Practical nginx: The Mercari Case (実践nginx〜メルカリの場合〜)
Tatsuhiko Kubo
April 22, 2015
Transcript
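Practical nginx: The Mercari Case
Tatsuhiko Kubo@cubicdaiya
ALM@2015/04/21

About me
• Tatsuhiko Kubo
• bokko@cubicdaiya
• Software Engineer in Infrastructure Engineering
• Mercari, Inc.
• Favorites: Go, C, nginx

I build OSS and contribute to OSS projects

Agenda
• Use cases of nginx at Mercari

nginx
• The second most widely used OSS HTTP server in the world
• An architecture that withstands C10K
• Event-driven
• Non-blocking I/O
• Asynchronous I/O
• Lightweight and fast

A common sight at Mercari
• In practice, things are consolidated to some extent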
Agenda • Reverse proxy • SSL termination • SPDY gateway
• L7 load balancer
nginx as a reverse proxy
• Request logging
• Access control
• Content compression and caching
• Buffering
• etc…

Example nginx.conf configuration

    server {
        listen 443 ssl spdy;
        server_name xxx.yyy;

        # Proxy settings
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        proxy_buffers 50 8k;

        # Static content is served by nginx itself
        location ~ /(styles|js|images)/ {
            root /usr/share/zabbix;
            expires 30d;
        }

        # Proxy to Zabbix (to the google_auth_proxy in front of it)
        location / {
            proxy_pass http://google_auth_proxy_for_zabbix;
        }
    }

Benefits of placing nginx in front
• It handles the full range of tasks an HTTP or HTTPS server needs
• It supplies features the application server (e.g. Unicorn) lacks
• It improves network latency
• KeepAlive
• gzip compression
• TLS Session (Cache | Tickets), OCSP Stapling
• SPDY
• etc…
Agenda • Reverse proxy • SSL termination • SPDY gateway
• L7 load balancer
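Speeding up HTTPS
• In general, HTTPS incurs a TLS 3-way handshake in addition to the TCP 3-way handshake, so it is slower than HTTP
• The three essential tools for speeding up HTTPS
• TLS Session Cache
• TLS Session Tickets
• OCSP Stapling

TLS Session Cache
• The session information from the TLS handshake is cached on the server
• In nginx it is cached in shared memory
• The next TLS handshake is skipped
• Effective for reducing CPU usage and eliminating latency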
TLS Session Cache with nginx
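TLS Session Tickets
• The encrypted session information (the ticket) is handed to the client
• The TLS session is resumed from the ticket
• Session information can be shared across multiple HTTPS servers
• On smartphones, few support it…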
TLS Session Tickets with nginx
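An added example (not configuration from the deck) of the nginx directives behind the session cache and session ticket mechanisms described above. The certificate and key paths, the timeout and the two-key rotation layout are assumptions; only the `shared:SSL:30m` size is taken from the deck's tuning slide.

```nginx
# Added example: TLS session resumption in nginx. Paths and lifetimes are assumptions.
server {
    listen 443 ssl;
    server_name xxx.yyy;                                # placeholder name used in the deck

    ssl_certificate     /etc/nginx/ssl/xxx.yyy.crt;     # hypothetical path
    ssl_certificate_key /etc/nginx/ssl/xxx.yyy.key;     # hypothetical path

    # --- TLS session cache: session state is kept on the server ---
    # "shared" places the cache in shared memory, so any worker process of this
    # nginx instance can resume a session that another worker created.
    ssl_session_cache   shared:SSL:30m;                 # size from the deck's tuning slide
    ssl_session_timeout 10m;                            # assumption: resumption window

    # --- TLS session tickets: session state is kept by the client ---
    ssl_session_tickets on;

    # By default nginx uses a randomly generated ticket key, so a ticket issued
    # by one server cannot be resumed on another. Sharing session information
    # across several HTTPS servers means loading the same key file on each.
    # Only the first key encrypts new tickets; the second still decrypts older
    # ones, which lets keys be rotated without dropping resumable sessions.
    ssl_session_ticket_key /etc/nginx/ssl/ticket.current.key;    # hypothetical path
    ssl_session_ticket_key /etc/nginx/ssl/ticket.previous.key;   # hypothetical path
}
```

Each ticket key file holds 48 or 80 bytes of random data (for example from `openssl rand 48`). Keep it readable only by nginx and rotate it regularly, since whoever holds the key can decrypt the session state inside the tickets it protected.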
OCSP Stapling
• The OCSP revocation check for the SSL certificate is performed on the server side and cached
• Doing it on the client side adds latency during the TLS handshake
• Again, smartphones mostly do not support it
• Google Chrome for iOS did support it

OCSP Stapling with nginx

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/xxx.yyy.ocsp.crt;
    resolver xxx.xxx.xxx.xxx valid=30s;
    resolver_timeout 5s;
Agenda • Reverse proxy • SSL termination • SPDY gateway
• L7 load balancer
SPDY with nginx
So, what was the actual effect?

TLS Session (Cache|Tickets): time of introduction

SPDY 41%: the peak when it was introduced

A slightly more concrete example

Accessing an overseas Zabbix dashboard from Japan

Client
• MacBookPro
• Google Chrome
• HTTP/2 enabled
• Browser cache always disabled

Server (initial state)
• Apache (prefork) + mod_php
• Running Zabbix
• KeepAlive Off
• gzip compression disabled
• TLS Session Cache & Tickets enabled
Server (initial state)
Diagram labels: HTTPS Server; Apache Port; Google Auth Proxy; Apache Port; SSL termination; user authentication; Zabbix

Performance (initial state)
Table columns: Item; Measured value; Compared with previous; Compared with initial state
Table rows: Received requests; Data Transfer (KB); Load Time (sec); DOMContentLoaded Time (sec)

Tuning #1: enable KeepAlive

    KeepAlive On

Performance
Table with the same columns and rows as above

Tuning #2: enable gzip compression

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE text/js
        AddOutputFilterByType DEFLATE text/javascript
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE application/json-rpc
    </IfModule>

Performance
Table with the same columns and rows as above

Tuning #3: perform SSL termination in nginx
Diagram labels: HTTPS Server; Apache Port; Google Auth Proxy; Apache Port; SSL termination; user authentication; Zabbix; nginx Port

Tuning #3: serve all static files from nginx

    # nginx.conf
    worker_processes auto;               # in main context

    events {
        accept_mutex_delay 100ms;        # in event context
    }

    http {
        tcp_nopush on;
        keepalive_timeout 65s;
        open_file_cache max=1000 inactive=20s;
        ssl_session_cache shared:SSL:30m;
        gzip on;
        gzip_comp_level 9;
        gzip_types text/css text/plain text/js text/javascript application/javascript application/json-rpc;
    }

Performance
Table with the same columns and rows as above

Tuning #4: enable SPDY/3.1

    listen 443 ssl spdy;

Performance
Table with the same columns and rows as above
In the end, the web page load time went from 4 seconds to 1 second
Agenda • Reverse proxy • SSL termination • SPDY gateway
• L7 load balancer
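Diagram labels: nginx; general-purpose push notification system or batch server

Summary
• nginx
• At Mercari we use it in many places, placed in front of both our services and our internal systems
• It is excellent as an L7 load balancer, a reverse proxy, and an SSL termination server
• We plan to use it in more places going forward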