AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS

3f4be9784f765877f444bc839de29888?s=47 aereal
May 23, 2018
Technology
14
14k

AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS

Hatena Engineer Seminar #10 (https://hatena.connpass.com/event/87909/) で発表した資料です。

3f4be9784f765877f444bc839de29888?s=128

aereal

May 23, 2018
Tweet

More Decks by aereal

See All by aereal
3f4be9784f765877f444bc839de29888?s=48 aereal
1
530k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
190k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
190k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
380k
3f4be9784f765877f444bc839de29888?s=48 aereal
0
4.4k
3f4be9784f765877f444bc839de29888?s=48 aereal
1
390k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
3k
3f4be9784f765877f444bc839de29888?s=48 aereal
0
620
3f4be9784f765877f444bc839de29888?s=48 aereal
6
32k

Other Decks in Technology

See All in Technology
B29f42636a5f1249b640473d49aa4514?s=48 linedevth
1
150
467edb2e221a47426f19405f53aa51ca?s=48 nakaly
5
2.6k
34fcd5f1deeb25b1138e9845137feb6e?s=48 kakutani
2
580
5059d3f370ad7e1f4d8de4be79ae1a2c?s=48 rvirus0817
2
300
81603b1fb3b31483780be0700ed183e8?s=48 gabidavila
0
230
107ba69ff7888cacdb4307a28adf5527?s=48 fukuiretu
0
400
61a68b2172503ecdf7a7f7757df56071?s=48 toyship
0
340
7e6a435700dda6cdb22105d601f20892?s=48 picardparis
4
2k
57e8d22493c141fd3c7e7dbe62196c1b?s=48 uenitty
1
290
41088d50c95ab57359a3cb56988cfec7?s=48 ngyt
2
530
344128574661d939ea4cfe969823b774?s=48 syamauchi
0
170
53e2d354b3299d64a54af680865516d5?s=48 satotakeshi
3
590

Featured

See All Featured
Ded01cdab114abe4ec13511e4c25b9bb?s=48 andyhume
60
2.4k
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
6
640
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
224
8.3k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
1
320
2f5463832ccb768ccb4a1ca3607c27ef?s=48 jacobian
251
19k
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
345
20k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
55
5.3k
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
52
1.8k
761be20b5ebd271008bcee1244fc5b52?s=48 matthewcrist
70
7k
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
PRO
326
35k
245cee81a9c424266e5e401d844ea881?s=48 lara
169
9.2k
A9179349dd2bdc67f377719f56d85656?s=48 garrettdimon
284
110k

Transcript

  1. AWSͰ͸ͯͳϒϩάͷ
 ৗ࣌HTTPS഑৴Λ
 όʔϯͱ΍Δ࿩ Hatena Engineer Seminar #10 @ Tokyo גࣜձࣾ͸ͯͳ

    id:aereal

  2. ࣗݾ঺հ • id:aereal • GitHub: aereal • Twitter: aereal •

    ϒϩάϢʔβʔνʔϜ
 ΞϓϦέʔγϣϯΤϯδχΞ
 ςοΫϦʔυ

  3. ࿩͢͜ͱ • ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷٕज़తͳৄࡉ • ূ໌ॻͷಈతಡΈࠐΈ • ূ໌ॻͷࣗಈߋ৽ • ͓ΑͼϓϩδΣΫτͷਐΊํ

  4. എܠ • ͸ͯͳϒϩάͰ͸ɺ͸ͯͳఏڙυϝΠϯͷ
 ͍ͣΕ͔͔Βબ΂·͢ • *.hatenablog.com, *.hatenadiary.jp, etc. • ͞Βʹɺ͸ͯͳϒϩάPro

    (༗ྉΦϓγϣϯ) ʹਃ͠ࠐΉͱ
 ಠࣗυϝΠϯ͕࢖͑·͢ • ಠࣗυϝΠϯͰ΋ৗ࣌HTTPS഑৴Λ࣮ݱ͍ͨ͠

  5. Let's Encrypt • https://letsencrypt.org/ • ISRG = Internet Security Research

    Group͕ఏڙ͢Δ
 ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ (CA) • ෆಛఆଟ਺ͷυϝΠϯʹର͢Δ
 ূ໌ॻൃߦͷࣗಈԽ͕Մೳʹͳͬͨ

  6. Let's Encrypt • ಠࣗυϝΠϯͷৗ࣌HTTPS഑৴ʹ͔ܽͤͳ͍ଘࡏɺ౰વ ར༻͠·͢ • Let's EncryptΛར༻͢Δاۀͱͯ͠ɺ
 ·ͨܝ͛Δࢥ૝ʹڞײ͢ΔWebαʔϏεࣄۀऀͱͯ͠ɺ
 ͸ͯͳ͸Let's

    Encryptʹد෇Λ͠·͢

  7. ಠࣗυϝΠϯͱূ໌ॻ • DONE: ͸ͯͳఏڙυϝΠϯ (*.hatenablog.com, etc.) • ਺͕஌Ε͍ͯΔͷͰূ໌ॻ1ͭͷ഑ஔͰࡁΉ • SAN

    (= Subject Alternative Names) Λ࢖͏ • ϫΠϧυΧʔυূ໌ॻΛ࢖͏

  8. ಠࣗυϝΠϯͱূ໌ॻ • ಠࣗυϝΠϯ • ਺͕ଟ͍ͷͰূ໌ॻͷൃߦ΋ಡΈࠐΈ΋େม • LE = Let's Encrypt͸ূ໌ॻ͋ͨΓ


    100υϝΠϯͷ੍໿͕͋Δ • Ұ౓ʹಡΈࠐΉͱproxyͷϝϞϦ࢖༻ྔ͕ਹΉ

  9. ΰʔϧ(1): ূ໌ॻͷಡΈࠐΈ • ؆୯ͷͨΊূ໌ॻ͸1υϝΠϯ1ͭɺSAN͸࢖Θͳ͍ • ΦϯσϚϯυͰಡΈࠐΜͰϝϞϦઅ໿ • ϘτϧωοΫʹͳΓ͏ΔͷͰ
 ϥ΢ϯυτϦοϓɺϨΠςϯγΛ཈͍͑ͨ

  10. ΰʔϧ (2): ఆظߋ৽ • ϦΞϧλΠϜੑ͸௿͍ • ظݶΛܴ͑Δ·Ͱͷ೚ҙͷλΠϛϯάͰ
 ࣮ߦ͢Ε͹Α͍ • ҰํɺσʔλҰ؏ੑʹର͢Δཁٻ͕ߴ͍

    • ࣦഊ͢ΔͳͲߋ৽࿙Ε͕͋Δͱ·͍ͣ • ֎෦API (LE) Λར༻͢ΔͨΊࣦഊՄೳੑ͕ߴ͍
 →ద੾ͳϦτϥΠॲཧ͕ඞཁ

  11. γεςϜͷߏ੒

  12. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  13. ূ໌ॻͷಡΈࠐΈ

  14. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTPS ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  15. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  16. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  17. ূ໌ॻͷಈతಡΈࠐΈ • cert-dispatcher: ngx_mruby • TLS handshake࣌ʹϋϯυϥ͕ݺ͹ΕΔ • cert-cache-gwʹHTTP GETͯ͠ূ໌ॻΛऔಘ͢Δ

    • cert-cache-gw: GoͰॻ͍ͨHTTP API • υϝΠϯʹରԠ͢Δূ໌ॻΛcert-store (DynamoDB) ͔ Βऔಘͯ͠ฦ͢ • cert-cache (memcached) ʹ΋อଘ͢Δ

  18. ূ໌ॻͷऔಘ

  19. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  20. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  21. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  22. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  23. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  24. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  25. ূ໌ॻͷൃߦ • cert-updater-state: AWS Step Functions • JSONͰεςʔτϚγϯΛ࣮ߦͯ͘͠ΕΔαʔϏε • ॊೈͳϦτϥΠॲཧ΍ঢ়ଶભҠΛ؅ཧͰ͖Δ

    • cert-updater-function: AWS Lambda • LEͱ௨৴͠ূ໌ॻΛऔಘ͢Δ • ൃߦͨ͠ূ໌ॻ͸DynamoDBʹॻ͖ࠐΉ • cert-update-notifier: AWS Lambda • ূ໌ॻͷൃߦঢ়گΛ͸ͯͳϒϩάຊମʹ఻͑Δ

  26. ূ໌ॻͷఆظߋ৽

  27. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  28. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  29. ূ໌ॻͷఆظߋ৽ • cert-lifecycle-store: DynamoDB • ূ໌ॻͷऔಘ࣌ʹ͜ͷςʔϒϧʹ΋ॻ͖ࠐΉ • TTL triggerΛൃߦ͠ɺcert-update-triggerΛىಈ͢Δ •

    cert-update-trigger: AWS Lambda • TTL͕੾Εͯ࡟আ͞ΕͨΞΠςϜΛड͚औΔ • cert-updater-stateΛ࣮ߦ͠ɺূ໌ॻऔಘϑϩʔΛ։࢝

  30. DynamoDB TTL

  31. cert-lifecycle-store
 (DynamoDB) Domain: ex1.example.com ExpiresAt: 2018-05-23T02:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00

    Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  32. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00

    Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  33. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  34. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  35. ͳͥAWS͔ • ෳࡶ͔ͭߴ౓ͳόονΛߏஙʹඞཁͳαʔϏε͕
 ἧ͍ͬͯΔ͔Β • ෳࡶ: ূ໌ॻͷऔಘɾ݁Ռͷ௨஌ͳͲෳ਺εςοϓ͔Β ͳΔ • ߴ౓:

    ෼ࢄΞϓϦέʔγϣϯʹ΋ؔΘΒͣ
 σʔλͷҰ؏ੑ͕ߴ͍ϨϕϧͰٻΊΒΕΔ • = Lambda, Step Functions, etc.

  36. Step Functions͸࠷ߴ • ग़ྗ಺༰ʹԠͯ͡ঢ়ଶભҠΛ෼ذͰ͖Δ • άϥϑΟΧϧʹग़ྗͯ͘͠ΕΔ (͍͢͝!) • Τϥʔग़ྗ಺༰ʹԠ্ͨ͡ݶ෇͖ϦτϥΠॲཧ •

    ΊͪΌͪ͘Ό͔ͬ͜Α͘ͳ͍Ͱ͔͢?
  37. None
  38. None

  39. Go • Lambda function͸͢΂ͯGo, cert-cache-gw΋Go • ίϯύΠϥʹΑΔܕݕࠪͰ҆৺ • ೖग़ྗͷܕΛLambda functionؒͰڞ༗Ͱ͖ɺ


    ᴥᴪ͕ੜͨ͡ΒίϯύΠϧΤϥʔʹͳΔ • ΤίγεςϜ͕੒ख़͍ͯ͠Δ • ΫϩείϯύΠϧ • ςετϥϯφʔɺςετϑϨʔϜϫʔΫ

  40. ϓϩδΣΫτͷਐΊํ • ΞʔΩςΫνϟΛݕ౼ • AWSΛۦ࢖ͨ࣍͠ੈ୅TSDBͷઃܭʹؔΘͬͨ
 id:y_uukiʹڠྗͯ͠΋Βͬͨ • http://blog.yuuk.io/entry/the-rebuild-of-tsdb-on-cloud • ϓϩτλΠϐϯά

    (1िؒ) • ࣮ࡍʹखΛಈ͔͢͜ͱͰෆ໌ྎͩͬͨ఺ͷݟੵ΋Γ͕ਖ਼֬ʹͳͬͨ • (LambdaͷσϓϩΠͳͲ) • Goॳֶऀͩͬͨϝϯόʔ΋צΛ௫Ίͯɺຊ࣮૷Ͱ૝ఆҎ্ʹ
 ϕϩγςΟ͕҆ఆͨ͠

  41. ϓϩδΣΫτͷਐΊํ • ·ͣূ໌ॻಡΈࠐΈ෦෼ (cert-loader) Λ։ൃ • ͜ͷ࣌఺Ͱ͸·ͩূ໌ॻΛऔಘ͠ͳ͍ͷͰɺӨڹ͸ͳ ͍ • ࣍ʹূ໌ॻऔಘ෦෼

    (cert-updater) Λ։ൃ • ͜ͷ෦෼ΛϦϦʔε͢Δ͜ͱͰ͸͡Ίͯ
 ಠࣗυϝΠϯͰHTTPS഑৴͕ར༻ՄೳʹͳΔ

  42. ϓϩδΣΫτͷਐΊํ • ϦϦʔε୯ҐͷCQS = ίϚϯυΫΤϦ෼ׂ͕ͳ͞Εͨ • command: cert-updater • query:

    cert-loader • CQS = Command-query Separation: • มߋܥ (command) ͱಡऔܥ (query) Λ
 ෼ׂ͢ΔΞʔΩςΫνϟ • େ͖ͳϦϦʔεͰ͋Δ͕ɺগͣͭ͠ग़͍ͯ͘͠ͱ͍͏
 ීஈͷελΠϧΛऔΓೖΕΒΕ͍ͯΔ

  43. ·ͱΊ • ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷཪଆΛ͝঺հ͠·ͨ͠ • ։ൃ͸ॱௐͰɺࠂ஌௨ΓͷεέδϡʔϧͰ
 ఏڙ։࢝Ͱ͖ΔݟࠐΈͰ͢ • ࣮͸Perl͚ͩ͡Όͳ͍͠ɺAWS΋׆༻͍ͯ͠·͢!

  44. એ఻: αϚʔΠϯλʔϯ2018 • http://developer.hatenastaff.com/entry/intern- preentry-2018 • ࠓ೥΋΍Γ·͢ • લ൒ߨٛͷݴޠ͸GoͰ͢

  45. ׬