AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS

3f4be9784f765877f444bc839de29888?s=47 aereal
May 23, 2018
Technology
14
14k

AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS

Hatena Engineer Seminar #10 (https://hatena.connpass.com/event/87909/) で発表した資料です。

3f4be9784f765877f444bc839de29888?s=128

aereal

May 23, 2018
Tweet

More Decks by aereal

See All by aereal
3f4be9784f765877f444bc839de29888?s=48 aereal
1
530k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
190k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
190k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
380k
3f4be9784f765877f444bc839de29888?s=48 aereal
0
4.4k
3f4be9784f765877f444bc839de29888?s=48 aereal
1
390k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
3k
3f4be9784f765877f444bc839de29888?s=48 aereal
0
600
3f4be9784f765877f444bc839de29888?s=48 aereal
6
32k

Other Decks in Technology

See All in Technology
C5e26822fb2aa64410b50eac63ef7d84?s=48 fill9120
1
210
80c79a9d024d1e1a253893a78189ce6d?s=48 ujnak
1
100
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
0
110
5919537a0ecfa5d4dea704cf878ae90e?s=48 toshimaru
28
10k
Cb88f765dd38cd942c39aacb5abbea06?s=48 ufoo68
1
210
53850955f15249a1a9dc49df6113e400?s=48 line_developers
0
130
6b8e2101579190ad96e747e01c279898?s=48 pauloxnet
0
290
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
0
210
405fe9ab689473f267e2cfbd95f78c75?s=48 kyonmm
0
360
B51ca7a51ae1fd06bc536fe83e6113e2?s=48 kaz29
6
4.3k
5d715b858124e0dd59af1a92e4397acd?s=48 y_temp4
0
100
13725f35541aa680ed5f85d16b85947a?s=48 tacck
0
930

Featured

See All Featured
245cee81a9c424266e5e401d844ea881?s=48 lara
168
9.1k
4262b9cfacfb6b2c77f23e1d0310cd3e?s=48 myddelton
104
10k
0c6fd6a08d0f898159cda7cafcacf07f?s=48 afnizarnur
175
14k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1348
190k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
119
7.7k
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
264
16k
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
410
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
202
35k
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
110
24k
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
353
62k
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
101
4.7k
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
398
20k

Transcript

  1. AWSͰ͸ͯͳϒϩάͷ
 ৗ࣌HTTPS഑৴Λ
 όʔϯͱ΍Δ࿩ Hatena Engineer Seminar #10 @ Tokyo גࣜձࣾ͸ͯͳ

    id:aereal

  2. ࣗݾ঺հ • id:aereal • GitHub: aereal • Twitter: aereal •

    ϒϩάϢʔβʔνʔϜ
 ΞϓϦέʔγϣϯΤϯδχΞ
 ςοΫϦʔυ

  3. ࿩͢͜ͱ • ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷٕज़తͳৄࡉ • ূ໌ॻͷಈతಡΈࠐΈ • ূ໌ॻͷࣗಈߋ৽ • ͓ΑͼϓϩδΣΫτͷਐΊํ

  4. എܠ • ͸ͯͳϒϩάͰ͸ɺ͸ͯͳఏڙυϝΠϯͷ
 ͍ͣΕ͔͔Βબ΂·͢ • *.hatenablog.com, *.hatenadiary.jp, etc. • ͞Βʹɺ͸ͯͳϒϩάPro

    (༗ྉΦϓγϣϯ) ʹਃ͠ࠐΉͱ
 ಠࣗυϝΠϯ͕࢖͑·͢ • ಠࣗυϝΠϯͰ΋ৗ࣌HTTPS഑৴Λ࣮ݱ͍ͨ͠

  5. Let's Encrypt • https://letsencrypt.org/ • ISRG = Internet Security Research

    Group͕ఏڙ͢Δ
 ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ (CA) • ෆಛఆଟ਺ͷυϝΠϯʹର͢Δ
 ূ໌ॻൃߦͷࣗಈԽ͕Մೳʹͳͬͨ

  6. Let's Encrypt • ಠࣗυϝΠϯͷৗ࣌HTTPS഑৴ʹ͔ܽͤͳ͍ଘࡏɺ౰વ ར༻͠·͢ • Let's EncryptΛར༻͢Δاۀͱͯ͠ɺ
 ·ͨܝ͛Δࢥ૝ʹڞײ͢ΔWebαʔϏεࣄۀऀͱͯ͠ɺ
 ͸ͯͳ͸Let's

    Encryptʹد෇Λ͠·͢

  7. ಠࣗυϝΠϯͱূ໌ॻ • DONE: ͸ͯͳఏڙυϝΠϯ (*.hatenablog.com, etc.) • ਺͕஌Ε͍ͯΔͷͰূ໌ॻ1ͭͷ഑ஔͰࡁΉ • SAN

    (= Subject Alternative Names) Λ࢖͏ • ϫΠϧυΧʔυূ໌ॻΛ࢖͏

  8. ಠࣗυϝΠϯͱূ໌ॻ • ಠࣗυϝΠϯ • ਺͕ଟ͍ͷͰূ໌ॻͷൃߦ΋ಡΈࠐΈ΋େม • LE = Let's Encrypt͸ূ໌ॻ͋ͨΓ


    100υϝΠϯͷ੍໿͕͋Δ • Ұ౓ʹಡΈࠐΉͱproxyͷϝϞϦ࢖༻ྔ͕ਹΉ

  9. ΰʔϧ(1): ূ໌ॻͷಡΈࠐΈ • ؆୯ͷͨΊূ໌ॻ͸1υϝΠϯ1ͭɺSAN͸࢖Θͳ͍ • ΦϯσϚϯυͰಡΈࠐΜͰϝϞϦઅ໿ • ϘτϧωοΫʹͳΓ͏ΔͷͰ
 ϥ΢ϯυτϦοϓɺϨΠςϯγΛ཈͍͑ͨ

  10. ΰʔϧ (2): ఆظߋ৽ • ϦΞϧλΠϜੑ͸௿͍ • ظݶΛܴ͑Δ·Ͱͷ೚ҙͷλΠϛϯάͰ
 ࣮ߦ͢Ε͹Α͍ • ҰํɺσʔλҰ؏ੑʹର͢Δཁٻ͕ߴ͍

    • ࣦഊ͢ΔͳͲߋ৽࿙Ε͕͋Δͱ·͍ͣ • ֎෦API (LE) Λར༻͢ΔͨΊࣦഊՄೳੑ͕ߴ͍
 →ద੾ͳϦτϥΠॲཧ͕ඞཁ

  11. γεςϜͷߏ੒

  12. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  13. ূ໌ॻͷಡΈࠐΈ

  14. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTPS ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  15. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  16. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  17. ূ໌ॻͷಈతಡΈࠐΈ • cert-dispatcher: ngx_mruby • TLS handshake࣌ʹϋϯυϥ͕ݺ͹ΕΔ • cert-cache-gwʹHTTP GETͯ͠ূ໌ॻΛऔಘ͢Δ

    • cert-cache-gw: GoͰॻ͍ͨHTTP API • υϝΠϯʹରԠ͢Δূ໌ॻΛcert-store (DynamoDB) ͔ Βऔಘͯ͠ฦ͢ • cert-cache (memcached) ʹ΋อଘ͢Δ

  18. ূ໌ॻͷऔಘ

  19. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  20. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  21. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  22. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  23. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  24. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  25. ূ໌ॻͷൃߦ • cert-updater-state: AWS Step Functions • JSONͰεςʔτϚγϯΛ࣮ߦͯ͘͠ΕΔαʔϏε • ॊೈͳϦτϥΠॲཧ΍ঢ়ଶભҠΛ؅ཧͰ͖Δ

    • cert-updater-function: AWS Lambda • LEͱ௨৴͠ূ໌ॻΛऔಘ͢Δ • ൃߦͨ͠ূ໌ॻ͸DynamoDBʹॻ͖ࠐΉ • cert-update-notifier: AWS Lambda • ূ໌ॻͷൃߦঢ়گΛ͸ͯͳϒϩάຊମʹ఻͑Δ

  26. ূ໌ॻͷఆظߋ৽

  27. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  28. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  29. ূ໌ॻͷఆظߋ৽ • cert-lifecycle-store: DynamoDB • ূ໌ॻͷऔಘ࣌ʹ͜ͷςʔϒϧʹ΋ॻ͖ࠐΉ • TTL triggerΛൃߦ͠ɺcert-update-triggerΛىಈ͢Δ •

    cert-update-trigger: AWS Lambda • TTL͕੾Εͯ࡟আ͞ΕͨΞΠςϜΛड͚औΔ • cert-updater-stateΛ࣮ߦ͠ɺূ໌ॻऔಘϑϩʔΛ։࢝

  30. DynamoDB TTL

  31. cert-lifecycle-store
 (DynamoDB) Domain: ex1.example.com ExpiresAt: 2018-05-23T02:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00

    Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  32. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00

    Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  33. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  34. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  35. ͳͥAWS͔ • ෳࡶ͔ͭߴ౓ͳόονΛߏஙʹඞཁͳαʔϏε͕
 ἧ͍ͬͯΔ͔Β • ෳࡶ: ূ໌ॻͷऔಘɾ݁Ռͷ௨஌ͳͲෳ਺εςοϓ͔Β ͳΔ • ߴ౓:

    ෼ࢄΞϓϦέʔγϣϯʹ΋ؔΘΒͣ
 σʔλͷҰ؏ੑ͕ߴ͍ϨϕϧͰٻΊΒΕΔ • = Lambda, Step Functions, etc.

  36. Step Functions͸࠷ߴ • ग़ྗ಺༰ʹԠͯ͡ঢ়ଶભҠΛ෼ذͰ͖Δ • άϥϑΟΧϧʹग़ྗͯ͘͠ΕΔ (͍͢͝!) • Τϥʔग़ྗ಺༰ʹԠ্ͨ͡ݶ෇͖ϦτϥΠॲཧ •

    ΊͪΌͪ͘Ό͔ͬ͜Α͘ͳ͍Ͱ͔͢?
  37. None
  38. None

  39. Go • Lambda function͸͢΂ͯGo, cert-cache-gw΋Go • ίϯύΠϥʹΑΔܕݕࠪͰ҆৺ • ೖग़ྗͷܕΛLambda functionؒͰڞ༗Ͱ͖ɺ


    ᴥᴪ͕ੜͨ͡ΒίϯύΠϧΤϥʔʹͳΔ • ΤίγεςϜ͕੒ख़͍ͯ͠Δ • ΫϩείϯύΠϧ • ςετϥϯφʔɺςετϑϨʔϜϫʔΫ

  40. ϓϩδΣΫτͷਐΊํ • ΞʔΩςΫνϟΛݕ౼ • AWSΛۦ࢖ͨ࣍͠ੈ୅TSDBͷઃܭʹؔΘͬͨ
 id:y_uukiʹڠྗͯ͠΋Βͬͨ • http://blog.yuuk.io/entry/the-rebuild-of-tsdb-on-cloud • ϓϩτλΠϐϯά

    (1िؒ) • ࣮ࡍʹखΛಈ͔͢͜ͱͰෆ໌ྎͩͬͨ఺ͷݟੵ΋Γ͕ਖ਼֬ʹͳͬͨ • (LambdaͷσϓϩΠͳͲ) • Goॳֶऀͩͬͨϝϯόʔ΋צΛ௫Ίͯɺຊ࣮૷Ͱ૝ఆҎ্ʹ
 ϕϩγςΟ͕҆ఆͨ͠

  41. ϓϩδΣΫτͷਐΊํ • ·ͣূ໌ॻಡΈࠐΈ෦෼ (cert-loader) Λ։ൃ • ͜ͷ࣌఺Ͱ͸·ͩূ໌ॻΛऔಘ͠ͳ͍ͷͰɺӨڹ͸ͳ ͍ • ࣍ʹূ໌ॻऔಘ෦෼

    (cert-updater) Λ։ൃ • ͜ͷ෦෼ΛϦϦʔε͢Δ͜ͱͰ͸͡Ίͯ
 ಠࣗυϝΠϯͰHTTPS഑৴͕ར༻ՄೳʹͳΔ

  42. ϓϩδΣΫτͷਐΊํ • ϦϦʔε୯ҐͷCQS = ίϚϯυΫΤϦ෼ׂ͕ͳ͞Εͨ • command: cert-updater • query:

    cert-loader • CQS = Command-query Separation: • มߋܥ (command) ͱಡऔܥ (query) Λ
 ෼ׂ͢ΔΞʔΩςΫνϟ • େ͖ͳϦϦʔεͰ͋Δ͕ɺগͣͭ͠ग़͍ͯ͘͠ͱ͍͏
 ීஈͷελΠϧΛऔΓೖΕΒΕ͍ͯΔ

  43. ·ͱΊ • ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷཪଆΛ͝঺հ͠·ͨ͠ • ։ൃ͸ॱௐͰɺࠂ஌௨ΓͷεέδϡʔϧͰ
 ఏڙ։࢝Ͱ͖ΔݟࠐΈͰ͢ • ࣮͸Perl͚ͩ͡Όͳ͍͠ɺAWS΋׆༻͍ͯ͠·͢!

  44. એ఻: αϚʔΠϯλʔϯ2018 • http://developer.hatenastaff.com/entry/intern- preentry-2018 • ࠓ೥΋΍Γ·͢ • લ൒ߨٛͷݴޠ͸GoͰ͢

  45. ׬