Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS

3f4be9784f765877f444bc839de29888?s=47 aereal
May 23, 2018
Technology
14
14k

AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS

Hatena Engineer Seminar #10 (https://hatena.connpass.com/event/87909/) で発表した資料です。

3f4be9784f765877f444bc839de29888?s=128

aereal

May 23, 2018
Tweet

More Decks by aereal

See All by aereal
3f4be9784f765877f444bc839de29888?s=48 aereal
1
530k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
200k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
190k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
380k
3f4be9784f765877f444bc839de29888?s=48 aereal
0
4.5k
3f4be9784f765877f444bc839de29888?s=48 aereal
1
390k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
3.1k
3f4be9784f765877f444bc839de29888?s=48 aereal
0
690
3f4be9784f765877f444bc839de29888?s=48 aereal
6
32k

Other Decks in Technology

See All in Technology
9b2600a82821673d9d0f03cc6f7bc56e?s=48 kloudleinc
0
680
4ab9c4c8dec50dc08b89981e23e111f2?s=48 katsumataryo
3
810
94870c02836167043f37f05ae1032690?s=48 tatsy
0
110
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
2
450
C265a1a7dadb2713ff2262025e91d133?s=48 akabekobeko
0
120
7fb9a8ddaea2ddc368f12a5d08cea86a?s=48 yuu26
1
1k
4ca55ec64603f424638409b6e0ee7e65?s=48 halhira
1
100
F83990c21f948a63f6732144e56dafcc?s=48 michigari
0
190
85da685d91fda190e2e3162d0de248a4?s=48 recruitengineers
0
230
7cd783377515bdf8207062840b7b2f4e?s=48 soracom
0
140
525442fc70ca92f82ae503f826956137?s=48 finengine
0
210
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
1
320

Featured

See All Featured
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
115
10k
B83d5b590577969ee79a5ad845411a7d?s=48 ammeep
656
54k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
294
39k
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
34
1.6k
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
21
1.3k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
66
3k
C1daf20e5c49ff910745198ef9869ac2?s=48 hatefulcrawdad
257
17k
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
157
6.5k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
32
3.5k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
72
1.5k
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
340
16k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
220
15k

Transcript

  1. AWSͰ͸ͯͳϒϩάͷ
 ৗ࣌HTTPS഑৴Λ
 όʔϯͱ΍Δ࿩ Hatena Engineer Seminar #10 @ Tokyo גࣜձࣾ͸ͯͳ

    id:aereal

  2. ࣗݾ঺հ • id:aereal • GitHub: aereal • Twitter: aereal •

    ϒϩάϢʔβʔνʔϜ
 ΞϓϦέʔγϣϯΤϯδχΞ
 ςοΫϦʔυ

  3. ࿩͢͜ͱ • ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷٕज़తͳৄࡉ • ূ໌ॻͷಈతಡΈࠐΈ • ূ໌ॻͷࣗಈߋ৽ • ͓ΑͼϓϩδΣΫτͷਐΊํ

  4. എܠ • ͸ͯͳϒϩάͰ͸ɺ͸ͯͳఏڙυϝΠϯͷ
 ͍ͣΕ͔͔Βબ΂·͢ • *.hatenablog.com, *.hatenadiary.jp, etc. • ͞Βʹɺ͸ͯͳϒϩάPro

    (༗ྉΦϓγϣϯ) ʹਃ͠ࠐΉͱ
 ಠࣗυϝΠϯ͕࢖͑·͢ • ಠࣗυϝΠϯͰ΋ৗ࣌HTTPS഑৴Λ࣮ݱ͍ͨ͠

  5. Let's Encrypt • https://letsencrypt.org/ • ISRG = Internet Security Research

    Group͕ఏڙ͢Δ
 ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ (CA) • ෆಛఆଟ਺ͷυϝΠϯʹର͢Δ
 ূ໌ॻൃߦͷࣗಈԽ͕Մೳʹͳͬͨ

  6. Let's Encrypt • ಠࣗυϝΠϯͷৗ࣌HTTPS഑৴ʹ͔ܽͤͳ͍ଘࡏɺ౰વ ར༻͠·͢ • Let's EncryptΛར༻͢Δاۀͱͯ͠ɺ
 ·ͨܝ͛Δࢥ૝ʹڞײ͢ΔWebαʔϏεࣄۀऀͱͯ͠ɺ
 ͸ͯͳ͸Let's

    Encryptʹد෇Λ͠·͢

  7. ಠࣗυϝΠϯͱূ໌ॻ • DONE: ͸ͯͳఏڙυϝΠϯ (*.hatenablog.com, etc.) • ਺͕஌Ε͍ͯΔͷͰূ໌ॻ1ͭͷ഑ஔͰࡁΉ • SAN

    (= Subject Alternative Names) Λ࢖͏ • ϫΠϧυΧʔυূ໌ॻΛ࢖͏

  8. ಠࣗυϝΠϯͱূ໌ॻ • ಠࣗυϝΠϯ • ਺͕ଟ͍ͷͰূ໌ॻͷൃߦ΋ಡΈࠐΈ΋େม • LE = Let's Encrypt͸ূ໌ॻ͋ͨΓ


    100υϝΠϯͷ੍໿͕͋Δ • Ұ౓ʹಡΈࠐΉͱproxyͷϝϞϦ࢖༻ྔ͕ਹΉ

  9. ΰʔϧ(1): ূ໌ॻͷಡΈࠐΈ • ؆୯ͷͨΊূ໌ॻ͸1υϝΠϯ1ͭɺSAN͸࢖Θͳ͍ • ΦϯσϚϯυͰಡΈࠐΜͰϝϞϦઅ໿ • ϘτϧωοΫʹͳΓ͏ΔͷͰ
 ϥ΢ϯυτϦοϓɺϨΠςϯγΛ཈͍͑ͨ

  10. ΰʔϧ (2): ఆظߋ৽ • ϦΞϧλΠϜੑ͸௿͍ • ظݶΛܴ͑Δ·Ͱͷ೚ҙͷλΠϛϯάͰ
 ࣮ߦ͢Ε͹Α͍ • ҰํɺσʔλҰ؏ੑʹର͢Δཁٻ͕ߴ͍

    • ࣦഊ͢ΔͳͲߋ৽࿙Ε͕͋Δͱ·͍ͣ • ֎෦API (LE) Λར༻͢ΔͨΊࣦഊՄೳੑ͕ߴ͍
 →ద੾ͳϦτϥΠॲཧ͕ඞཁ

  11. γεςϜͷߏ੒

  12. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  13. ূ໌ॻͷಡΈࠐΈ

  14. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTPS ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  15. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  16. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  17. ূ໌ॻͷಈతಡΈࠐΈ • cert-dispatcher: ngx_mruby • TLS handshake࣌ʹϋϯυϥ͕ݺ͹ΕΔ • cert-cache-gwʹHTTP GETͯ͠ূ໌ॻΛऔಘ͢Δ

    • cert-cache-gw: GoͰॻ͍ͨHTTP API • υϝΠϯʹରԠ͢Δূ໌ॻΛcert-store (DynamoDB) ͔ Βऔಘͯ͠ฦ͢ • cert-cache (memcached) ʹ΋อଘ͢Δ

  18. ূ໌ॻͷऔಘ

  19. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  20. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  21. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  22. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  23. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  24. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  25. ূ໌ॻͷൃߦ • cert-updater-state: AWS Step Functions • JSONͰεςʔτϚγϯΛ࣮ߦͯ͘͠ΕΔαʔϏε • ॊೈͳϦτϥΠॲཧ΍ঢ়ଶભҠΛ؅ཧͰ͖Δ

    • cert-updater-function: AWS Lambda • LEͱ௨৴͠ূ໌ॻΛऔಘ͢Δ • ൃߦͨ͠ূ໌ॻ͸DynamoDBʹॻ͖ࠐΉ • cert-update-notifier: AWS Lambda • ূ໌ॻͷൃߦঢ়گΛ͸ͯͳϒϩάຊମʹ఻͑Δ

  26. ূ໌ॻͷఆظߋ৽

  27. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  28. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  29. ূ໌ॻͷఆظߋ৽ • cert-lifecycle-store: DynamoDB • ূ໌ॻͷऔಘ࣌ʹ͜ͷςʔϒϧʹ΋ॻ͖ࠐΉ • TTL triggerΛൃߦ͠ɺcert-update-triggerΛىಈ͢Δ •

    cert-update-trigger: AWS Lambda • TTL͕੾Εͯ࡟আ͞ΕͨΞΠςϜΛड͚औΔ • cert-updater-stateΛ࣮ߦ͠ɺূ໌ॻऔಘϑϩʔΛ։࢝

  30. DynamoDB TTL

  31. cert-lifecycle-store
 (DynamoDB) Domain: ex1.example.com ExpiresAt: 2018-05-23T02:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00

    Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  32. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00

    Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  33. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  34. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  35. ͳͥAWS͔ • ෳࡶ͔ͭߴ౓ͳόονΛߏஙʹඞཁͳαʔϏε͕
 ἧ͍ͬͯΔ͔Β • ෳࡶ: ূ໌ॻͷऔಘɾ݁Ռͷ௨஌ͳͲෳ਺εςοϓ͔Β ͳΔ • ߴ౓:

    ෼ࢄΞϓϦέʔγϣϯʹ΋ؔΘΒͣ
 σʔλͷҰ؏ੑ͕ߴ͍ϨϕϧͰٻΊΒΕΔ • = Lambda, Step Functions, etc.

  36. Step Functions͸࠷ߴ • ग़ྗ಺༰ʹԠͯ͡ঢ়ଶભҠΛ෼ذͰ͖Δ • άϥϑΟΧϧʹग़ྗͯ͘͠ΕΔ (͍͢͝!) • Τϥʔग़ྗ಺༰ʹԠ্ͨ͡ݶ෇͖ϦτϥΠॲཧ •

    ΊͪΌͪ͘Ό͔ͬ͜Α͘ͳ͍Ͱ͔͢?
  37. None
  38. None

  39. Go • Lambda function͸͢΂ͯGo, cert-cache-gw΋Go • ίϯύΠϥʹΑΔܕݕࠪͰ҆৺ • ೖग़ྗͷܕΛLambda functionؒͰڞ༗Ͱ͖ɺ


    ᴥᴪ͕ੜͨ͡ΒίϯύΠϧΤϥʔʹͳΔ • ΤίγεςϜ͕੒ख़͍ͯ͠Δ • ΫϩείϯύΠϧ • ςετϥϯφʔɺςετϑϨʔϜϫʔΫ

  40. ϓϩδΣΫτͷਐΊํ • ΞʔΩςΫνϟΛݕ౼ • AWSΛۦ࢖ͨ࣍͠ੈ୅TSDBͷઃܭʹؔΘͬͨ
 id:y_uukiʹڠྗͯ͠΋Βͬͨ • http://blog.yuuk.io/entry/the-rebuild-of-tsdb-on-cloud • ϓϩτλΠϐϯά

    (1िؒ) • ࣮ࡍʹखΛಈ͔͢͜ͱͰෆ໌ྎͩͬͨ఺ͷݟੵ΋Γ͕ਖ਼֬ʹͳͬͨ • (LambdaͷσϓϩΠͳͲ) • Goॳֶऀͩͬͨϝϯόʔ΋צΛ௫Ίͯɺຊ࣮૷Ͱ૝ఆҎ্ʹ
 ϕϩγςΟ͕҆ఆͨ͠

  41. ϓϩδΣΫτͷਐΊํ • ·ͣূ໌ॻಡΈࠐΈ෦෼ (cert-loader) Λ։ൃ • ͜ͷ࣌఺Ͱ͸·ͩূ໌ॻΛऔಘ͠ͳ͍ͷͰɺӨڹ͸ͳ ͍ • ࣍ʹূ໌ॻऔಘ෦෼

    (cert-updater) Λ։ൃ • ͜ͷ෦෼ΛϦϦʔε͢Δ͜ͱͰ͸͡Ίͯ
 ಠࣗυϝΠϯͰHTTPS഑৴͕ར༻ՄೳʹͳΔ

  42. ϓϩδΣΫτͷਐΊํ • ϦϦʔε୯ҐͷCQS = ίϚϯυΫΤϦ෼ׂ͕ͳ͞Εͨ • command: cert-updater • query:

    cert-loader • CQS = Command-query Separation: • มߋܥ (command) ͱಡऔܥ (query) Λ
 ෼ׂ͢ΔΞʔΩςΫνϟ • େ͖ͳϦϦʔεͰ͋Δ͕ɺগͣͭ͠ग़͍ͯ͘͠ͱ͍͏
 ීஈͷελΠϧΛऔΓೖΕΒΕ͍ͯΔ

  43. ·ͱΊ • ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷཪଆΛ͝঺հ͠·ͨ͠ • ։ൃ͸ॱௐͰɺࠂ஌௨ΓͷεέδϡʔϧͰ
 ఏڙ։࢝Ͱ͖ΔݟࠐΈͰ͢ • ࣮͸Perl͚ͩ͡Όͳ͍͠ɺAWS΋׆༻͍ͯ͠·͢!

  44. એ఻: αϚʔΠϯλʔϯ2018 • http://developer.hatenastaff.com/entry/intern- preentry-2018 • ࠓ೥΋΍Γ·͢ • લ൒ߨٛͷݴޠ͸GoͰ͢

  45. ׬