AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS

3f4be9784f765877f444bc839de29888?s=47 aereal
May 23, 2018
Technology
14
14k

AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS

Hatena Engineer Seminar #10 (https://hatena.connpass.com/event/87909/) で発表した資料です。

3f4be9784f765877f444bc839de29888?s=128

aereal

May 23, 2018
Tweet

More Decks by aereal

See All by aereal
3f4be9784f765877f444bc839de29888?s=48 aereal
1
530k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
200k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
190k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
380k
3f4be9784f765877f444bc839de29888?s=48 aereal
0
4.4k
3f4be9784f765877f444bc839de29888?s=48 aereal
1
390k
3f4be9784f765877f444bc839de29888?s=48 aereal
3
3k
3f4be9784f765877f444bc839de29888?s=48 aereal
0
630
3f4be9784f765877f444bc839de29888?s=48 aereal
6
32k

Other Decks in Technology

See All in Technology
D2bcabeeb1ddff142fb8988b412cb4d3?s=48 yanzm
5
800
Ab105a906be119156fcacd5cd940f8a4?s=48 knolleary
1
2.2k
A2cac4b3dcb2bc0b87917ddc034ef708?s=48 sansandsoc
1
750
57eb5b1713206c5edb521dde99cc5f30?s=48 key
0
120
25b30e875da37bab1edc8fbc2fe23df7?s=48 _mossann_t
0
330
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
1.7k
22ac00b36d2057e61ee1c06f0f5dc6cb?s=48 nakazax
2
140
58d1281770fe55a05a96600244ec8341?s=48 kpgalligan
2
190
380bcd2ab751f5838abd8219df53e5fe?s=48 tomoki10
0
240
53850955f15249a1a9dc49df6113e400?s=48 line_developers
0
340
95aaab3d693889550fd2e7ae02f2f789?s=48 takaking22
13
5.1k
1bfc6e2ed04a895bb36f36b86828b689?s=48 110y
1
140

Featured

See All Featured
1f74b13f1e5c6c69cb5d7fbaabb1e2cb?s=48 sferik
609
54k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1348
190k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
435
28k
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
PRO
326
35k
78b475797a14c84799063c7cd073962f?s=48 holman
459
270k
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
769
190k
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
250
11k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
682
180k
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
18
980
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
11
680
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
145
19k
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1019
370k

Transcript

  1. AWSͰ͸ͯͳϒϩάͷ
 ৗ࣌HTTPS഑৴Λ
 όʔϯͱ΍Δ࿩ Hatena Engineer Seminar #10 @ Tokyo גࣜձࣾ͸ͯͳ

    id:aereal

  2. ࣗݾ঺հ • id:aereal • GitHub: aereal • Twitter: aereal •

    ϒϩάϢʔβʔνʔϜ
 ΞϓϦέʔγϣϯΤϯδχΞ
 ςοΫϦʔυ

  3. ࿩͢͜ͱ • ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷٕज़తͳৄࡉ • ূ໌ॻͷಈతಡΈࠐΈ • ূ໌ॻͷࣗಈߋ৽ • ͓ΑͼϓϩδΣΫτͷਐΊํ

  4. എܠ • ͸ͯͳϒϩάͰ͸ɺ͸ͯͳఏڙυϝΠϯͷ
 ͍ͣΕ͔͔Βબ΂·͢ • *.hatenablog.com, *.hatenadiary.jp, etc. • ͞Βʹɺ͸ͯͳϒϩάPro

    (༗ྉΦϓγϣϯ) ʹਃ͠ࠐΉͱ
 ಠࣗυϝΠϯ͕࢖͑·͢ • ಠࣗυϝΠϯͰ΋ৗ࣌HTTPS഑৴Λ࣮ݱ͍ͨ͠

  5. Let's Encrypt • https://letsencrypt.org/ • ISRG = Internet Security Research

    Group͕ఏڙ͢Δ
 ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ (CA) • ෆಛఆଟ਺ͷυϝΠϯʹର͢Δ
 ূ໌ॻൃߦͷࣗಈԽ͕Մೳʹͳͬͨ

  6. Let's Encrypt • ಠࣗυϝΠϯͷৗ࣌HTTPS഑৴ʹ͔ܽͤͳ͍ଘࡏɺ౰વ ར༻͠·͢ • Let's EncryptΛར༻͢Δاۀͱͯ͠ɺ
 ·ͨܝ͛Δࢥ૝ʹڞײ͢ΔWebαʔϏεࣄۀऀͱͯ͠ɺ
 ͸ͯͳ͸Let's

    Encryptʹد෇Λ͠·͢

  7. ಠࣗυϝΠϯͱূ໌ॻ • DONE: ͸ͯͳఏڙυϝΠϯ (*.hatenablog.com, etc.) • ਺͕஌Ε͍ͯΔͷͰূ໌ॻ1ͭͷ഑ஔͰࡁΉ • SAN

    (= Subject Alternative Names) Λ࢖͏ • ϫΠϧυΧʔυূ໌ॻΛ࢖͏

  8. ಠࣗυϝΠϯͱূ໌ॻ • ಠࣗυϝΠϯ • ਺͕ଟ͍ͷͰূ໌ॻͷൃߦ΋ಡΈࠐΈ΋େม • LE = Let's Encrypt͸ূ໌ॻ͋ͨΓ


    100υϝΠϯͷ੍໿͕͋Δ • Ұ౓ʹಡΈࠐΉͱproxyͷϝϞϦ࢖༻ྔ͕ਹΉ

  9. ΰʔϧ(1): ূ໌ॻͷಡΈࠐΈ • ؆୯ͷͨΊূ໌ॻ͸1υϝΠϯ1ͭɺSAN͸࢖Θͳ͍ • ΦϯσϚϯυͰಡΈࠐΜͰϝϞϦઅ໿ • ϘτϧωοΫʹͳΓ͏ΔͷͰ
 ϥ΢ϯυτϦοϓɺϨΠςϯγΛ཈͍͑ͨ

  10. ΰʔϧ (2): ఆظߋ৽ • ϦΞϧλΠϜੑ͸௿͍ • ظݶΛܴ͑Δ·Ͱͷ೚ҙͷλΠϛϯάͰ
 ࣮ߦ͢Ε͹Α͍ • ҰํɺσʔλҰ؏ੑʹର͢Δཁٻ͕ߴ͍

    • ࣦഊ͢ΔͳͲߋ৽࿙Ε͕͋Δͱ·͍ͣ • ֎෦API (LE) Λར༻͢ΔͨΊࣦഊՄೳੑ͕ߴ͍
 →ద੾ͳϦτϥΠॲཧ͕ඞཁ

  11. γεςϜͷߏ੒

  12. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  13. ূ໌ॻͷಡΈࠐΈ

  14. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTPS ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  15. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  16. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  17. ূ໌ॻͷಈతಡΈࠐΈ • cert-dispatcher: ngx_mruby • TLS handshake࣌ʹϋϯυϥ͕ݺ͹ΕΔ • cert-cache-gwʹHTTP GETͯ͠ূ໌ॻΛऔಘ͢Δ

    • cert-cache-gw: GoͰॻ͍ͨHTTP API • υϝΠϯʹରԠ͢Δূ໌ॻΛcert-store (DynamoDB) ͔ Βऔಘͯ͠ฦ͢ • cert-cache (memcached) ʹ΋อଘ͢Δ

  18. ূ໌ॻͷऔಘ

  19. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  20. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  21. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  22. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  23. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  24. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  25. ূ໌ॻͷൃߦ • cert-updater-state: AWS Step Functions • JSONͰεςʔτϚγϯΛ࣮ߦͯ͘͠ΕΔαʔϏε • ॊೈͳϦτϥΠॲཧ΍ঢ়ଶભҠΛ؅ཧͰ͖Δ

    • cert-updater-function: AWS Lambda • LEͱ௨৴͠ূ໌ॻΛऔಘ͢Δ • ൃߦͨ͠ূ໌ॻ͸DynamoDBʹॻ͖ࠐΉ • cert-update-notifier: AWS Lambda • ূ໌ॻͷൃߦঢ়گΛ͸ͯͳϒϩάຊମʹ఻͑Δ

  26. ূ໌ॻͷఆظߋ৽

  27. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  28. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

  29. ূ໌ॻͷఆظߋ৽ • cert-lifecycle-store: DynamoDB • ূ໌ॻͷऔಘ࣌ʹ͜ͷςʔϒϧʹ΋ॻ͖ࠐΉ • TTL triggerΛൃߦ͠ɺcert-update-triggerΛىಈ͢Δ •

    cert-update-trigger: AWS Lambda • TTL͕੾Εͯ࡟আ͞ΕͨΞΠςϜΛड͚औΔ • cert-updater-stateΛ࣮ߦ͠ɺূ໌ॻऔಘϑϩʔΛ։࢝

  30. DynamoDB TTL

  31. cert-lifecycle-store
 (DynamoDB) Domain: ex1.example.com ExpiresAt: 2018-05-23T02:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00

    Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  32. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00

    Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  33. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  34. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  35. ͳͥAWS͔ • ෳࡶ͔ͭߴ౓ͳόονΛߏஙʹඞཁͳαʔϏε͕
 ἧ͍ͬͯΔ͔Β • ෳࡶ: ূ໌ॻͷऔಘɾ݁Ռͷ௨஌ͳͲෳ਺εςοϓ͔Β ͳΔ • ߴ౓:

    ෼ࢄΞϓϦέʔγϣϯʹ΋ؔΘΒͣ
 σʔλͷҰ؏ੑ͕ߴ͍ϨϕϧͰٻΊΒΕΔ • = Lambda, Step Functions, etc.

  36. Step Functions͸࠷ߴ • ग़ྗ಺༰ʹԠͯ͡ঢ়ଶભҠΛ෼ذͰ͖Δ • άϥϑΟΧϧʹग़ྗͯ͘͠ΕΔ (͍͢͝!) • Τϥʔग़ྗ಺༰ʹԠ্ͨ͡ݶ෇͖ϦτϥΠॲཧ •

    ΊͪΌͪ͘Ό͔ͬ͜Α͘ͳ͍Ͱ͔͢?
  37. None
  38. None

  39. Go • Lambda function͸͢΂ͯGo, cert-cache-gw΋Go • ίϯύΠϥʹΑΔܕݕࠪͰ҆৺ • ೖग़ྗͷܕΛLambda functionؒͰڞ༗Ͱ͖ɺ


    ᴥᴪ͕ੜͨ͡ΒίϯύΠϧΤϥʔʹͳΔ • ΤίγεςϜ͕੒ख़͍ͯ͠Δ • ΫϩείϯύΠϧ • ςετϥϯφʔɺςετϑϨʔϜϫʔΫ

  40. ϓϩδΣΫτͷਐΊํ • ΞʔΩςΫνϟΛݕ౼ • AWSΛۦ࢖ͨ࣍͠ੈ୅TSDBͷઃܭʹؔΘͬͨ
 id:y_uukiʹڠྗͯ͠΋Βͬͨ • http://blog.yuuk.io/entry/the-rebuild-of-tsdb-on-cloud • ϓϩτλΠϐϯά

    (1िؒ) • ࣮ࡍʹखΛಈ͔͢͜ͱͰෆ໌ྎͩͬͨ఺ͷݟੵ΋Γ͕ਖ਼֬ʹͳͬͨ • (LambdaͷσϓϩΠͳͲ) • Goॳֶऀͩͬͨϝϯόʔ΋צΛ௫Ίͯɺຊ࣮૷Ͱ૝ఆҎ্ʹ
 ϕϩγςΟ͕҆ఆͨ͠

  41. ϓϩδΣΫτͷਐΊํ • ·ͣূ໌ॻಡΈࠐΈ෦෼ (cert-loader) Λ։ൃ • ͜ͷ࣌఺Ͱ͸·ͩূ໌ॻΛऔಘ͠ͳ͍ͷͰɺӨڹ͸ͳ ͍ • ࣍ʹূ໌ॻऔಘ෦෼

    (cert-updater) Λ։ൃ • ͜ͷ෦෼ΛϦϦʔε͢Δ͜ͱͰ͸͡Ίͯ
 ಠࣗυϝΠϯͰHTTPS഑৴͕ར༻ՄೳʹͳΔ

  42. ϓϩδΣΫτͷਐΊํ • ϦϦʔε୯ҐͷCQS = ίϚϯυΫΤϦ෼ׂ͕ͳ͞Εͨ • command: cert-updater • query:

    cert-loader • CQS = Command-query Separation: • มߋܥ (command) ͱಡऔܥ (query) Λ
 ෼ׂ͢ΔΞʔΩςΫνϟ • େ͖ͳϦϦʔεͰ͋Δ͕ɺগͣͭ͠ग़͍ͯ͘͠ͱ͍͏
 ීஈͷελΠϧΛऔΓೖΕΒΕ͍ͯΔ

  43. ·ͱΊ • ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷཪଆΛ͝঺հ͠·ͨ͠ • ։ൃ͸ॱௐͰɺࠂ஌௨ΓͷεέδϡʔϧͰ
 ఏڙ։࢝Ͱ͖ΔݟࠐΈͰ͢ • ࣮͸Perl͚ͩ͡Όͳ͍͠ɺAWS΋׆༻͍ͯ͠·͢!

  44. એ఻: αϚʔΠϯλʔϯ2018 • http://developer.hatenastaff.com/entry/intern- preentry-2018 • ࠓ೥΋΍Γ·͢ • લ൒ߨٛͷݴޠ͸GoͰ͢

  45. ׬