹͳΓ͕ͪͳͷ͸ͳͥͳͷ͔? • ύϑΥʔϚϯε • ߹੒Մೳ
(composable) Ͱ͸ͳ͍

77.

߹੒ՄೳΛࢧ͑Δٕज़ • 2ͭͷεςοϓͷ௚ྻ࣮ߦΛೋ߲ԋࢉͱΈͳͯ͠ΈΔ • operand: ੹೚ൣғ͕খ͍͜͞ͱ • operator: ༷ʑͳ๏ଇΛຬͨ͢͜ͱ •
݁߹ଇɺ෼഑ଇ

78.

ہॴঢ়ଶΛ࣋ͨͳ͍ • ঢ়ଶ = มߋՄೳͳσʔλ • άϩʔόϧʹͨͩ1ͭͷঢ়ଶΛ࣋ͭ͜ͱ͕େࣄ • Ճ͑ͯঢ়ଶΛมߋ͢Δཁૉ͕୯ҰͰ͋Δ͜ͱ

79.

άϩʔόϧม਺? • άϩʔόϧม਺͸ѱͱ͍͏ߟ͑ํͱ൓͠ͳ͍͔?  → ͠ͳ͍ • ঢ়ଶΛมߋ͢Δཁૉ͕୯ҰͳΒɺ  ֤࣮ߦεςοϓ͸ঢ়ଶΛड͚औͬͯ৽ͨͳσʔλΛฦ͢  ؔ਺ͱΈͳͤΔ

80.

// ϫʔΫϑϩʔΤϯδϯͷঢ়ଶ { "domain": "www.example.com", "endpoint": "https://...." } // ͋Δόονͷೖྗ
{ "domain": "www.example.com" }

81.

// ϫʔΫϑϩʔΤϯδϯͷঢ়ଶ { "domain": "www.example.com", "endpoint": "https://...." } // ͋Δόονͷೖྗ
{ "domain": "www.example.com" } άϩʔόϧঢ়ଶΛҾ਺΁ม׵͢Δ  (όον͔Βͷมߋ͸ෆՄ)

82.

// ϫʔΫϑϩʔΤϯδϯͷঢ়ଶ { "updateRequired": true, "domain": "www.example.com", "endpoint": "https://...." }
// ͋Δόονͷग़ྗ { "updateRequired": true }

83.

// ϫʔΫϑϩʔΤϯδϯͷঢ়ଶ { "updateRequired": true, "domain": "www.example.com", "endpoint": "https://...." }
// ͋Δόονͷग़ྗ { "updateRequired": true } όονͷग़ྗΛάϩʔόϧͳঢ়ଶ΁ม׵  (౰વɺग़ྗ͸ޙ͔ΒมߋෆՄ)

84.

όονॲཧͷ߹੒ • operand: ֤εςοϓ • operator: ϫʔΫϑϩʔΤϯδϯ

85.

όονॲཧͷ߹੒ • operand: ֤εςοϓ; AWS Lambda • operator: ϫʔΫϑϩʔΤϯδϯ; AWS
StepFunctions

86.

΅͘ͷ͔Μ͕͍͖͑ͨ͞ΐ͏ͷ ϐλΰϥεΠον@͸ͯͳϒϩά • ϫʔΫϑϩʔΤϯδϯ: AWS StepFunctions • ……ͱͦΕΒ͔Β࣮ߦ͞ΕΔAWS Lambda •
pub/sub: DynamoDB TTL Trigger

87.

࠶: ΅͘ͷ͔Μ͕͍͖͑ͨ͞ΐ͏ ͷϐλΰϥεΠον • ϫʔΫϑϩʔΤϯδϯͷಋೖ • ࣮ߦεςοϓશ༰Λ೺Ѳ͠΍͘͢ • ͦΕͱߴ౓ʹ౷߹͞Εͨόον࣮ߦ؀ڥ͕͋Δͱͳ͓Α͍ •
pub/subϞσϧͰର৅σʔλͷ૿Ճʹର͠εέʔϧͤ͞Δ • ॲཧ͢Δσʔλ୯ҐΛෳ਺ˠ1ͭ΁ • ͍ͭͰʹσʔλετΞ΁ঢ়ଶ͕ڽू͞ΕΔ

88.

·ͱΊ

89.

·ͱΊ • ιϑτ΢ΣΞߏஙҰൠͷݪଇ͕࢖͑Δ • άϩʔόϧͳঢ়ଶΛ࣋ͨͳ͍ɾม͑ͳ͍ɾ࣋ͪࠐ·ͤͳ͍ • ॲཧ୯ҐΛͰ͖Δ͚ͩখ͘͞ɺࣦഊΛ೺Ѳ͠΍͘͢ • ͜ΕΒΛ࣮ݱ͢ΔͨΊͷҰྫͱͯ͠ •
ϫʔΫϑϩʔΤϯδϯ: AWS StepFunctions • pub/subΛαϙʔτ͢ΔσʔλετΞ: DynamoDB

90.

׬

ブログサービスのHTTPS化を支えたAWSで作るピタゴラスイッチ / The construction of large scale TLS certificates management system with AWS

ブログサービスのHTTPS化を支えたAWSで作るピタゴラスイッチ / The construction of large scale TLS certificates management system with AWS

Want more?

Transcript