Upgrade to Pro — share decks privately, control downloads, hide ads and more …

実践nginx〜メルカリの場合〜

5d74d743eabd2bf7d4d2f68b9d3c727d?s=47 Tatsuhiko Kubo
April 22, 2015
Technology
53
31k

 実践nginx〜メルカリの場合〜

5d74d743eabd2bf7d4d2f68b9d3c727d?s=128

Tatsuhiko Kubo

April 22, 2015
Tweet

More Decks by Tatsuhiko Kubo

See All by Tatsuhiko Kubo
Handling a tremendous amount of images with Fastly / Yamagoya Traverse 2020
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
2
970
System Integration with Fastly
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
0
400
実例で学ぶ画像最適化集 with ImageFlux / ImageFlux meetup#2
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
4
17k
Software Engineer, Infrastructure
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
4
2.7k
High Performance Count Up!
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
0
200
ImageFluxを利用した画像配信の最適化 / ImageFlux meetup 201801
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
0
2.2k
Building high performance push notification server in Go
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
5
2.7k
メルカリのデータ分析基盤 / mercari data analysis infrastructure
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
11
11k
On-call Engineering
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
8
5.7k

Other Decks in Technology

See All in Technology
UWBを使ってみた
8b0e9a3684bd29ecece29db2582e38ae?s=48 norioikedo
0
410
Istio入門
72c25016e1baff3eb99a80dfc1e95ca1?s=48 nutslove
15
5k
SI企業が「アジャイル推し」になったら 幸せになれますか?/Can SI company be happy if it becomes “Agile stan” ?
7977a0896e60587b2690550891be2ea7?s=48 chinmo
1
1.2k
ソフトウェアテスト自動化、一歩前へ
73ffa4b34cfd87eb417ee531b8224d7a?s=48 yoshikiito
3
300
PUTとPOSTどっち使う?
65389cd2b6fdc531dcc4af999e864593?s=48 hankehly
0
250
リファインメントは楽しいかね?
F4ea0f5f6211de72f79576d020308de5?s=48 kitamu_mu
1
430
要約 "Add Live Text interaction to your app"
9e64d2069945742c818421e884603b44?s=48 ushisantoasobu
0
150
JAWS-UG re:Habilitaion 報告 / JAWS-UG OITA rehabilitation
5acaf9241f1c2e50f3bff920050ae597?s=48 hiranofumio
0
130
SlackBotで あらゆる業務を自動化。問い合わせ〜DevOpsまで #CODT2022
384ef83de6b166677314f14f99aee1cd?s=48 kogatakanori
0
850
モブに早く慣れたい人のためのガイド / A Guide to Getting Started Quickly with Mob Programming
A97eee01397705443a72a48ce29d3e19?s=48 cybozuinsideout
PRO
2
1.8k
現状のFedCMの動作解説と OIDCとの親和性について- OpenID TechNight vol.19
658c29959d8a9fd352afa440a5813137?s=48 ritou
2
450
miisan's career talk
253f81535853f9fddcadaec9b37dc1e0?s=48 mii3king
0
220

Featured

See All Featured
Designing on Purpose - Digital PM Summit 2013
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
106
5.6k
Fantastic passwords and where to find them - at NoRuKo
8ec1383b240b5ba15ffb9743fceb3c0e?s=48 philnash
27
1.5k
How New CSS Is Changing Everything About Graphic Design on the Web
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
213
11k
Automating Front-end Workflow
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1351
200k
How to name files
0a4f62e90c976eeb44d33add75cca5af?s=48 jennybc
40
61k
Mobile First: as difficult as doing things right
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
213
7.5k
The Illustrated Children's Guide to Kubernetes
0438ae60cde4c7add6f9da48f28c15cc?s=48 chrisshort
15
36k
Principles of Awesome APIs and How to Build Them.
B47b288784fda77a94aeb234ca743c24?s=48 keavy
113
15k
The Pragmatic Product Professional
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
19
3k
Creatively Recalculating Your Daily Design Routine
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
207
10k
Happy Clients
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
89
5.6k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
498
130k

Transcript

  1. ࣮ફnginx ʙϝϧΧϦͷ৔߹ʙ Tatsuhiko Kubo@cubicdaiya ALM@2015/04/21

  2. ࣗݾ঺հ • ٱอୡ඙(Tatsuhiko Kubo) • bokko@cubicdaiya • Software Engineer in

    Infrastructure Engineering • Mercari, Inc. • Favorites: Go, C, nginx

  3. OSS࡞ͬͨΓίϯτϦϏϡʔτͨ͠Γ

  4. Agenda ϝϧΧϦͰͷnginxͷ׆༻ࣄྫʹ͍ͭͯ

  5. nginx • ੈքͰೋ൪໨ʹར༻͞Ε͍ͯΔOSSͷHTTPαʔό • C10Kʹ଱͑ΒΕΔΞʔΩςΫνϟ • Πϕϯτۦಈ • ϊϯϒϩοΩϯάI/O •

    ඇಉظI/O • ܰྔͰߴ଎

  6. ϝϧΧϦͰΑ͋͘Δޫܠ ࣮ࡍʹ͸͋Δఔ౓ू໿͍ͯ͠·͢

  7. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  8. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  9. ϦόʔεϓϩΩγͱͯ͠ͷnginx • ϦΫΤετͷϩΪϯά • ΞΫηε੍ޚ • ίϯςϯπͷѹॖɾΩϟογϡ • όοϑΝϦϯά •

    etc…

  10. nginx.confͷઃఆྫ server { listen 443 ssl spdy; server_name xxx.yyy; #

    ϓϩΩγઃఆ proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Connection ""; proxy_http_version 1.1; proxy_buffers 50 8k; # ੩తίϯςϯπ͸nginxͰฦ͢ location ~ /(styles|js|images)/ { root /usr/share/zabbix; expires 30d; } # Zabbix(༻ͷgoogle_auth_proxy)΁ϓϩΩγ location / { proxy_pass http://google_auth_proxy_for_zabbix; } }

  11. લஈʹnginxΛஔ͘ϝϦοτ • HTTP or HTTPSαʔόʹඞཁͳλεΫΛҰ௨Γ͜ͳͤΔ • ΞϓϦέʔγϣϯαʔό(e.g. Unicorn)ʹ଍Γͳ͍ػೳΛิ׬ • ωοτϫʔΫϨΠςϯγͷվળ

    • KeepAlive • gzipѹॖ • TLS Session (Cache | Tickets)ɺOCSP Stapling • SPDY • etc…

  12. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  13. HTTPS௨৴ͷߴ଎Խ • ҰൠʹHTTPS௨৴Ͱ͸TCP 3-way handshakeʹՃ͑ͯ TLS 3-way handshake͕ൃੜ͢ΔͷͰHTTP௨৴ΑΓ஗͘ͳΔ • HTTPS௨৴ߴ଎ԽͷͨΊͷࡾछͷਆث

    • TLS Session Cache • TLS Session Tickets • OCSP Stapling

  14. TLS Session Cache • TLSϋϯυγΣΠΫͷηογϣϯ৘ใΛαʔόʹ Ωϟογϡ • nginxͰ͸ڞ༗ϝϞϦ্ʹΩϟογϡ͞ΕΔ • ࣍ճͷTLSϋϯυγΣΠΫΛলུ

    • CPUͷϦιʔεͷ࡟ݮ΍ϨΠςϯγͷղফʹޮՌ͕͋Δ

  15. TLS Session Cache with nginx

  16. TLS Session Tickets • ҉߸Խͨ͠ηογϣϯ৘ใ(νέοτ)ΛΫϥΠΞϯ τʹ౉͢ • νέοτΛݩʹTLSηογϣϯΛ࠶։ • HTTPSαʔόෳ਺୆Ͱηογϣϯ৘ใΛڞ༗Ͱ͖Δ

    • εϚϗͩͱαϙʔτ͍ͯ͠Δ୺຤͕গͳ͍…

  17. TLS Session Tickets with nginx

  18. OCSP Stapling • OCSPʹΑΔSSLূ໌ॻͷࣦޮ֬ೝΛαʔόଆͰߦͬ ͯΩϟογϡ • ΫϥΠΞϯτଆͰ΍ΔͱTLSϋϯυγΣΠΫ࣌ʹϨΠ ςϯγ͕ൃੜ͢Δ • ΍ͬͺΓεϚϗͩͱ͋Μ·ΓରԠͯ͠ͳ͍

    • Google Chrome for iOSͩͱରԠͯͨ͠

  19. OCSP Stapling with nginx ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/ssl/xxx.yyy.ocsp.crt;

    resolver xxx.xxx.xxx.xxx valid=30s; resolver_timeout 5s;

  20. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  21. SPDY with nginx

  22. Ͱɺ࣮ࡍͷޮՌ͸ͱݴ͏ͱ

  23. TLS Session (Cache|Tickets) ಋೖλΠϛϯά

  24. TLS Session (Cache|Tickets) ಋೖλΠϛϯά

  25. SPDY 41%:ಋೖͨ͠೔ͷϐʔΫ

  26. ΋͏ͪΐͬͱ۩ମతͳྫ

  27. ೔ຊ͔Βւ֎ͷZabbix dashboardʹΞΫηε

  28. Client • MacBookPro • Google Chrome • HTTP/2༗ޮ • ϒϥ΢βΩϟογϡ͸ৗʹແޮˣ

  29. Server(ॳظঢ়ଶ) • Apache(prefork) + mod_php • த਎͸Zabbix • KeepAlive Off

    • gzipѹॖແޮ • TLS Session Cache & Tickets༗ޮ

  30. Server(ॳظঢ়ଶ) "QBDIF 1PSU HTTPS Server (PPHMF"VUI1SPYZ "QBDIF 1PSU SSLऴ୺ Ϣʔβೝূ

    Zabbix

  31. ύϑΥʔϚϯε(ॳظঢ়ଶ) ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,#   -PBE5JNF TFD   %0.$POUFOU-PBE FE5JNF TFD  

  32. νϡʔχϯά ͦͷ1 KeepAlive On KeepAliveΛ༗ޮʹ͢Δ

  33. ύϑΥʔϚϯε ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,# ,# ,# -PBE5JNF TFD TFD TFD %0.$POUFOU-PBE FE5JNF TFD TFD TFD

  34. νϡʔχϯά ͦͷ2 <IfModule mod_deflate.c> AddOutputFilterByType DEFLATE text/html AddOutputFilterByType DEFLATE text/css

    AddOutputFilterByType DEFLATE text/js AddOutputFilterByType DEFLATE text/javascript AddOutputFilterByType DEFLATE application/javascript AddOutputFilterByType DEFLATE application/json-rpc </IfModule> gzipѹॖΛ༗ޮʹ͢Δ

  35. ύϑΥʔϚϯε ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,# ,# ,# -PBE5JNF TFD TFD TFD %0.$POUFOU-PBEF E5JNF TFD TFD TFD

  36. νϡʔχϯάͦͷ3 "QBDIF 1PSU HTTPS Server (PPHMF"VUI1SPYZ "QBDIF 1PSU SSLऴ୺ Ϣʔβೝূ

    Zabbix OHJOY 1PSU SSLऴ୺ΛnginxͰߦ͏

  37. νϡʔχϯάͦͷ3 # nginx.conf # in main context worker_processes auto; tcp_nopush

    on; keepalive_timeout 65s; open_file_cache max=1000 inactive=20s; ssl_session_cache shared:SSL:30m; gzip on; gzip_comp_level 9; gzip_types text/css text/plain text/js text/javascript application/javascript application/json-rpc; # in event context accept_mutex_delay 100ms; # in event context ੩తϑΝΠϧ͸શ෦nginxͰ഑৴͢Δ

  38. ύϑΥʔϚϯε ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,# ,# ,# -PBE5JNF TFD TFD TFD %0.$POUFOU-PBEF E5JNF TFD TFD TFD

  39. νϡʔχϯάͦͷ4 listen 443 ssl spdy; SPDY/3.1Λ༗ޮʹ͢Δ

  40. ύϑΥʔϚϯε ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,# ,# ,# -PBE5JNF TFD TFD TFD %0.$POUFOU-PBEF E5JNF TFD TFD TFD ࠷ऴతʹWebϖʔδͷϩʔυ͕࣌ؒ4ඵ͔Β1ඵʹ

  41. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  42. OHJOY

  43. ൚༻ϓογϡ௨஌γεςϜ PS CBUDIαʔό

  44. ·ͱΊ • nginx͸ • ϝϧΧϦ಺ͰαʔϏεɺࣾ಺γεςϜͰ͍ΖΜ ͳՕॴʹڬΜͰ׆༻͍ͯ͠·͢ • L7ϩʔυόϥϯαʔɺϦόϓϩɺSSLऴ୺αʔ όͱͯ͠ͱͯ΋༏ल •

    ࠓޙ΋ར༻Օॴ͕૿͑Δ༧ఆ