Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migr...
Search
aereal
May 23, 2018
Technology
14
17k
AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS
Hatena Engineer Seminar #10 (
https://hatena.connpass.com/event/87909/
) で発表した資料です。
aereal
May 23, 2018
Tweet
Share
More Decks by aereal
See All by aereal
How to send distibuted traces to Datadog using build own OpenTelemetry-Lambda distribution
aereal
3
200
好きな技術《コト》で、 生きていく技術 / life with what you like
aereal
5
2.3k
qron: Cloud Native Cron Alternativeの今
aereal
2
2.1k
自動作曲入門 / introduction to programatic music composition
aereal
1
530k
はてなブログ タグとCDK / The epic of AWS CDK and Hatena Blog Tag
aereal
3
200k
はてなブログ タグの技術選択 / The technical details of Hatena Blog Tag
aereal
3
200k
ブログサービスのHTTPS化を支えたAWSで作るピタゴラスイッチ / The construction of large scale TLS certificates management system with AWS
aereal
3
400k
ScalaとPerlでMicroservices in production / Building microservices with Perl and Scala in production
aereal
0
5.3k
Scalaで自動作曲の練習 / A study of automatic composition in Scala
aereal
1
390k
Other Decks in Technology
See All in Technology
Terraform Stacks入門 #HashiTalks
msato
0
350
Lambdaと地方とコミュニティ
miu_crescent
2
360
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
170
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
スクラム成熟度セルフチェックツールを作って得た学びとその活用法
coincheck_recruit
1
140
CysharpのOSS群から見るModern C#の現在地
neuecc
1
3k
いざ、BSC討伐の旅
nikinusu
2
770
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
150
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
480
複雑なState管理からの脱却
sansantech
PRO
1
130
AGIについてChatGPTに聞いてみた
blueb
0
130
Featured
See All Featured
Statistics for Hackers
jakevdp
796
220k
Producing Creativity
orderedlist
PRO
341
39k
Optimizing for Happiness
mojombo
376
70k
Fireside Chat
paigeccino
34
3k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
4 Signs Your Business is Dying
shpigford
180
21k
A Modern Web Designer's Workflow
chriscoyier
693
190k
We Have a Design System, Now What?
morganepeng
50
7.2k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Transcript
AWSͰͯͳϒϩάͷ ৗ࣌HTTPS৴Λ όʔϯͱΔ Hatena Engineer Seminar #10 @ Tokyo גࣜձࣾͯͳ
id:aereal
ࣗݾհ • id:aereal • GitHub: aereal • Twitter: aereal •
ϒϩάϢʔβʔνʔϜ ΞϓϦέʔγϣϯΤϯδχΞ ςοΫϦʔυ
͢͜ͱ • ͯͳϒϩάͷৗ࣌HTTPS৴ͷٕज़తͳৄࡉ • ূ໌ॻͷಈతಡΈࠐΈ • ূ໌ॻͷࣗಈߋ৽ • ͓ΑͼϓϩδΣΫτͷਐΊํ
എܠ • ͯͳϒϩάͰɺͯͳఏڙυϝΠϯͷ ͍ͣΕ͔͔Βબ·͢ • *.hatenablog.com, *.hatenadiary.jp, etc. • ͞ΒʹɺͯͳϒϩάPro
(༗ྉΦϓγϣϯ) ʹਃ͠ࠐΉͱ ಠࣗυϝΠϯ͕͑·͢ • ಠࣗυϝΠϯͰৗ࣌HTTPS৴Λ࣮ݱ͍ͨ͠
Let's Encrypt • https://letsencrypt.org/ • ISRG = Internet Security Research
Group͕ఏڙ͢Δ ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ (CA) • ෆಛఆଟͷυϝΠϯʹର͢Δ ূ໌ॻൃߦͷࣗಈԽ͕Մೳʹͳͬͨ
Let's Encrypt • ಠࣗυϝΠϯͷৗ࣌HTTPS৴ʹ͔ܽͤͳ͍ଘࡏɺવ ར༻͠·͢ • Let's EncryptΛར༻͢Δاۀͱͯ͠ɺ ·ͨܝ͛Δࢥʹڞײ͢ΔWebαʔϏεࣄۀऀͱͯ͠ɺ ͯͳLet's
EncryptʹدΛ͠·͢
ಠࣗυϝΠϯͱূ໌ॻ • DONE: ͯͳఏڙυϝΠϯ (*.hatenablog.com, etc.) • ͕Ε͍ͯΔͷͰূ໌ॻ1ͭͷஔͰࡁΉ • SAN
(= Subject Alternative Names) Λ͏ • ϫΠϧυΧʔυূ໌ॻΛ͏
ಠࣗυϝΠϯͱূ໌ॻ • ಠࣗυϝΠϯ • ͕ଟ͍ͷͰূ໌ॻͷൃߦಡΈࠐΈେม • LE = Let's Encryptূ໌ॻ͋ͨΓ
100υϝΠϯͷ੍͕͋Δ • ҰʹಡΈࠐΉͱproxyͷϝϞϦ༻ྔ͕ਹΉ
ΰʔϧ(1): ূ໌ॻͷಡΈࠐΈ • ؆୯ͷͨΊূ໌ॻ1υϝΠϯ1ͭɺSANΘͳ͍ • ΦϯσϚϯυͰಡΈࠐΜͰϝϞϦઅ • ϘτϧωοΫʹͳΓ͏ΔͷͰ ϥϯυτϦοϓɺϨΠςϯγΛ͍͑ͨ
ΰʔϧ (2): ఆظߋ৽ • ϦΞϧλΠϜੑ͍ • ظݶΛܴ͑Δ·ͰͷҙͷλΠϛϯάͰ ࣮ߦ͢ΕΑ͍ • ҰํɺσʔλҰ؏ੑʹର͢Δཁٻ͕ߴ͍
• ࣦഊ͢ΔͳͲߋ৽࿙Ε͕͋Δͱ·͍ͣ • ֎෦API (LE) Λར༻͢ΔͨΊࣦഊՄೳੑ͕ߴ͍ →దͳϦτϥΠॲཧ͕ඞཁ
γεςϜͷߏ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷಡΈࠐΈ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTPS ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷಈతಡΈࠐΈ • cert-dispatcher: ngx_mruby • TLS handshake࣌ʹϋϯυϥ͕ݺΕΔ • cert-cache-gwʹHTTP GETͯ͠ূ໌ॻΛऔಘ͢Δ
• cert-cache-gw: GoͰॻ͍ͨHTTP API • υϝΠϯʹରԠ͢Δূ໌ॻΛcert-store (DynamoDB) ͔ Βऔಘͯ͠ฦ͢ • cert-cache (memcached) ʹอଘ͢Δ
ূ໌ॻͷऔಘ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷൃߦ • cert-updater-state: AWS Step Functions • JSONͰεςʔτϚγϯΛ࣮ߦͯ͘͠ΕΔαʔϏε • ॊೈͳϦτϥΠॲཧঢ়ଶભҠΛཧͰ͖Δ
• cert-updater-function: AWS Lambda • LEͱ௨৴͠ূ໌ॻΛऔಘ͢Δ • ൃߦͨ͠ূ໌ॻDynamoDBʹॻ͖ࠐΉ • cert-update-notifier: AWS Lambda • ূ໌ॻͷൃߦঢ়گΛͯͳϒϩάຊମʹ͑Δ
ূ໌ॻͷఆظߋ৽
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷఆظߋ৽ • cert-lifecycle-store: DynamoDB • ূ໌ॻͷऔಘ࣌ʹ͜ͷςʔϒϧʹॻ͖ࠐΉ • TTL triggerΛൃߦ͠ɺcert-update-triggerΛىಈ͢Δ •
cert-update-trigger: AWS Lambda • TTL͕Εͯআ͞ΕͨΞΠςϜΛड͚औΔ • cert-updater-stateΛ࣮ߦ͠ɺূ໌ॻऔಘϑϩʔΛ։࢝
DynamoDB TTL
cert-lifecycle-store (DynamoDB) Domain: ex1.example.com ExpiresAt: 2018-05-23T02:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00
Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00
Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
ͳͥAWS͔ • ෳࡶ͔ͭߴͳόονΛߏஙʹඞཁͳαʔϏε͕ ἧ͍ͬͯΔ͔Β • ෳࡶ: ূ໌ॻͷऔಘɾ݁Ռͷ௨ͳͲෳεςοϓ͔Β ͳΔ • ߴ:
ࢄΞϓϦέʔγϣϯʹؔΘΒͣ σʔλͷҰ؏ੑ͕ߴ͍ϨϕϧͰٻΊΒΕΔ • = Lambda, Step Functions, etc.
Step Functions࠷ߴ • ग़ྗ༰ʹԠͯ͡ঢ়ଶભҠΛذͰ͖Δ • άϥϑΟΧϧʹग़ྗͯ͘͠ΕΔ (͍͢͝!) • Τϥʔग़ྗ༰ʹԠ্ͨ͡ݶ͖ϦτϥΠॲཧ •
ΊͪΌͪ͘Ό͔ͬ͜Α͘ͳ͍Ͱ͔͢?
None
None
Go • Lambda functionͯ͢Go, cert-cache-gwGo • ίϯύΠϥʹΑΔܕݕࠪͰ҆৺ • ೖग़ྗͷܕΛLambda functionؒͰڞ༗Ͱ͖ɺ
ᴥᴪ͕ੜͨ͡ΒίϯύΠϧΤϥʔʹͳΔ • ΤίγεςϜ͕ख़͍ͯ͠Δ • ΫϩείϯύΠϧ • ςετϥϯφʔɺςετϑϨʔϜϫʔΫ
ϓϩδΣΫτͷਐΊํ • ΞʔΩςΫνϟΛݕ౼ • AWSΛۦͨ࣍͠ੈTSDBͷઃܭʹؔΘͬͨ id:y_uukiʹڠྗͯ͠Βͬͨ • http://blog.yuuk.io/entry/the-rebuild-of-tsdb-on-cloud • ϓϩτλΠϐϯά
(1िؒ) • ࣮ࡍʹखΛಈ͔͢͜ͱͰෆ໌ྎͩͬͨͷݟੵΓ͕ਖ਼֬ʹͳͬͨ • (LambdaͷσϓϩΠͳͲ) • GoॳֶऀͩͬͨϝϯόʔצΛ௫Ίͯɺຊ࣮ͰఆҎ্ʹ ϕϩγςΟ͕҆ఆͨ͠
ϓϩδΣΫτͷਐΊํ • ·ͣূ໌ॻಡΈࠐΈ෦ (cert-loader) Λ։ൃ • ͜ͷ࣌Ͱ·ͩূ໌ॻΛऔಘ͠ͳ͍ͷͰɺӨڹͳ ͍ • ࣍ʹূ໌ॻऔಘ෦
(cert-updater) Λ։ൃ • ͜ͷ෦ΛϦϦʔε͢Δ͜ͱͰ͡Ίͯ ಠࣗυϝΠϯͰHTTPS৴͕ར༻ՄೳʹͳΔ
ϓϩδΣΫτͷਐΊํ • ϦϦʔε୯ҐͷCQS = ίϚϯυΫΤϦׂ͕ͳ͞Εͨ • command: cert-updater • query:
cert-loader • CQS = Command-query Separation: • มߋܥ (command) ͱಡऔܥ (query) Λ ׂ͢ΔΞʔΩςΫνϟ • େ͖ͳϦϦʔεͰ͋Δ͕ɺগͣͭ͠ग़͍ͯ͘͠ͱ͍͏ ීஈͷελΠϧΛऔΓೖΕΒΕ͍ͯΔ
·ͱΊ • ͯͳϒϩάͷৗ࣌HTTPS৴ͷཪଆΛ͝հ͠·ͨ͠ • ։ൃॱௐͰɺࠂ௨ΓͷεέδϡʔϧͰ ఏڙ։࢝Ͱ͖ΔݟࠐΈͰ͢ • ࣮Perl͚ͩ͡Όͳ͍͠ɺAWS׆༻͍ͯ͠·͢!
એ: αϚʔΠϯλʔϯ2018 • http://developer.hatenastaff.com/entry/intern- preentry-2018 • ࠓΓ·͢ • લߨٛͷݴޠGoͰ͢
aereal
msato
miu_crescent
kazzpapa3
sinsoku
coincheck_recruit
neuecc
nikinusu
yoshidashingo
kakehashi
kazuhitotakahashi
sansantech
blueb
jakevdp
orderedlist
mojombo
paigeccino
sugarenia
wjessup
shpigford
chriscoyier
morganepeng
dougneiner
soudai
mraible
