Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migr...
Search
aereal
May 23, 2018
Technology
14
18k
AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS
Hatena Engineer Seminar #10 (
https://hatena.connpass.com/event/87909/
) で発表した資料です。
aereal
May 23, 2018
Tweet
Share
More Decks by aereal
See All by aereal
盆栽転じて家具となる / Bonsai and Furnitures
aereal
0
4.4k
How to send distibuted traces to Datadog using build own OpenTelemetry-Lambda distribution
aereal
3
260
好きな技術《コト》で、 生きていく技術 / life with what you like
aereal
5
3.7k
qron: Cloud Native Cron Alternativeの今
aereal
2
2.6k
自動作曲入門 / introduction to programatic music composition
aereal
1
530k
はてなブログ タグとCDK / The epic of AWS CDK and Hatena Blog Tag
aereal
3
200k
はてなブログ タグの技術選択 / The technical details of Hatena Blog Tag
aereal
3
200k
ブログサービスのHTTPS化を支えたAWSで作るピタゴラスイッチ / The construction of large scale TLS certificates management system with AWS
aereal
3
400k
ScalaとPerlでMicroservices in production / Building microservices with Perl and Scala in production
aereal
0
5.5k
Other Decks in Technology
See All in Technology
SwiftUIとMetalで簡単に作るレアカード風UI
stoticdev
1
110
Web Streams APIの基本と実践、TypeScriptでの活用法 / TSKaigi 2025 Web Streams API
tasshi
4
430
ホワイトボックス& SONiC アーキテクチャ(全体像) - SONiC Workshop Japan 2025
ebiken
PRO
1
450
WindowsでGenesisに挑戦した話
natsutan
0
130
テストコードにはテストの意図を込めよう(2025年版) #retechtalk / Put the intent of the test 2025
nihonbuson
PRO
14
2.3k
Azure AI Foundry Agent Serviceを使用してコードファースト アプリを構築する
tomokusaba
1
110
激動の一年を通じて見えてきた「技術でリードする」ということ
ktr_0731
8
8.6k
名単体テスト 禁断の傀儡(モック)
iwamot
PRO
1
340
フロントエンドがTypeScriptなら、バックエンドはPHPでもいいじゃない/php-is-not-bad
hanhan1978
3
1k
20250514 1Passwordを使い倒す道場 vol.1
east_takumi
0
170
OpenTelemetry SpanProcessor を Let's カスタマイズ!
phaya72
1
110
encoding/json v2を予習しよう!
yuyu_hf
PRO
1
230
Featured
See All Featured
Designing Experiences People Love
moore
142
24k
Adopting Sorbet at Scale
ufuk
76
9.4k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
52
2.7k
Git: the NoSQL Database
bkeepers
PRO
430
65k
4 Signs Your Business is Dying
shpigford
183
22k
Code Review Best Practice
trishagee
68
18k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.3k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
14
1.5k
Into the Great Unknown - MozCon
thekraken
38
1.8k
Building Applications with DynamoDB
mza
94
6.4k
A better future with KSS
kneath
239
17k
Transcript
AWSͰͯͳϒϩάͷ ৗ࣌HTTPS৴Λ όʔϯͱΔ Hatena Engineer Seminar #10 @ Tokyo גࣜձࣾͯͳ
id:aereal
ࣗݾհ • id:aereal • GitHub: aereal • Twitter: aereal •
ϒϩάϢʔβʔνʔϜ ΞϓϦέʔγϣϯΤϯδχΞ ςοΫϦʔυ
͢͜ͱ • ͯͳϒϩάͷৗ࣌HTTPS৴ͷٕज़తͳৄࡉ • ূ໌ॻͷಈతಡΈࠐΈ • ূ໌ॻͷࣗಈߋ৽ • ͓ΑͼϓϩδΣΫτͷਐΊํ
എܠ • ͯͳϒϩάͰɺͯͳఏڙυϝΠϯͷ ͍ͣΕ͔͔Βબ·͢ • *.hatenablog.com, *.hatenadiary.jp, etc. • ͞ΒʹɺͯͳϒϩάPro
(༗ྉΦϓγϣϯ) ʹਃ͠ࠐΉͱ ಠࣗυϝΠϯ͕͑·͢ • ಠࣗυϝΠϯͰৗ࣌HTTPS৴Λ࣮ݱ͍ͨ͠
Let's Encrypt • https://letsencrypt.org/ • ISRG = Internet Security Research
Group͕ఏڙ͢Δ ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ (CA) • ෆಛఆଟͷυϝΠϯʹର͢Δ ূ໌ॻൃߦͷࣗಈԽ͕Մೳʹͳͬͨ
Let's Encrypt • ಠࣗυϝΠϯͷৗ࣌HTTPS৴ʹ͔ܽͤͳ͍ଘࡏɺવ ར༻͠·͢ • Let's EncryptΛར༻͢Δاۀͱͯ͠ɺ ·ͨܝ͛Δࢥʹڞײ͢ΔWebαʔϏεࣄۀऀͱͯ͠ɺ ͯͳLet's
EncryptʹدΛ͠·͢
ಠࣗυϝΠϯͱূ໌ॻ • DONE: ͯͳఏڙυϝΠϯ (*.hatenablog.com, etc.) • ͕Ε͍ͯΔͷͰূ໌ॻ1ͭͷஔͰࡁΉ • SAN
(= Subject Alternative Names) Λ͏ • ϫΠϧυΧʔυূ໌ॻΛ͏
ಠࣗυϝΠϯͱূ໌ॻ • ಠࣗυϝΠϯ • ͕ଟ͍ͷͰূ໌ॻͷൃߦಡΈࠐΈେม • LE = Let's Encryptূ໌ॻ͋ͨΓ
100υϝΠϯͷ੍͕͋Δ • ҰʹಡΈࠐΉͱproxyͷϝϞϦ༻ྔ͕ਹΉ
ΰʔϧ(1): ূ໌ॻͷಡΈࠐΈ • ؆୯ͷͨΊূ໌ॻ1υϝΠϯ1ͭɺSANΘͳ͍ • ΦϯσϚϯυͰಡΈࠐΜͰϝϞϦઅ • ϘτϧωοΫʹͳΓ͏ΔͷͰ ϥϯυτϦοϓɺϨΠςϯγΛ͍͑ͨ
ΰʔϧ (2): ఆظߋ৽ • ϦΞϧλΠϜੑ͍ • ظݶΛܴ͑Δ·ͰͷҙͷλΠϛϯάͰ ࣮ߦ͢ΕΑ͍ • ҰํɺσʔλҰ؏ੑʹର͢Δཁٻ͕ߴ͍
• ࣦഊ͢ΔͳͲߋ৽࿙Ε͕͋Δͱ·͍ͣ • ֎෦API (LE) Λར༻͢ΔͨΊࣦഊՄೳੑ͕ߴ͍ →దͳϦτϥΠॲཧ͕ඞཁ
γεςϜͷߏ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷಡΈࠐΈ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTPS ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷಈతಡΈࠐΈ • cert-dispatcher: ngx_mruby • TLS handshake࣌ʹϋϯυϥ͕ݺΕΔ • cert-cache-gwʹHTTP GETͯ͠ূ໌ॻΛऔಘ͢Δ
• cert-cache-gw: GoͰॻ͍ͨHTTP API • υϝΠϯʹରԠ͢Δূ໌ॻΛcert-store (DynamoDB) ͔ Βऔಘͯ͠ฦ͢ • cert-cache (memcached) ʹอଘ͢Δ
ূ໌ॻͷऔಘ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷൃߦ • cert-updater-state: AWS Step Functions • JSONͰεςʔτϚγϯΛ࣮ߦͯ͘͠ΕΔαʔϏε • ॊೈͳϦτϥΠॲཧঢ়ଶભҠΛཧͰ͖Δ
• cert-updater-function: AWS Lambda • LEͱ௨৴͠ূ໌ॻΛऔಘ͢Δ • ൃߦͨ͠ূ໌ॻDynamoDBʹॻ͖ࠐΉ • cert-update-notifier: AWS Lambda • ূ໌ॻͷൃߦঢ়گΛͯͳϒϩάຊମʹ͑Δ
ূ໌ॻͷఆظߋ৽
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷఆظߋ৽ • cert-lifecycle-store: DynamoDB • ূ໌ॻͷऔಘ࣌ʹ͜ͷςʔϒϧʹॻ͖ࠐΉ • TTL triggerΛൃߦ͠ɺcert-update-triggerΛىಈ͢Δ •
cert-update-trigger: AWS Lambda • TTL͕Εͯআ͞ΕͨΞΠςϜΛड͚औΔ • cert-updater-stateΛ࣮ߦ͠ɺূ໌ॻऔಘϑϩʔΛ։࢝
DynamoDB TTL
cert-lifecycle-store (DynamoDB) Domain: ex1.example.com ExpiresAt: 2018-05-23T02:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00
Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00
Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
ͳͥAWS͔ • ෳࡶ͔ͭߴͳόονΛߏஙʹඞཁͳαʔϏε͕ ἧ͍ͬͯΔ͔Β • ෳࡶ: ূ໌ॻͷऔಘɾ݁Ռͷ௨ͳͲෳεςοϓ͔Β ͳΔ • ߴ:
ࢄΞϓϦέʔγϣϯʹؔΘΒͣ σʔλͷҰ؏ੑ͕ߴ͍ϨϕϧͰٻΊΒΕΔ • = Lambda, Step Functions, etc.
Step Functions࠷ߴ • ग़ྗ༰ʹԠͯ͡ঢ়ଶભҠΛذͰ͖Δ • άϥϑΟΧϧʹग़ྗͯ͘͠ΕΔ (͍͢͝!) • Τϥʔग़ྗ༰ʹԠ্ͨ͡ݶ͖ϦτϥΠॲཧ •
ΊͪΌͪ͘Ό͔ͬ͜Α͘ͳ͍Ͱ͔͢?
None
None
Go • Lambda functionͯ͢Go, cert-cache-gwGo • ίϯύΠϥʹΑΔܕݕࠪͰ҆৺ • ೖग़ྗͷܕΛLambda functionؒͰڞ༗Ͱ͖ɺ
ᴥᴪ͕ੜͨ͡ΒίϯύΠϧΤϥʔʹͳΔ • ΤίγεςϜ͕ख़͍ͯ͠Δ • ΫϩείϯύΠϧ • ςετϥϯφʔɺςετϑϨʔϜϫʔΫ
ϓϩδΣΫτͷਐΊํ • ΞʔΩςΫνϟΛݕ౼ • AWSΛۦͨ࣍͠ੈTSDBͷઃܭʹؔΘͬͨ id:y_uukiʹڠྗͯ͠Βͬͨ • http://blog.yuuk.io/entry/the-rebuild-of-tsdb-on-cloud • ϓϩτλΠϐϯά
(1िؒ) • ࣮ࡍʹखΛಈ͔͢͜ͱͰෆ໌ྎͩͬͨͷݟੵΓ͕ਖ਼֬ʹͳͬͨ • (LambdaͷσϓϩΠͳͲ) • GoॳֶऀͩͬͨϝϯόʔצΛ௫Ίͯɺຊ࣮ͰఆҎ্ʹ ϕϩγςΟ͕҆ఆͨ͠
ϓϩδΣΫτͷਐΊํ • ·ͣূ໌ॻಡΈࠐΈ෦ (cert-loader) Λ։ൃ • ͜ͷ࣌Ͱ·ͩূ໌ॻΛऔಘ͠ͳ͍ͷͰɺӨڹͳ ͍ • ࣍ʹূ໌ॻऔಘ෦
(cert-updater) Λ։ൃ • ͜ͷ෦ΛϦϦʔε͢Δ͜ͱͰ͡Ίͯ ಠࣗυϝΠϯͰHTTPS৴͕ར༻ՄೳʹͳΔ
ϓϩδΣΫτͷਐΊํ • ϦϦʔε୯ҐͷCQS = ίϚϯυΫΤϦׂ͕ͳ͞Εͨ • command: cert-updater • query:
cert-loader • CQS = Command-query Separation: • มߋܥ (command) ͱಡऔܥ (query) Λ ׂ͢ΔΞʔΩςΫνϟ • େ͖ͳϦϦʔεͰ͋Δ͕ɺগͣͭ͠ग़͍ͯ͘͠ͱ͍͏ ීஈͷελΠϧΛऔΓೖΕΒΕ͍ͯΔ
·ͱΊ • ͯͳϒϩάͷৗ࣌HTTPS৴ͷཪଆΛ͝հ͠·ͨ͠ • ։ൃॱௐͰɺࠂ௨ΓͷεέδϡʔϧͰ ఏڙ։࢝Ͱ͖ΔݟࠐΈͰ͢ • ࣮Perl͚ͩ͡Όͳ͍͠ɺAWS׆༻͍ͯ͠·͢!
એ: αϚʔΠϯλʔϯ2018 • http://developer.hatenastaff.com/entry/intern- preentry-2018 • ࠓΓ·͢ • લߨٛͷݴޠGoͰ͢