Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migr...
Search
aereal
May 23, 2018
Technology
14
18k
AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS
Hatena Engineer Seminar #10 (
https://hatena.connpass.com/event/87909/
) で発表した資料です。
aereal
May 23, 2018
Tweet
Share
More Decks by aereal
See All by aereal
盆栽転じて家具となる / Bonsai and Furnitures
aereal
0
4.7k
How to send distibuted traces to Datadog using build own OpenTelemetry-Lambda distribution
aereal
3
270
好きな技術《コト》で、 生きていく技術 / life with what you like
aereal
5
3.9k
qron: Cloud Native Cron Alternativeの今
aereal
2
2.7k
自動作曲入門 / introduction to programatic music composition
aereal
1
530k
はてなブログ タグとCDK / The epic of AWS CDK and Hatena Blog Tag
aereal
2
200k
はてなブログ タグの技術選択 / The technical details of Hatena Blog Tag
aereal
3
200k
ブログサービスのHTTPS化を支えたAWSで作るピタゴラスイッチ / The construction of large scale TLS certificates management system with AWS
aereal
3
400k
ScalaとPerlでMicroservices in production / Building microservices with Perl and Scala in production
aereal
0
5.5k
Other Decks in Technology
See All in Technology
AIエージェント最前線! Amazon Bedrock、Amazon Q、そしてMCPを使いこなそう
minorun365
PRO
13
5k
Snowflake Summit 2025 データエンジニアリング関連新機能紹介 / Snowflake Summit 2025 What's New about Data Engineering
tiltmax3
0
310
PostgreSQL 18 cancel request key長の変更とRailsへの関連
yahonda
0
120
第9回情シス転職ミートアップ_テックタッチ株式会社
forester3003
0
220
GeminiとNotebookLMによる金融実務の業務革新
abenben
0
220
Claude Code Actionを使ったコード品質改善の取り組み
potix2
PRO
6
2.2k
Model Mondays S2E02: Model Context Protocol
nitya
0
220
強化されたAmazon Location Serviceによる新機能と開発者体験
dayjournal
2
200
Amazon Bedrockで実現する 新たな学習体験
kzkmaeda
1
530
Node-REDのFunctionノードでMCPサーバーの実装を試してみた / Node-RED × MCP 勉強会 vol.1
you
PRO
0
110
“社内”だけで完結していた私が、AWS Community Builder になるまで
nagisa53
1
370
A2Aのクライアントを自作する
rynsuke
1
170
Featured
See All Featured
BBQ
matthewcrist
89
9.7k
Building a Modern Day E-commerce SEO Strategy
aleyda
41
7.3k
GraphQLとの向き合い方2022年版
quramy
47
14k
Typedesign – Prime Four
hannesfritz
42
2.7k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Embracing the Ebb and Flow
colly
86
4.7k
Navigating Team Friction
lara
187
15k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
790
Docker and Python
trallard
44
3.4k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
The World Runs on Bad Software
bkeepers
PRO
69
11k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.5k
Transcript
AWSͰͯͳϒϩάͷ ৗ࣌HTTPS৴Λ όʔϯͱΔ Hatena Engineer Seminar #10 @ Tokyo גࣜձࣾͯͳ
id:aereal
ࣗݾհ • id:aereal • GitHub: aereal • Twitter: aereal •
ϒϩάϢʔβʔνʔϜ ΞϓϦέʔγϣϯΤϯδχΞ ςοΫϦʔυ
͢͜ͱ • ͯͳϒϩάͷৗ࣌HTTPS৴ͷٕज़తͳৄࡉ • ূ໌ॻͷಈతಡΈࠐΈ • ূ໌ॻͷࣗಈߋ৽ • ͓ΑͼϓϩδΣΫτͷਐΊํ
എܠ • ͯͳϒϩάͰɺͯͳఏڙυϝΠϯͷ ͍ͣΕ͔͔Βબ·͢ • *.hatenablog.com, *.hatenadiary.jp, etc. • ͞ΒʹɺͯͳϒϩάPro
(༗ྉΦϓγϣϯ) ʹਃ͠ࠐΉͱ ಠࣗυϝΠϯ͕͑·͢ • ಠࣗυϝΠϯͰৗ࣌HTTPS৴Λ࣮ݱ͍ͨ͠
Let's Encrypt • https://letsencrypt.org/ • ISRG = Internet Security Research
Group͕ఏڙ͢Δ ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ (CA) • ෆಛఆଟͷυϝΠϯʹର͢Δ ূ໌ॻൃߦͷࣗಈԽ͕Մೳʹͳͬͨ
Let's Encrypt • ಠࣗυϝΠϯͷৗ࣌HTTPS৴ʹ͔ܽͤͳ͍ଘࡏɺવ ར༻͠·͢ • Let's EncryptΛར༻͢Δاۀͱͯ͠ɺ ·ͨܝ͛Δࢥʹڞײ͢ΔWebαʔϏεࣄۀऀͱͯ͠ɺ ͯͳLet's
EncryptʹدΛ͠·͢
ಠࣗυϝΠϯͱূ໌ॻ • DONE: ͯͳఏڙυϝΠϯ (*.hatenablog.com, etc.) • ͕Ε͍ͯΔͷͰূ໌ॻ1ͭͷஔͰࡁΉ • SAN
(= Subject Alternative Names) Λ͏ • ϫΠϧυΧʔυূ໌ॻΛ͏
ಠࣗυϝΠϯͱূ໌ॻ • ಠࣗυϝΠϯ • ͕ଟ͍ͷͰূ໌ॻͷൃߦಡΈࠐΈେม • LE = Let's Encryptূ໌ॻ͋ͨΓ
100υϝΠϯͷ੍͕͋Δ • ҰʹಡΈࠐΉͱproxyͷϝϞϦ༻ྔ͕ਹΉ
ΰʔϧ(1): ূ໌ॻͷಡΈࠐΈ • ؆୯ͷͨΊূ໌ॻ1υϝΠϯ1ͭɺSANΘͳ͍ • ΦϯσϚϯυͰಡΈࠐΜͰϝϞϦઅ • ϘτϧωοΫʹͳΓ͏ΔͷͰ ϥϯυτϦοϓɺϨΠςϯγΛ͍͑ͨ
ΰʔϧ (2): ఆظߋ৽ • ϦΞϧλΠϜੑ͍ • ظݶΛܴ͑Δ·ͰͷҙͷλΠϛϯάͰ ࣮ߦ͢ΕΑ͍ • ҰํɺσʔλҰ؏ੑʹର͢Δཁٻ͕ߴ͍
• ࣦഊ͢ΔͳͲߋ৽࿙Ε͕͋Δͱ·͍ͣ • ֎෦API (LE) Λར༻͢ΔͨΊࣦഊՄೳੑ͕ߴ͍ →దͳϦτϥΠॲཧ͕ඞཁ
γεςϜͷߏ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷಡΈࠐΈ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTPS ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷಈతಡΈࠐΈ • cert-dispatcher: ngx_mruby • TLS handshake࣌ʹϋϯυϥ͕ݺΕΔ • cert-cache-gwʹHTTP GETͯ͠ূ໌ॻΛऔಘ͢Δ
• cert-cache-gw: GoͰॻ͍ͨHTTP API • υϝΠϯʹରԠ͢Δূ໌ॻΛcert-store (DynamoDB) ͔ Βऔಘͯ͠ฦ͢ • cert-cache (memcached) ʹอଘ͢Δ
ূ໌ॻͷऔಘ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷൃߦ • cert-updater-state: AWS Step Functions • JSONͰεςʔτϚγϯΛ࣮ߦͯ͘͠ΕΔαʔϏε • ॊೈͳϦτϥΠॲཧঢ়ଶભҠΛཧͰ͖Δ
• cert-updater-function: AWS Lambda • LEͱ௨৴͠ূ໌ॻΛऔಘ͢Δ • ൃߦͨ͠ূ໌ॻDynamoDBʹॻ͖ࠐΉ • cert-update-notifier: AWS Lambda • ূ໌ॻͷൃߦঢ়گΛͯͳϒϩάຊମʹ͑Δ
ূ໌ॻͷఆظߋ৽
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache
cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ
ূ໌ॻͷఆظߋ৽ • cert-lifecycle-store: DynamoDB • ূ໌ॻͷऔಘ࣌ʹ͜ͷςʔϒϧʹॻ͖ࠐΉ • TTL triggerΛൃߦ͠ɺcert-update-triggerΛىಈ͢Δ •
cert-update-trigger: AWS Lambda • TTL͕Εͯআ͞ΕͨΞΠςϜΛड͚औΔ • cert-updater-stateΛ࣮ߦ͠ɺূ໌ॻऔಘϑϩʔΛ։࢝
DynamoDB TTL
cert-lifecycle-store (DynamoDB) Domain: ex1.example.com ExpiresAt: 2018-05-23T02:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00
Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00
Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
cert-lifecycle-store (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00
ͳͥAWS͔ • ෳࡶ͔ͭߴͳόονΛߏஙʹඞཁͳαʔϏε͕ ἧ͍ͬͯΔ͔Β • ෳࡶ: ূ໌ॻͷऔಘɾ݁Ռͷ௨ͳͲෳεςοϓ͔Β ͳΔ • ߴ:
ࢄΞϓϦέʔγϣϯʹؔΘΒͣ σʔλͷҰ؏ੑ͕ߴ͍ϨϕϧͰٻΊΒΕΔ • = Lambda, Step Functions, etc.
Step Functions࠷ߴ • ग़ྗ༰ʹԠͯ͡ঢ়ଶભҠΛذͰ͖Δ • άϥϑΟΧϧʹग़ྗͯ͘͠ΕΔ (͍͢͝!) • Τϥʔग़ྗ༰ʹԠ্ͨ͡ݶ͖ϦτϥΠॲཧ •
ΊͪΌͪ͘Ό͔ͬ͜Α͘ͳ͍Ͱ͔͢?
None
None
Go • Lambda functionͯ͢Go, cert-cache-gwGo • ίϯύΠϥʹΑΔܕݕࠪͰ҆৺ • ೖग़ྗͷܕΛLambda functionؒͰڞ༗Ͱ͖ɺ
ᴥᴪ͕ੜͨ͡ΒίϯύΠϧΤϥʔʹͳΔ • ΤίγεςϜ͕ख़͍ͯ͠Δ • ΫϩείϯύΠϧ • ςετϥϯφʔɺςετϑϨʔϜϫʔΫ
ϓϩδΣΫτͷਐΊํ • ΞʔΩςΫνϟΛݕ౼ • AWSΛۦͨ࣍͠ੈTSDBͷઃܭʹؔΘͬͨ id:y_uukiʹڠྗͯ͠Βͬͨ • http://blog.yuuk.io/entry/the-rebuild-of-tsdb-on-cloud • ϓϩτλΠϐϯά
(1िؒ) • ࣮ࡍʹखΛಈ͔͢͜ͱͰෆ໌ྎͩͬͨͷݟੵΓ͕ਖ਼֬ʹͳͬͨ • (LambdaͷσϓϩΠͳͲ) • GoॳֶऀͩͬͨϝϯόʔצΛ௫Ίͯɺຊ࣮ͰఆҎ্ʹ ϕϩγςΟ͕҆ఆͨ͠
ϓϩδΣΫτͷਐΊํ • ·ͣূ໌ॻಡΈࠐΈ෦ (cert-loader) Λ։ൃ • ͜ͷ࣌Ͱ·ͩূ໌ॻΛऔಘ͠ͳ͍ͷͰɺӨڹͳ ͍ • ࣍ʹূ໌ॻऔಘ෦
(cert-updater) Λ։ൃ • ͜ͷ෦ΛϦϦʔε͢Δ͜ͱͰ͡Ίͯ ಠࣗυϝΠϯͰHTTPS৴͕ར༻ՄೳʹͳΔ
ϓϩδΣΫτͷਐΊํ • ϦϦʔε୯ҐͷCQS = ίϚϯυΫΤϦׂ͕ͳ͞Εͨ • command: cert-updater • query:
cert-loader • CQS = Command-query Separation: • มߋܥ (command) ͱಡऔܥ (query) Λ ׂ͢ΔΞʔΩςΫνϟ • େ͖ͳϦϦʔεͰ͋Δ͕ɺগͣͭ͠ग़͍ͯ͘͠ͱ͍͏ ීஈͷελΠϧΛऔΓೖΕΒΕ͍ͯΔ
·ͱΊ • ͯͳϒϩάͷৗ࣌HTTPS৴ͷཪଆΛ͝հ͠·ͨ͠ • ։ൃॱௐͰɺࠂ௨ΓͷεέδϡʔϧͰ ఏڙ։࢝Ͱ͖ΔݟࠐΈͰ͢ • ࣮Perl͚ͩ͡Όͳ͍͠ɺAWS׆༻͍ͯ͠·͢!
એ: αϚʔΠϯλʔϯ2018 • http://developer.hatenastaff.com/entry/intern- preentry-2018 • ࠓΓ·͢ • લߨٛͷݴޠGoͰ͢
aereal
minorun365
tiltmax3
yahonda
forester3003
abenben
potix2
nitya
dayjournal
kzkmaeda
you
nagisa53
rynsuke
matthewcrist
aleyda
quramy
hannesfritz
marcelosomers
colly
lara
irinanazarova
trallard
samlambert
bkeepers
eileencodes
