$30 off During Our Annual Pro Sale. View Details »
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migr...
Search
aereal
May 23, 2018
Technology
14
18k
AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS
Hatena Engineer Seminar #10 (
https://hatena.connpass.com/event/87909/
) で発表した資料です。
aereal
May 23, 2018
Tweet
Share
More Decks by aereal
See All by aereal
盆栽転じて家具となる / Bonsai and Furnitures
aereal
0
5.8k
How to send distibuted traces to Datadog using build own OpenTelemetry-Lambda distribution
aereal
3
300
好きな技術《コト》で、 生きていく技術 / life with what you like
aereal
5
4.6k
qron: Cloud Native Cron Alternativeの今
aereal
2
3k
自動作曲入門 / introduction to programatic music composition
aereal
1
530k
はてなブログ タグとCDK / The epic of AWS CDK and Hatena Blog Tag
aereal
2
200k
はてなブログ タグの技術選択 / The technical details of Hatena Blog Tag
aereal
3
200k
ブログサービスのHTTPS化を支えたAWSで作るピタゴラスイッチ / The construction of large scale TLS certificates management system with AWS
aereal
3
400k
ScalaとPerlでMicroservices in production / Building microservices with Perl and Scala in production
aereal
0
5.5k
Other Decks in Technology
See All in Technology
Noを伝える技術2025: 爆速合意形成のためのNICOフレームワーク速習 #pmconf2025
aki_iinuma
2
2.1k
法人支出管理領域におけるソフトウェアアーキテクチャに基づいたテスト戦略の実践
ogugu9
1
210
品質のための共通認識
kakehashi
PRO
3
220
Sansanが実践する Platform EngineeringとSREの協創
sansantech
PRO
2
730
【pmconf2025】PdMの「責任感」がチームを弱くする?「分業型」から全員がユーザー価値に本気で向き合う「共創型開発チーム」への変遷
toshimasa012345
0
280
Lambdaの常識はどう変わる?!re:Invent 2025 before after
iwatatomoya
1
390
新 Security HubがついにGA!仕組みや料金を深堀り #AWSreInvent #regrowth / AWS Security Hub Advanced GA
masahirokawahara
1
1.6k
エンジニアとPMのドメイン知識の溝をなくす、 AIネイティブな開発プロセス
applism118
4
1.1k
チーリンについて
hirotomotaguchi
5
1.4k
学習データって増やせばいいんですか?
ftakahashi
2
280
今年のデータ・ML系アップデートと気になるアプデのご紹介
nayuts
1
200
Microsoft Agent 365 を 30 分でなんとなく理解する
skmkzyk
1
1k
Featured
See All Featured
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
10
720
Large-scale JavaScript Application Architecture
addyosmani
515
110k
A Tale of Four Properties
chriscoyier
162
23k
Testing 201, or: Great Expectations
jmmastey
46
7.8k
How To Stay Up To Date on Web Technology
chriscoyier
791
250k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
128
54k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
9.8k
Making Projects Easy
brettharned
120
6.5k
Imperfection Machines: The Place of Print at Facebook
scottboms
269
13k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
700
jQuery: Nuts, Bolts and Bling
dougneiner
65
8.2k
Designing for humans not robots
tammielis
254
26k
Transcript
AWSͰͯͳϒϩάͷ ৗ࣌HTTPS৴Λ όʔϯͱΔ Hatena Engineer Seminar #10 @ Tokyo גࣜձࣾͯͳ
id:aereal
ࣗݾհ • id:aereal • GitHub: aereal • Twitter: aereal •
ϒϩάϢʔβʔνʔϜ ΞϓϦέʔγϣϯΤϯδχΞ ςοΫϦʔυ
͢͜ͱ • ͯͳϒϩάͷৗ࣌HTTPS৴ͷٕज़తͳৄࡉ • ূ໌ॻͷಈతಡΈࠐΈ • ূ໌ॻͷࣗಈߋ৽ • ͓ΑͼϓϩδΣΫτͷਐΊํ
എܠ • ͯͳϒϩάͰɺͯͳఏڙυϝΠϯͷ ͍ͣΕ͔͔Βબ·͢ • *.hatenablog.com, *.hatenadiary.jp, etc. • ͞ΒʹɺͯͳϒϩάPro
(༗ྉΦϓγϣϯ) ʹਃ͠ࠐΉͱ ಠࣗυϝΠϯ͕͑·͢ • ಠࣗυϝΠϯͰৗ࣌HTTPS৴Λ࣮ݱ͍ͨ͠
Let's Encrypt • https://letsencrypt.org/ • ISRG = Internet Security Research
Group͕ఏڙ͢Δ ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ (CA) • ෆಛఆଟͷυϝΠϯʹର͢Δ ূ໌ॻൃߦͷࣗಈԽ͕Մೳʹͳͬͨ
Let's Encrypt • ಠࣗυϝΠϯͷৗ࣌HTTPS৴ʹ͔ܽͤͳ͍ଘࡏɺવ ར༻͠·͢ • Let's EncryptΛར༻͢Δاۀͱͯ͠ɺ ·ͨܝ͛Δࢥʹڞײ͢ΔWebαʔϏεࣄۀऀͱͯ͠ɺ ͯͳLet's
EncryptʹدΛ͠·͢
ಠࣗυϝΠϯͱূ໌ॻ • DONE: ͯͳఏڙυϝΠϯ (*.hatenablog.com, etc.) • ͕Ε͍ͯΔͷͰূ໌ॻ1ͭͷஔͰࡁΉ • SAN
(= Subject Alternative Names) Λ͏ • ϫΠϧυΧʔυূ໌ॻΛ͏
ಠࣗυϝΠϯͱূ໌ॻ • ಠࣗυϝΠϯ • ͕ଟ͍ͷͰূ໌ॻͷൃߦಡΈࠐΈେม • LE = Let's Encryptূ໌ॻ͋ͨΓ
100υϝΠϯͷ੍͕͋Δ • ҰʹಡΈࠐΉͱproxyͷϝϞϦ༻ྔ͕ਹΉ
ΰʔϧ(1): ূ໌ॻͷಡΈࠐΈ • ؆୯ͷͨΊূ໌ॻ1υϝΠϯ1ͭɺSANΘͳ͍ • ΦϯσϚϯυͰಡΈࠐΜͰϝϞϦઅ • ϘτϧωοΫʹͳΓ͏ΔͷͰ ϥϯυτϦοϓɺϨΠςϯγΛ͍͑ͨ
ΰʔϧ (2): ఆظߋ৽ • ϦΞϧλΠϜੑ͍ • ظݶΛܴ͑Δ·ͰͷҙͷλΠϛϯάͰ ࣮ߦ͢ΕΑ͍ • ҰํɺσʔλҰ؏ੑʹର͢Δཁٻ͕ߴ͍
• ࣦഊ͢ΔͳͲߋ৽࿙Ε͕͋Δͱ·͍ͣ • ֎෦API (LE) Λར༻͢ΔͨΊࣦഊՄೳੑ͕ߴ͍ →దͳϦτϥΠॲཧ͕ඞཁ
γεςϜͷߏ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷಡΈࠐΈ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTPS ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷಈతಡΈࠐΈ • cert-dispatcher: ngx_mruby • TLS handshake࣌ʹϋϯυϥ͕ݺΕΔ • cert-cache-gwʹHTTP GETͯ͠ূ໌ॻΛऔಘ͢Δ
• cert-cache-gw: GoͰॻ͍ͨHTTP API • υϝΠϯʹରԠ͢Δূ໌ॻΛcert-store (DynamoDB) ͔ Βऔಘͯ͠ฦ͢ • cert-cache (memcached) ʹอଘ͢Δ
ূ໌ॻͷऔಘ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷൃߦ • cert-updater-state: AWS Step Functions • JSONͰεςʔτϚγϯΛ࣮ߦͯ͘͠ΕΔαʔϏε • ॊೈͳϦτϥΠॲཧঢ়ଶભҠΛཧͰ͖Δ
• cert-updater-function: AWS Lambda • LEͱ௨৴͠ূ໌ॻΛऔಘ͢Δ • ൃߦͨ͠ূ໌ॻDynamoDBʹॻ͖ࠐΉ • cert-update-notifier: AWS Lambda • ূ໌ॻͷൃߦঢ়گΛͯͳϒϩάຊମʹ͑Δ
ূ໌ॻͷఆظߋ৽
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷఆظߋ৽ • cert-lifecycle-store: DynamoDB • ূ໌ॻͷऔಘ࣌ʹ͜ͷςʔϒϧʹॻ͖ࠐΉ • TTL triggerΛൃߦ͠ɺcert-update-triggerΛىಈ͢Δ •
cert-update-trigger: AWS Lambda • TTL͕Εͯআ͞ΕͨΞΠςϜΛड͚औΔ • cert-updater-stateΛ࣮ߦ͠ɺূ໌ॻऔಘϑϩʔΛ։࢝
DynamoDB TTL
cert-lifecycle-store (DynamoDB) Domain: ex1.example.com ExpiresAt: 2018-05-23T02:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00
Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00
Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
ͳͥAWS͔ • ෳࡶ͔ͭߴͳόονΛߏஙʹඞཁͳαʔϏε͕ ἧ͍ͬͯΔ͔Β • ෳࡶ: ূ໌ॻͷऔಘɾ݁Ռͷ௨ͳͲෳεςοϓ͔Β ͳΔ • ߴ:
ࢄΞϓϦέʔγϣϯʹؔΘΒͣ σʔλͷҰ؏ੑ͕ߴ͍ϨϕϧͰٻΊΒΕΔ • = Lambda, Step Functions, etc.
Step Functions࠷ߴ • ग़ྗ༰ʹԠͯ͡ঢ়ଶભҠΛذͰ͖Δ • άϥϑΟΧϧʹग़ྗͯ͘͠ΕΔ (͍͢͝!) • Τϥʔग़ྗ༰ʹԠ্ͨ͡ݶ͖ϦτϥΠॲཧ •
ΊͪΌͪ͘Ό͔ͬ͜Α͘ͳ͍Ͱ͔͢?
None
None
Go • Lambda functionͯ͢Go, cert-cache-gwGo • ίϯύΠϥʹΑΔܕݕࠪͰ҆৺ • ೖग़ྗͷܕΛLambda functionؒͰڞ༗Ͱ͖ɺ
ᴥᴪ͕ੜͨ͡ΒίϯύΠϧΤϥʔʹͳΔ • ΤίγεςϜ͕ख़͍ͯ͠Δ • ΫϩείϯύΠϧ • ςετϥϯφʔɺςετϑϨʔϜϫʔΫ
ϓϩδΣΫτͷਐΊํ • ΞʔΩςΫνϟΛݕ౼ • AWSΛۦͨ࣍͠ੈTSDBͷઃܭʹؔΘͬͨ id:y_uukiʹڠྗͯ͠Βͬͨ • http://blog.yuuk.io/entry/the-rebuild-of-tsdb-on-cloud • ϓϩτλΠϐϯά
(1िؒ) • ࣮ࡍʹखΛಈ͔͢͜ͱͰෆ໌ྎͩͬͨͷݟੵΓ͕ਖ਼֬ʹͳͬͨ • (LambdaͷσϓϩΠͳͲ) • GoॳֶऀͩͬͨϝϯόʔצΛ௫Ίͯɺຊ࣮ͰఆҎ্ʹ ϕϩγςΟ͕҆ఆͨ͠
ϓϩδΣΫτͷਐΊํ • ·ͣূ໌ॻಡΈࠐΈ෦ (cert-loader) Λ։ൃ • ͜ͷ࣌Ͱ·ͩূ໌ॻΛऔಘ͠ͳ͍ͷͰɺӨڹͳ ͍ • ࣍ʹূ໌ॻऔಘ෦
(cert-updater) Λ։ൃ • ͜ͷ෦ΛϦϦʔε͢Δ͜ͱͰ͡Ίͯ ಠࣗυϝΠϯͰHTTPS৴͕ར༻ՄೳʹͳΔ
ϓϩδΣΫτͷਐΊํ • ϦϦʔε୯ҐͷCQS = ίϚϯυΫΤϦׂ͕ͳ͞Εͨ • command: cert-updater • query:
cert-loader • CQS = Command-query Separation: • มߋܥ (command) ͱಡऔܥ (query) Λ ׂ͢ΔΞʔΩςΫνϟ • େ͖ͳϦϦʔεͰ͋Δ͕ɺগͣͭ͠ग़͍ͯ͘͠ͱ͍͏ ීஈͷελΠϧΛऔΓೖΕΒΕ͍ͯΔ
·ͱΊ • ͯͳϒϩάͷৗ࣌HTTPS৴ͷཪଆΛ͝հ͠·ͨ͠ • ։ൃॱௐͰɺࠂ௨ΓͷεέδϡʔϧͰ ఏڙ։࢝Ͱ͖ΔݟࠐΈͰ͢ • ࣮Perl͚ͩ͡Όͳ͍͠ɺAWS׆༻͍ͯ͠·͢!
એ: αϚʔΠϯλʔϯ2018 • http://developer.hatenastaff.com/entry/intern- preentry-2018 • ࠓΓ·͢ • લߨٛͷݴޠGoͰ͢
aereal
aki_iinuma
ogugu9
kakehashi
sansantech
toshimasa012345
iwatatomoya
masahirokawahara
applism118
hirotomotaguchi
ftakahashi
nayuts
skmkzyk
tammyeverts
addyosmani
chriscoyier
jmmastey
eileencodes
brettharned
scottboms
bluesmoon
dougneiner
tammielis
