Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migr...
Search
aereal
May 23, 2018
Technology
14
18k
AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS
Hatena Engineer Seminar #10 (
https://hatena.connpass.com/event/87909/
) で発表した資料です。
aereal
May 23, 2018
Tweet
Share
More Decks by aereal
See All by aereal
盆栽転じて家具となる / Bonsai and Furnitures
aereal
0
4.1k
How to send distibuted traces to Datadog using build own OpenTelemetry-Lambda distribution
aereal
3
250
好きな技術《コト》で、 生きていく技術 / life with what you like
aereal
5
3.5k
qron: Cloud Native Cron Alternativeの今
aereal
2
2.5k
自動作曲入門 / introduction to programatic music composition
aereal
1
530k
はてなブログ タグとCDK / The epic of AWS CDK and Hatena Blog Tag
aereal
3
200k
はてなブログ タグの技術選択 / The technical details of Hatena Blog Tag
aereal
3
200k
ブログサービスのHTTPS化を支えたAWSで作るピタゴラスイッチ / The construction of large scale TLS certificates management system with AWS
aereal
3
400k
ScalaとPerlでMicroservices in production / Building microservices with Perl and Scala in production
aereal
0
5.4k
Other Decks in Technology
See All in Technology
SRE NEXT CfP チームが語る 聞きたくなるプロポーザルとは / Proposals by the SRE NEXT CfP Team that are sure to be accepted
chaspy
1
340
TopAppBar Composableをカスタムする
hunachi
0
170
生成AI時代のセキュアCI/CDとソース管理
yuriemori
0
100
AWSエンジニアがSAPのデータ抽出してみた
mayumi_hirano
0
110
Amebaにおける Platform Engineeringの実践
kumorn5s
5
820
マルチアカウント管理で必須!AWS Organizationsの機能とユースケース解説
nrinetcom
PRO
1
120
Zabbixチョットデキルとは!?
kujiraitakahiro
0
120
Symfony in 2025: Scaling to 0
fabpot
2
270
Beyond {shiny}: The Future of Mobile Apps with R
colinfay
0
180
やさしいMCP入門
minorun365
PRO
133
76k
コンソールで学ぶ!AWS CodePipelineの機能とオプション
umekou
3
130
モンテカルロ木探索のパフォーマンスを予測する Kaggleコンペ解説 〜生成AIによる未知のゲーム生成〜
rist
4
1.2k
Featured
See All Featured
Statistics for Hackers
jakevdp
798
220k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
31
4.8k
How to Ace a Technical Interview
jacobian
276
23k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
30
1.1k
Making Projects Easy
brettharned
116
6.1k
Code Review Best Practice
trishagee
67
18k
Site-Speed That Sticks
csswizardry
4
460
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
4
490
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
40
2.1k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Side Projects
sachag
452
42k
Testing 201, or: Great Expectations
jmmastey
42
7.4k
Transcript
AWSͰͯͳϒϩάͷ ৗ࣌HTTPS৴Λ όʔϯͱΔ Hatena Engineer Seminar #10 @ Tokyo גࣜձࣾͯͳ
id:aereal
ࣗݾհ • id:aereal • GitHub: aereal • Twitter: aereal •
ϒϩάϢʔβʔνʔϜ ΞϓϦέʔγϣϯΤϯδχΞ ςοΫϦʔυ
͢͜ͱ • ͯͳϒϩάͷৗ࣌HTTPS৴ͷٕज़తͳৄࡉ • ূ໌ॻͷಈతಡΈࠐΈ • ূ໌ॻͷࣗಈߋ৽ • ͓ΑͼϓϩδΣΫτͷਐΊํ
എܠ • ͯͳϒϩάͰɺͯͳఏڙυϝΠϯͷ ͍ͣΕ͔͔Βબ·͢ • *.hatenablog.com, *.hatenadiary.jp, etc. • ͞ΒʹɺͯͳϒϩάPro
(༗ྉΦϓγϣϯ) ʹਃ͠ࠐΉͱ ಠࣗυϝΠϯ͕͑·͢ • ಠࣗυϝΠϯͰৗ࣌HTTPS৴Λ࣮ݱ͍ͨ͠
Let's Encrypt • https://letsencrypt.org/ • ISRG = Internet Security Research
Group͕ఏڙ͢Δ ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ (CA) • ෆಛఆଟͷυϝΠϯʹର͢Δ ূ໌ॻൃߦͷࣗಈԽ͕Մೳʹͳͬͨ
Let's Encrypt • ಠࣗυϝΠϯͷৗ࣌HTTPS৴ʹ͔ܽͤͳ͍ଘࡏɺવ ར༻͠·͢ • Let's EncryptΛར༻͢Δاۀͱͯ͠ɺ ·ͨܝ͛Δࢥʹڞײ͢ΔWebαʔϏεࣄۀऀͱͯ͠ɺ ͯͳLet's
EncryptʹدΛ͠·͢
ಠࣗυϝΠϯͱূ໌ॻ • DONE: ͯͳఏڙυϝΠϯ (*.hatenablog.com, etc.) • ͕Ε͍ͯΔͷͰূ໌ॻ1ͭͷஔͰࡁΉ • SAN
(= Subject Alternative Names) Λ͏ • ϫΠϧυΧʔυূ໌ॻΛ͏
ಠࣗυϝΠϯͱূ໌ॻ • ಠࣗυϝΠϯ • ͕ଟ͍ͷͰূ໌ॻͷൃߦಡΈࠐΈେม • LE = Let's Encryptূ໌ॻ͋ͨΓ
100υϝΠϯͷ੍͕͋Δ • ҰʹಡΈࠐΉͱproxyͷϝϞϦ༻ྔ͕ਹΉ
ΰʔϧ(1): ূ໌ॻͷಡΈࠐΈ • ؆୯ͷͨΊূ໌ॻ1υϝΠϯ1ͭɺSANΘͳ͍ • ΦϯσϚϯυͰಡΈࠐΜͰϝϞϦઅ • ϘτϧωοΫʹͳΓ͏ΔͷͰ ϥϯυτϦοϓɺϨΠςϯγΛ͍͑ͨ
ΰʔϧ (2): ఆظߋ৽ • ϦΞϧλΠϜੑ͍ • ظݶΛܴ͑Δ·ͰͷҙͷλΠϛϯάͰ ࣮ߦ͢ΕΑ͍ • ҰํɺσʔλҰ؏ੑʹର͢Δཁٻ͕ߴ͍
• ࣦഊ͢ΔͳͲߋ৽࿙Ε͕͋Δͱ·͍ͣ • ֎෦API (LE) Λར༻͢ΔͨΊࣦഊՄೳੑ͕ߴ͍ →దͳϦτϥΠॲཧ͕ඞཁ
γεςϜͷߏ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷಡΈࠐΈ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTPS ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷಈతಡΈࠐΈ • cert-dispatcher: ngx_mruby • TLS handshake࣌ʹϋϯυϥ͕ݺΕΔ • cert-cache-gwʹHTTP GETͯ͠ূ໌ॻΛऔಘ͢Δ
• cert-cache-gw: GoͰॻ͍ͨHTTP API • υϝΠϯʹରԠ͢Δূ໌ॻΛcert-store (DynamoDB) ͔ Βऔಘͯ͠ฦ͢ • cert-cache (memcached) ʹอଘ͢Δ
ূ໌ॻͷऔಘ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷൃߦ • cert-updater-state: AWS Step Functions • JSONͰεςʔτϚγϯΛ࣮ߦͯ͘͠ΕΔαʔϏε • ॊೈͳϦτϥΠॲཧঢ়ଶભҠΛཧͰ͖Δ
• cert-updater-function: AWS Lambda • LEͱ௨৴͠ূ໌ॻΛऔಘ͢Δ • ൃߦͨ͠ূ໌ॻDynamoDBʹॻ͖ࠐΉ • cert-update-notifier: AWS Lambda • ূ໌ॻͷൃߦঢ়گΛͯͳϒϩάຊମʹ͑Δ
ূ໌ॻͷఆظߋ৽
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷఆظߋ৽ • cert-lifecycle-store: DynamoDB • ূ໌ॻͷऔಘ࣌ʹ͜ͷςʔϒϧʹॻ͖ࠐΉ • TTL triggerΛൃߦ͠ɺcert-update-triggerΛىಈ͢Δ •
cert-update-trigger: AWS Lambda • TTL͕Εͯআ͞ΕͨΞΠςϜΛड͚औΔ • cert-updater-stateΛ࣮ߦ͠ɺূ໌ॻऔಘϑϩʔΛ։࢝
DynamoDB TTL
cert-lifecycle-store (DynamoDB) Domain: ex1.example.com ExpiresAt: 2018-05-23T02:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00
Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00
Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
ͳͥAWS͔ • ෳࡶ͔ͭߴͳόονΛߏஙʹඞཁͳαʔϏε͕ ἧ͍ͬͯΔ͔Β • ෳࡶ: ূ໌ॻͷऔಘɾ݁Ռͷ௨ͳͲෳεςοϓ͔Β ͳΔ • ߴ:
ࢄΞϓϦέʔγϣϯʹؔΘΒͣ σʔλͷҰ؏ੑ͕ߴ͍ϨϕϧͰٻΊΒΕΔ • = Lambda, Step Functions, etc.
Step Functions࠷ߴ • ग़ྗ༰ʹԠͯ͡ঢ়ଶભҠΛذͰ͖Δ • άϥϑΟΧϧʹग़ྗͯ͘͠ΕΔ (͍͢͝!) • Τϥʔग़ྗ༰ʹԠ্ͨ͡ݶ͖ϦτϥΠॲཧ •
ΊͪΌͪ͘Ό͔ͬ͜Α͘ͳ͍Ͱ͔͢?
None
None
Go • Lambda functionͯ͢Go, cert-cache-gwGo • ίϯύΠϥʹΑΔܕݕࠪͰ҆৺ • ೖग़ྗͷܕΛLambda functionؒͰڞ༗Ͱ͖ɺ
ᴥᴪ͕ੜͨ͡ΒίϯύΠϧΤϥʔʹͳΔ • ΤίγεςϜ͕ख़͍ͯ͠Δ • ΫϩείϯύΠϧ • ςετϥϯφʔɺςετϑϨʔϜϫʔΫ
ϓϩδΣΫτͷਐΊํ • ΞʔΩςΫνϟΛݕ౼ • AWSΛۦͨ࣍͠ੈTSDBͷઃܭʹؔΘͬͨ id:y_uukiʹڠྗͯ͠Βͬͨ • http://blog.yuuk.io/entry/the-rebuild-of-tsdb-on-cloud • ϓϩτλΠϐϯά
(1िؒ) • ࣮ࡍʹखΛಈ͔͢͜ͱͰෆ໌ྎͩͬͨͷݟੵΓ͕ਖ਼֬ʹͳͬͨ • (LambdaͷσϓϩΠͳͲ) • GoॳֶऀͩͬͨϝϯόʔצΛ௫Ίͯɺຊ࣮ͰఆҎ্ʹ ϕϩγςΟ͕҆ఆͨ͠
ϓϩδΣΫτͷਐΊํ • ·ͣূ໌ॻಡΈࠐΈ෦ (cert-loader) Λ։ൃ • ͜ͷ࣌Ͱ·ͩূ໌ॻΛऔಘ͠ͳ͍ͷͰɺӨڹͳ ͍ • ࣍ʹূ໌ॻऔಘ෦
(cert-updater) Λ։ൃ • ͜ͷ෦ΛϦϦʔε͢Δ͜ͱͰ͡Ίͯ ಠࣗυϝΠϯͰHTTPS৴͕ར༻ՄೳʹͳΔ
ϓϩδΣΫτͷਐΊํ • ϦϦʔε୯ҐͷCQS = ίϚϯυΫΤϦׂ͕ͳ͞Εͨ • command: cert-updater • query:
cert-loader • CQS = Command-query Separation: • มߋܥ (command) ͱಡऔܥ (query) Λ ׂ͢ΔΞʔΩςΫνϟ • େ͖ͳϦϦʔεͰ͋Δ͕ɺগͣͭ͠ग़͍ͯ͘͠ͱ͍͏ ීஈͷελΠϧΛऔΓೖΕΒΕ͍ͯΔ
·ͱΊ • ͯͳϒϩάͷৗ࣌HTTPS৴ͷཪଆΛ͝հ͠·ͨ͠ • ։ൃॱௐͰɺࠂ௨ΓͷεέδϡʔϧͰ ఏڙ։࢝Ͱ͖ΔݟࠐΈͰ͢ • ࣮Perl͚ͩ͡Όͳ͍͠ɺAWS׆༻͍ͯ͠·͢!
એ: αϚʔΠϯλʔϯ2018 • http://developer.hatenastaff.com/entry/intern- preentry-2018 • ࠓΓ·͢ • લߨٛͷݴޠGoͰ͢
aereal
chaspy
hunachi
yuriemori
mayumi_hirano
kumorn5s
nrinetcom
kujiraitakahiro
fabpot
colinfay
minorun365
umekou
rist
jakevdp
kevinliebholz
jacobian
garrettdimon
brettharned
trishagee
csswizardry
addyosmani
bcantrill
aarron
sachag
jmmastey
